IBM DB2 < 9 Fix Pack 3 / 8 Fix Pack 15 Multiple Vulnerabilities

This script is Copyright (C) 2007-2015 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by multiple vulnerabilities.

Description :

According to its version, the installation of IBM DB2 running on the
remote host is affected by one or more of the following issues :

- A local user may be able to overwrite arbitrary files,
create arbitrary world-writeable directories, or gain
root privileges via symlink attacks or specially
crafted environment variables. (IY98210 / IY99261)

- A user may be able to continue executing a method even
after privileges for that method have been revoked.
(IY88226, version 8 only)

- There is an unspecified issue allowing for privilege
elevation when DB2 'execs' executables while running as
root. (IY98206 / IY98176)

- There is an unspecified vulnerability related to
incorrect authorization routines. (JR25940, version 8
only)

- There is an unspecified vulnerability in
'AUTH_LIST_GROUPS_FOR_AUTHID'. (IZ01828, version 9.1
only)

- There is an unspecified vulnerability in the 'db2licm'
and 'db2pd' tools. (IY97922 / IY97936)

- There is an unspecified vulnerability involving
'db2licd' and the 'OSSEMEMDBG' and 'TRC_LOG_FILE'
environment variables. (IY98011 / IY98101)

- There is a buffer overflow involving the 'DASPROF'
environment variable. (IY97346 / IY99311)

- There is an unspecified vulnerability that can arise
during instance and FMP startup. (IZ01923 / IZ02067)

- The DB2JDS service may allow for arbitrary code
execution without the need for authentication due to a
stack overflow in an internal sprintf() call.
(IY97750, version 8 only)

- The DB2JDS service is affected by two denial-of-service
issues, triggered by a packet with an invalid LANG
parameter or by a long packet, either of which causes
the process to terminate. (version 8 only)

Note that there is currently insufficient information to determine to
what extent the first set of issues overlaps the others.

See also :

http://www.appsecinc.com/resources/alerts/db2/2007-01.shtml
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0313.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0314.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0315.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0316.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0317.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0318.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0319.html
http://archives.neohapsis.com/archives/bugtraq/2007-10/0153.html
http://www-1.ibm.com/support/docview.wss?uid=swg21255607
http://www-1.ibm.com/support/docview.wss?uid=swg21255352

Solution :

Apply IBM DB2 version 9 Fix Pack 3 / 8.1 Fix Pack 15 / 8.2 Fix Pack 8
or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true