IBM DB2 9.x < 9 Fix Pack 5 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 4536

Synopsis

The remote IBM DB2 database server is affected by multiple vulnerabilities.

Description

According to its version, the installation of IBM DB2 on the remote host is affected by one or more of the following vulnerabilities :

- There is an unspecified security vulnerability related to a 'DB2FMP' process (IZ20352).
- There is an unspecified security vulnerability in a CLR-stored procedure deployment from IBM Database Add-Ins for Visual Studio (JR28432).
- The password used to connect to the database can be seen in plaintext in a memory dump (JR27422).
- There is a possible stack variable overrun in 'SQLRLAKA()' (IZ16346).
- A local privilege escalation vulnerability via file creation can result in root-level access (IZ12735).
- There are possible buffer overflows involving 'XQUERY', 'XMLQUERY', 'XMLEXISTS', and 'XMLTABLE' (IZ18434).

Solution

Upgrade to IBM DB2 9.1 Fix Pack 6 or higher.

See Also

http://www.securityfocus.com/archive/1/496406/30/0/threaded

http://www.securityfocus.com/archive/1/496405/30/0/threaded

http://www-1.ibm.com/support/docview.wss?uid=swg21255607

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20352

http://www-1.ibm.com/support/docview.wss?uid=swg1JR30026

http://www-1.ibm.com/support/docview.wss?uid=swg1JR28432

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ12735

http://www-1.ibm.com/support/docview.wss?uid=swg1JR27422

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ16346

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ18434

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ07299

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ22188

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ21983

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688

Plugin Details

Severity: Critical

ID: 4536

Family: Database

Published: 8/18/2004

Updated: 3/6/2019

Nessus ID: 33128

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:db2

Reference Information

CVE: CVE-2008-1966, CVE-2008-2154, CVE-2008-3852, CVE-2008-3853, CVE-2008-3854, CVE-2008-3855, CVE-2008-3856, CVE-2008-3857, CVE-2008-3858, CVE-2008-6821

BID: 29601, 35408, 35409