IBM DB2 9.5 < 9.5 Fix Pack 1 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 4612


The remote IBM DB2 database server is affected by multiple attack vectors.


The installation of IBM DB2 on the remote host 9.5 is prior to Fix Pack 1 and is affected by one or more of the following vulnerabilities :

- There is a security vulnerability in the 'NNSTAT' procedure on Windows platforms that allows low-privileged users to overwrite arbitrary files (IZ10776)
- There is a security vulnerability in the 'SYSPROC.ADMIN_SP_C' procedure on Windows platforms that allows users to load arbitrary libraries and execute arbitrary code in the system (IZ10917)
- An unspecified vulnerability affects 'DB2WATCH' and 'DB2FREEZE' on Solaris platforms (IZ12994)
- A flaw exists as the db2ls command creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the FILE file to cause the program to unexpectedly write to any file on the system. (IZ14939)
- An authenticated remote user can cause the DB2 instance to crash by passing specially crafted parameters to the 'RECOVERJAR' and 'REMOVE_JAR' procedures (IZ15496)
- There is an internal buffer overflow vulnerability in the DAS process that could allow arbitrary code execution on the affected host (IZ12406)
- A local attacker can create arbitrary files as root on Unix and Linux platforms using symlinks to the 'dasRecoveryIndex', 'dasRecoveryIndex.tmp', '.dasRecoveryIndex.lock', and 'dasRecoveryIndex.cor' files during initialization (IZ12798)
- There is a security vulnerability related to a failure to switch the owner of the 'db2fmp' process affecting Unix and Linux platforms (IZ19155)
- When a memory dump occurs, the password used to connect to the database remains visible in clear text in memory (JR28314)


Apply IBM DB2 Version 9.5 Fix Pack 1 or higher.

See Also

Plugin Details

Severity: High

ID: 4612

File Name: 4612.prm

Family: Database

Published: 2008/08/04

Modified: 2017/02/09

Dependencies: 9531

Nessus ID: 33763

Risk Information

Risk Factor: High


Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Base Score: 8.7

Temporal Score: 7.5


Temporal Vector: CVSS3#E:U/RL:O/RC:C

Reference Information

CVE: CVE-2008-1966, CVE-2008-1997, CVE-2008-1998

BID: 28835, 28836, 28843