DB2 < 8.1 FixPak 16 Multiple Vulnerabilities (deprecated)

High Nessus Network Monitor Plugin ID 4358

Synopsis

The remote database server is affected by multiple issues.

Description

According to its version, the installation of DB2 on the remote host is affected by one or more of the following issues:

- A local user may be able to gain root privileges using the 'db2pd' tool (IZ03546).
- The 'db2dart' tool executes a TPUT command that effectively allows users to run commands as the DB2 instance owner (IZ03647).
- A buffer overflow and invalid memory access vulnerability exists in the DAS server code (IZ05496).
- An unspecified vulnerability exists in 'SYSPROC.ADMIN_SP_C' (IZ06972).
- An unspecified vulnerability exists due to incorrect authorization checking in 'ALTER TABLE' statements (IZ07337).

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=653

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=654

http://archives.neohapsis.com/archives/bugtraq/2008-02/0073.html

http://archives.neohapsis.com/archives/bugtraq/2008-02/0074.html

http://www-1.ibm.com/support/docview.wss?uid=swg21256235

Plugin Details

Severity: High

ID: 4358

Family: Database

Published: 2008/02/05

Modified: 2016/01/22

Nessus ID: 30153

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.4

Temporal Score: 7.8

Vector: CVSS3#AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Reference Information

CVE: CVE-2007-3676, CVE-2007-5757, CVE-2008-0698

BID: 27680, 27681, 27596