IBM DB2 9.8 < Fix Pack 4 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 9195

Synopsis

The remote IBM DB2 database server is vulnerable to multiple attack vectors.

Description

Versions of IBM DB2 9.8 earlier than Fix Pack 4 are potentially affected by multiple issues:

- A flaw exists in the high availability 9.5 upgrade scripts: they install automatically into the '/usr/sbin/rsct/sapolicies/db2' directory with insecure permissions. (OSVDB 123604)
- A flaw exists because the Monitor Administrative Views (in the sysibmadm schema) are readable by the public. This may allow a remote attacker to gain access to potentially sensitive information. (OSVDB 123605)

Solution

Upgrade to IBM DB2 9.8 Fix Pack 4 or higher.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg24030581

http://www-01.ibm.com/support/docview.wss?uid=swg21455035#4

http://www.ibm.com/support/docview.wss?uid=swg1IC69495

http://www.ibm.com/support/docview.wss?uid=swg1IC77539

Plugin Details

Severity: Medium

ID: 9195

File Name: 9195.prm

Family: Database

Published: 2016/04/15

Modified: 2016/11/23

Dependencies: 9531

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS3#AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2013/08/10

Vulnerability Publication Date: 2013/08/10