IBM DB2 9.7 < Fix Pack 10 Multiple Vulnerabilities

high Nessus Plugin ID 79245

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

According to its version, the installation of IBM DB2 9.7 running on the remote host is affected by the following vulnerabilities:

- An input-validation error exists related to handling the 'ALTER MODULE' statement that allows buffer overflows. (CVE-2014-3094)

- An error exists related to handling 'SELECT' statements with 'UNION' subqueries that allows application crashes. (CVE-2014-3095)

- An error exists related to 'LUW' and 'ALTER TABLE' statement handling that allows application crashes. (CVE-2014-6097)

- An error exists related to 'ALTER TABLE' statement handling that allows application crashes. (CVE-2014-6159)

Note that if a special vendor-supplied build has been installed, this may be a false positive.

Solution

Apply IBM DB2 version 9.7 Fix Pack 10 or later.

Alternatively, contact the vendor regarding special builds containing the fix.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg1IT02592

http://www-01.ibm.com/support/docview.wss?uid=swg21681631

http://www-01.ibm.com/support/docview.wss?uid=swg1IT02645

http://www-01.ibm.com/support/docview.wss?uid=swg21681623

http://www-01.ibm.com/support/docview.wss?uid=swg1IT03786

http://www-01.ibm.com/support/docview.wss?uid=swg21684812

http://www-01.ibm.com/support/docview.wss?uid=swg1IT05105

http://www-01.ibm.com/support/docview.wss?uid=swg21688051

Plugin Details

Severity: High

ID: 79245

File Name: db2_97fp10.nasl

Version: 1.6

Type: remote

Family: Databases

Published: 11/14/2014

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:db2

Required KB Items: Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 11/5/2014

Vulnerability Publication Date: 8/29/2014

Reference Information

CVE: CVE-2014-3094, CVE-2014-3095, CVE-2014-6097, CVE-2014-6159

BID: 69546, 69550, 70983, 71006