DB2 Stored Procedure Infrastructure Privilege Escalation Vulnerability

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by a privilege escalation
vulnerability.

Description :

According to its version, the installation of DB2 on the remote host
is reportedly affected by a privilege escalation vulnerability.

An error exists related to the Stored Procedure infrastructure and the
'CREATE_EXTERNAL_ROUTINE' authority that could allow an authenticated
user to escalate privileges.

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21673947

Solution :

Apply DB2 version 9.7 Fix Pack 9a, 10.1 Fix Pack 3a, 10.5 Fix Pack
3a, or 10.5 Fix Pack 4.

Alternatively, in the case of DB2 version 9.5 Fix Pack 9 or Fix Pack
10, 9.7 Fix Pack 8, and 10.5 Fix Pack 2, contact the vendor to obtain
a special build with the interim fix.

Additionally, note that users with DB2 version 9.1 installations
under an extended support contract may contact vendor support to
obtain a patch.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Databases

Nessus Plugin ID: 76116

Bugtraq ID: 67616

CVE ID: CVE-2013-6744