IBM DB2 8.1 < Fix Pack 18 Multiple Vulnerabilities

medium Nessus Plugin ID 40662

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

According to its version, the installation of IBM DB2 8.1 running on the remote host is affected by one or more of the following issues :

- A local attacker may be able to gain write access to an arbitrary file using DAS, which could lead to gaining root privileges. (IZ34149)

- It may be possible to crash the server by sending specially crafted packets to the 'DB2JDS' service. (IZ52433)

- The security component in UNIX installs is affected by a private memory leak. (IZ35635)

- The 'DASAUTO' command can be run by a non-privileged user. (IZ40343)

Solution

Apply IBM DB2 UDB version 8.1 Fix Pack 18 or later.

See Also

https://www.securityfocus.com/archive/1/507237/30/0/threaded

http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg21255352

https://www-01.ibm.com/support/docview.wss?uid=swg1IZ34149

https://www-01.ibm.com/support/docview.wss?uid=swg1IZ52433

https://www-01.ibm.com/support/docview.wss?uid=swg1IZ35635

http://www-01.ibm.com/support/docview.wss?uid=swg21386689

Plugin Details

Severity: Medium

ID: 40662

File Name: db2_81fp18.nasl

Version: 1.18

Type: remote

Family: Databases

Published: 8/20/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:db2

Exploit Ease: No known exploits are available

Patch Publication Date: 8/14/2009

Vulnerability Publication Date: 8/14/2009

Reference Information

CVE: CVE-2009-2858, CVE-2009-2859, CVE-2009-2860

BID: 36059

CWE: 264, 399

SECUNIA: 36313