Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

IBM DB2 9.5 < 9.5 Fix Pack 1 Multiple Vulnerabilities



The remote IBM DB2 database server is affected by multiple attack vectors.


The installation of IBM DB2 on the remote host 9.5 is prior to Fix Pack 1 and is affected by one or more of the following vulnerabilities :

- There is a security vulnerability in the 'NNSTAT' procedure on Windows platforms that allows low-privileged users to overwrite arbitrary files (IZ10776) - There is a security vulnerability in the 'SYSPROC.ADMIN_SP_C' procedure on Windows platforms that allows users to load arbitrary libraries and execute arbitrary code in the system (IZ10917) - An unspecified vulnerability affects 'DB2WATCH' and 'DB2FREEZE' on Solaris platforms (IZ12994) - A flaw exists as the db2ls command creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the FILE file to cause the program to unexpectedly write to any file on the system. (IZ14939) - An authenticated remote user can cause the DB2 instance to crash by passing specially crafted parameters to the 'RECOVERJAR' and 'REMOVE_JAR' procedures (IZ15496) - There is an internal buffer overflow vulnerability in the DAS process that could allow arbitrary code execution on the affected host (IZ12406) - A local attacker can create arbitrary files as root on Unix and Linux platforms using symlinks to the 'dasRecoveryIndex', 'dasRecoveryIndex.tmp', '.dasRecoveryIndex.lock', and 'dasRecoveryIndex.cor' files during initialization (IZ12798) - There is a security vulnerability related to a failure to switch the owner of the 'db2fmp' process affecting Unix and Linux platforms (IZ19155) - When a memory dump occurs, the password used to connect to the database remains visible in clear text in memory (JR28314)


Apply IBM DB2 Version 9.5 Fix Pack 1 or higher.