Detections
Analytics
IBM DB2 10.1 < Fix Pack 5 / 10.5 < Fix Pack 6 Multiple Vulnerabilities
high Nessus Network Monitor Plugin ID 9199
Synopsis
The remote IBM DB2 database server is vulnerable to multiple attack vectors.Description
Versions of IBM DB2 10.1 earlier than Fix Pack 5 or 10.5 earlier than Fix Pack 6 are potentially affected by multiple issues :- A flaw exists that is triggered during the handling of SELECT statements with XML/XSLT function. This may allow an attacker to gain access to arbitrary files. (CVE-2014-8910)
- A flaw exists that is triggered during the handling of SQL statements with unspecified Scalar Functions. This may allow an authenticated remote attacker to cause a denial of service. (CVE-2015-0157)
- A flaw exists in the automated maintenance feature. The issue occurs when an authenticated DB2 user with elevated privileges manipulates an automated maintenance policy stored procedure, which can result in disclosing arbitrary files owned by the DB2 fenced ID on UNIX/Linux or administrator on Windows. (CVE-2015-1883)
- A flaw exists in the Data Movement feature that is triggered when handling a specially crafted query. This may allow an authenticated remote attacker to delete rows from a table without appropriate privileges. (CVE-2015-1922)
- A flaw exists that is triggered during the handling of SQL statements with LUW Scalar Functions. This may allow an authenticated remote attacker to run arbitrary code under the privileges of the DB2 instance owner, or cause a denial of service. (CVE-2015-1935)
Solution
Upgrade to IBM DB2 10.5 Fix Pack 6 or higher. If version 10.5 cannot be obtained, version 10.1 Fix Pack 5 is also patched for these issues.See Also
http://www-01.ibm.com/support/docview.wss?uid=swg21610653#5
http://www-01.ibm.com/support/docview.wss?uid=swg21902661
http://www-01.ibm.com/support/docview.wss?uid=swg21633303#6
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06353
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06354
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06355
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06356
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08075
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08080
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08085
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08086
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08523
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08524
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08525
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08543
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08656
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08667
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08668
http://www-01.ibm.com/support/docview.wss?uid=swg21610582#5
http://www-01.ibm.com/support/docview.wss?uid=swg21647054#6
http://www-01.ibm.com/support/docview.wss?uid=swg21697988
http://www-01.ibm.com/support/docview.wss?uid=swg21698308
http://www-01.ibm.com/support/docview.wss?uid=swg21882724
http://www-01.ibm.com/support/docview.wss?uid=swg21959650
http://www-01.ibm.com/support/docview.wss?uid=swg21962557
http://www-01.ibm.com/support/docview.wss?uid=swg21962559
http://www-01.ibm.com/support/docview.wss?uid=swg21962560
http://www-01.ibm.com/support/docview.wss?uid=swg21962562
http://www-01.ibm.com/support/docview.wss?uid=swg21962565
http://www-01.ibm.com/support/docview.wss?uid=swg21962634
Plugin Details
Severity: High
ID: 9199
Family: Database
Published: 4/15/2016
Updated: 3/6/2019
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 8
Temporal Score: 7
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:C
CVSS v3
Risk Factor: High
Base Score: 7.6
Temporal Score: 7.3
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:ibm:db2
Patch Publication Date: 7/10/2015
Vulnerability Publication Date: 7/10/2015
Reference Information
CVE: CVE-2014-8910, CVE-2015-0157, CVE-2015-1883, CVE-2015-1922, CVE-2015-1935