DB2 10.1 < Fix Pack 3 Multiple Vulnerabilities

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by multiple vulnerabilities.

Description :

According to its version, the installation of DB2 10.1 on the remote
host is affected by the following vulnerabilities :

- A stack-based buffer overflow error exists related to
input validation in the Audit facility and could lead
to privilege escalation and denial of service attacks.
Note this issue does not affected installs on the
Windows operating system. (CVE-2013-3475 / IC92498)

- When a multi-node configuration is used, an error exists
in the Fast Communications Manager (FCM) that could
allow denial of service attacks. (CVE-2013-4032 /
IC94434)

- An unspecified error exists that could allow an attacker
to gain SELECT, INSERT, UPDATE, or DELETE permissions to
database tables. Note that successful exploitation
requires the rights EXPLAIN, SQLADM, or DBADM.
(CVE-2013-4033 / IC94757)

See also :

http://www.nessus.org/u?0524e892
http://www-01.ibm.com/support/docview.wss?uid=swg21610582
http://www-01.ibm.com/support/docview.wss?uid=swg21639355
http://www-01.ibm.com/support/docview.wss?uid=swg21650231
http://www-01.ibm.com/support/docview.wss?uid=swg21646809

Solution :

Apply DB2 Version 10.1 Fix Pack 3 or later.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 70455 ()

Bugtraq ID: 60255
62018
62747

CVE ID: CVE-2013-3475
CVE-2013-4032
CVE-2013-4033