Detections
Analytics
IBM DB2 9.5 < Fix Pack 7 Multiple Vulnerabilities
critical Nessus Plugin ID 51841
Language:
Synopsis
The remote database server is affected by multiple vulnerabilities.Description
According to its version, the installation of IBM DB2 9.5 running on the remote host is prior Fix Pack 7. It is, therefore, affected by the following vulnerabilities :- The 'db2dasrrm' component included with such versions fails to perform sufficient bounds checks on user- supplied input, which an attacker could leverage to overflow the buffer, potentially resulting in arbitrary code execution on the remote system. (IC72028)
- An unspecified error in the Relational Data Services component can be exploited to update statistics for tables without the appropriate privileges. (IC71413)
- An error in the Relational Data Services component may grant users privileges to execute non-DDL statements after role membership has been revoked from its group.
(IC71263)
Solution
Apply IBM DB2 version 9.5 Fix Pack 7 or later.See Also
https://www.zerodayinitiative.com/advisories/ZDI-11-036/
https://seclists.org/fulldisclosure/2011/Jan/583
https://www-01.ibm.com/support/docview.wss?uid=swg1IC72028
https://www-304.ibm.com/support/docview.wss?uid=swg21293566#7
Plugin Details
Severity: Critical
ID: 51841
File Name: db2_95fp7.nasl
Version: 1.22
Type: remote
Family: Databases
Published: 2/1/2011
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:ibm:db2
Exploit Ease: No known exploits are available
Patch Publication Date: 12/13/2010
Vulnerability Publication Date: 1/31/2011