Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

IBM DB2 10.5 < Fix Pack 6 Multiple Vulnerabilities (Bar Mitzvah)

Critical

Synopsis

The remote IBM DB2 database server is vulnerable to multiple attack vectors.

Description

Versions of IBM DB2 10.5 earlier than Fix Pack 6 are potentially affected by multiple vulnerabilities :

- An unspecified flaw exists in IBM DB2 XML Native Encryption that may allow an attacker to gain access to private memory information. No further details have been provided. (OSVDB 127288) - A flaw exists in the IBM Global Security Kit (GSKit) when handling RSA temporary keys in a non-export RSA key exchange ciphersuite. A man-in-the-middle attacker can exploit this to downgrade the session security to use weaker EXPORT_RSA ciphers, thus allowing the attacker to more easily monitor or tamper with the encrypted stream. (CVE-2015-0138) - An unspecified flaw in the General Parallel File System (GPFS) allows a local attacker to gain root privileges. (CVE-2015-0197) - A flaw exists in the General Parallel File System (GPFS), related to certain cipherList configurations, that allows a remote attacker, using specially crafted data, to bypass authentication and execute arbitrary programs with root privileges. (CVE-2015-0198) - A denial of service vulnerability exists in the General Parallel File System (GPFS) that allows a local attacker to corrupt kernel memory by sending crafted ioctl character device calls to the mmfslinux kernel module. (CVE-2015-0199) - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - An information disclosure vulnerability exists due to improper block cipher padding by TLSv1 when using Cipher Block Chaining (CBC) mode. A remote attacker, via an 'Oracle Padding' side channel attack, can exploit this vulnerability to gain access to sensitive information. Note that this is a variation of the POODLE attack.

Solution

Upgrade to IBM DB2 10.5 Fix Pack 6 or higher.