DB2 9.7 < Fix Pack 9 Multiple Vulnerabilities

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by multiple vulnerabilities.

Description :

According to its version, the installation of DB2 9.7 on the remote
host is earlier than Fix Pack 9. It is, therefore, reportedly affected
by one or more of the following vulnerabilities :

- The included software, GSKit, contains several errors
related to SSL and TLS that could result in denial of
service, information disclosure or unauthorized
insertion of arbitrary root Certification Authority
certificate. (CVE-2012-2190, CVE-2012-2191,
CVE-2012-2203 / IC90395)

- A stack-based buffer overflow exists related to
db2aud and db2flacc that could allow a local attacker
to elevate privileges to that of an instance owner. The
db2aud issue does not affect installs on the Windows
operating system. (CVE-2013-3475 / IC92495)

- An unspecified error exists that could allow an attacker
to gain SELECT, INSERT, UPDATE, or DELETE permissions to
database tables. Note that successful exploitation
requires the rights EXPLAIN, SQLADM, or DBADM.
(CVE-2013-4033 / IC94523)

- An error exists related to the XSLT parser that could
allow a null pointer to be dereferenced.
(CVE-2013-5466 / IC97470)

- An error exists related to queries containing OLAP
specifications that could allow remote, authenticated
attackers to close database connections and deactivate
the database. (CVE-2013-6717 / IC95641)

See also :

http://www.nessus.org/u?8e4dccd8
http://www-01.ibm.com/support/docview.wss?uid=swg21450666#9
http://www-01.ibm.com/support/docview.wss?uid=swg24036646

Solution :

Apply DB2 Version 9.7 Fix Pack 9 or later.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false