
IBM DB2 10.1 < Fix Pack 5 / 10.5 < Fix Pack 6 Multiple Vulnerabilities

High

Synopsis

The remote IBM DB2 database server is vulnerable to multiple attack vectors.

Description

Versions of IBM DB2 10.1 earlier than Fix Pack 5 or 10.5 earlier than Fix Pack 6 are potentially affected by multiple issues:

- A flaw exists that is triggered during the handling of SELECT statements with XML/XSLT functions. This may allow an attacker to gain access to arbitrary files. (CVE-2014-8910)
- A flaw exists that is triggered during the handling of SQL statements with unspecified Scalar Functions. This may allow an authenticated remote attacker to cause a denial of service. (CVE-2015-0157)
- A flaw exists in the automated maintenance feature. The issue occurs when an authenticated DB2 user with elevated privileges manipulates an automated maintenance policy stored procedure, which can result in disclosing arbitrary files owned by the DB2 fenced ID on UNIX/Linux or administrator on Windows. (CVE-2015-1883)
- A flaw exists in the Data Movement feature that is triggered when handling a specially crafted query. This may allow an authenticated remote attacker to delete rows from a table without appropriate privileges. (CVE-2015-1922)
- A flaw exists that is triggered during the handling of SQL statements with LUW Scalar Functions. This may allow an authenticated remote attacker to run arbitrary code under the privileges of the DB2 instance owner, or cause a denial of service. (CVE-2015-1935)

Solution

Upgrade to IBM DB2 10.5 Fix Pack 6 or higher. If version 10.5 cannot be obtained, version 10.1 Fix Pack 5 is also patched for these issues.
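To check an installed server against the Fix Pack thresholds above, here is an added example (not part of the plugin or of IBM's tooling) that parses the "Informational tokens" line printed by the `db2level` command and reports whether the level is below the fix for its release; the sample output and the regular expression are assumptions constructed for this example.

```python
import re
from typing import Optional, Tuple

# Fix Pack that closes the issues in this advisory, keyed by DB2 release
# (major, minor), taken from the Solution section above.
FIXED_FIXPACK = {(10, 1): 5, (10, 5): 6}

# Assumed shape of the db2level "Informational tokens" line, e.g.
#   Informational tokens are "DB2 v10.5.0.4", "s140509", "IP23577", and Fix Pack "4".
# DOTALL lets the match span the line wrap db2level produces at 80 columns.
TOKENS_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)".*?Fix Pack\s*"(\d+)"', re.DOTALL)


def parse_db2level(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, fixpack) from db2level output, or None if not found."""
    m = TOKENS_RE.search(output)
    if not m:
        return None
    major, minor, _mod, _fp_from_version, fixpack = (int(g) for g in m.groups())
    return major, minor, fixpack


def is_affected(version: Optional[Tuple[int, int, int]]) -> Optional[bool]:
    """True if below the fixed Fix Pack for its release, False if at/above it,
    None when the release is not covered by this advisory (e.g. 9.7 or 11.1)."""
    if version is None:
        return None
    major, minor, fixpack = version
    fixed = FIXED_FIXPACK.get((major, minor))
    if fixed is None:
        return None
    return fixpack < fixed


# Constructed sample output (not captured from a real system).
SAMPLE_VULNERABLE = '''DB21085I  This instance or install (instance name, where applicable:
"db2inst1") uses "64" bits and DB2 code release "SQL10054" with level
identifier "0605010E".
Informational tokens are "DB2 v10.5.0.4", "s140509", "IP23577", and Fix Pack
"4".
Product is installed at "/opt/ibm/db2/V10.5".'''

SAMPLE_FIXED = 'Informational tokens are "DB2 v10.1.0.5", "s150930", "IP23873", and Fix Pack "5".'

if __name__ == "__main__":
    for name, text in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(name, parse_db2level(text), "affected:", is_affected(parse_db2level(text)))
```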

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg1IT06353
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06354
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06355
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06356
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08075
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08080
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08085
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08086
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08523
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08524
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08525
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08543
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08656
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08667
http://www-01.ibm.com/support/docview.wss?uid=swg1IT08668
http://www-01.ibm.com/support/docview.wss?uid=swg21610582#5
http://www-01.ibm.com/support/docview.wss?uid=swg21610653#5
http://www-01.ibm.com/support/docview.wss?uid=swg21633303#6
http://www-01.ibm.com/support/docview.wss?uid=swg21647054#6
http://www-01.ibm.com/support/docview.wss?uid=swg21697988
http://www-01.ibm.com/support/docview.wss?uid=swg21698308
http://www-01.ibm.com/support/docview.wss?uid=swg21882724
http://www-01.ibm.com/support/docview.wss?uid=swg21902661
http://www-01.ibm.com/support/docview.wss?uid=swg21959650
http://www-01.ibm.com/support/docview.wss?uid=swg21962557
http://www-01.ibm.com/support/docview.wss?uid=swg21962559
http://www-01.ibm.com/support/docview.wss?uid=swg21962560
http://www-01.ibm.com/support/docview.wss?uid=swg21962562
http://www-01.ibm.com/support/docview.wss?uid=swg21962565
http://www-01.ibm.com/support/docview.wss?uid=swg21962634
http://www-01.ibm.com/support/docview.wss?uid=swg21966964
http://www-01.ibm.com/support/docview.wss?uid=swg21979608