IBM DB2 9.8 < Fix Pack 5 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 9196


The remote IBM DB2 database server is vulnerable to multiple attack vectors.


Versions of IBM DB2 9.8 earlier than Fix Pack 5 are potentially affected by multiple issues :

- A flaw exists in relational data services that is due to privileges persisting when they're removed from users. This may allow attackers to execute non-DDL statements after their privileges have been revoked. (OSVDB 125198)
- A flaw exists that is triggered when Self Tuning Memory Manager (STMM) is enabled and DATABASE_MEMORY is set to AUTOMATIC. This may allow a local attacker to potentially cause a crash. (OSVDB 125199)
- An authorized user with 'CONNECT' privileges from 'PUBLIC' can cause a denial of service via unspecified methods related to DB2's XML feature. (CVE-2012-0712)
- An unspecified information disclosure vulnerability exists related to the XML feature that can allow improper access to arbitrary XML files. (CVE-2012-0713)
- An error exists related to the Distributed RelationalDatabase Architecture (DRDA) that can allow denial of service conditions when processing certain request. (CVE-2012-2180)


Upgrade to IBM DB2 9.8 Fix Pack 5 or higher.

See Also

Plugin Details

Severity: Medium

ID: 9196

File Name: 9196.prm

Family: Database

Published: 2016/04/15

Modified: 2016/11/23

Dependencies: 9531

Nessus ID: 59905

Risk Information

Risk Factor: Medium


Base Score: 4.9

Temporal Score: 4

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C


Base Score: 6.2

Temporal Score: 5.8


Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2012/05/30

Vulnerability Publication Date: 2012/05/30

Reference Information

CVE: CVE-2012-0712, CVE-2012-0713, CVE-2012-2180

BID: 52326, 53873