IBM DB2 9.8 < Fix Pack 4 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9195

Synopsis

The remote IBM DB2 database server is vulnerable to multiple attack vectors.

Description

Versions of IBM DB2 9.8 earlier than Fix Pack 4 are potentially affected by multiple issues:

- The high availability 9.5 upgrade scripts are automatically installed into the '/usr/sbin/rsct/sapolicies/db2' directory with insecure permissions.
- The Monitor Administrative Views (in the sysibmadm schema) are readable by the public. This may allow a remote attacker to gain access to potentially sensitive information.

Solution

Upgrade to IBM DB2 9.8 Fix Pack 4 or higher.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg24030581

http://www-01.ibm.com/support/docview.wss?uid=swg21455035#4

http://www.ibm.com/support/docview.wss?uid=swg1IC69495

http://www.ibm.com/support/docview.wss?uid=swg1IC77539

Plugin Details

Severity: Medium

ID: 9195

Family: Database

Published: 4/15/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 8/10/2013

Vulnerability Publication Date: 8/10/2013