IBM DB2 Connect 9.7 < FP11 Special Build 35317 / 10.1 < FP5 Special Build 35316 / 10.5 < FP7 Special Build 35315 Multiple Vulnerabilities (Windows)
Medium Nessus Plugin ID 91337
SynopsisThe remote database server is affected by multiple vulnerabilities.
DescriptionAccording to its version, the installation of IBM DB2 Connect running on the remote Windows host is either 9.7 prior to fix pack 11 Special Build 35317, 10.1 prior to fix pack 5 Special Build 35316, or 10.5 prior to fix pack 7 Special Build 35315. It is, therefore, affected by the following vulnerabilities :
- A denial of service vulnerability exists in LUW related to the handling of DRDA messages. An authenticated, remote attacker can exploit this, via a specially crafted DRDA message, to cause the DB2 server to terminate abnormally. (CVE-2016-0211)
- A denial of service vulnerability exists in LUW when handling SELECT statements with subqueries containing the AVG OLAP function that are applied to Oracle compatible databases. An authenticated, remote attacker can exploit this, via a specially crafted query, to cause the DB2 server to terminate abnormally.
Note that the IBM DB2 Connect installation is affected only if a local database has been created.
SolutionApply the appropriate IBM DB2 Connect Special Build based on the most recent fix pack level for your branch.