DB2 9.5 < Fix Pack 7 Multiple Vulnerabilities

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by multiple issues.

Description :

According to its version, the installation of DB2 9.5 on the remote
host is older than Fix Pack 7. Such versions are affected by the
following vulnerabilities :

- The 'db2dasrrm' component included with such versions
fails to perform sufficient bounds checks on user-
supplied input, which an attacker could leverage to
overflow the buffer, potentially resulting in arbitrary
code execution on the remote system. (IC72028)

- An unspecified error in the Relational Data Services
component can be exploited to update statistics for
tables without the appropriate privileges. (IC71413)

- An error in the Relational Data Services component may
grant users privileges to execute non-DDL statements
after role membership has been revoked from its group.
(IC71263)

See also :

http://www.zerodayinitiative.com/advisories/ZDI-11-036/
http://archives.neohapsis.com/archives/fulldisclosure/2011-01/0586.html
https://www-01.ibm.com/support/docview.wss?uid=swg1IC72028
https://www-304.ibm.com/support/docview.wss?uid=swg21293566#7
https://www-304.ibm.com/support/docview.wss?uid=swg1IC71413
https://www-304.ibm.com/support/docview.wss?uid=swg1IC71263

Solution :

Apply DB2 Version 9.5 Fix Pack 7 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Databases

Nessus Plugin ID: 51841 ()

Bugtraq ID: 46052
47525

CVE ID: CVE-2011-0731
CVE-2011-1846
CVE-2011-1847