IBM DB2 9.8 < Fix Pack 5 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 9196
SynopsisThe remote IBM DB2 database server is vulnerable to multiple attack vectors.
DescriptionVersions of IBM DB2 9.8 earlier than Fix Pack 5 are potentially affected by multiple issues :
- A flaw exists in relational data services that is due to privileges persisting when they're removed from users. This may allow attackers to execute non-DDL statements after their privileges have been revoked. (OSVDB 125198)
- A flaw exists that is triggered when Self Tuning Memory Manager (STMM) is enabled and DATABASE_MEMORY is set to AUTOMATIC. This may allow a local attacker to potentially cause a crash. (OSVDB 125199)
- An authorized user with 'CONNECT' privileges from 'PUBLIC' can cause a denial of service via unspecified methods related to DB2's XML feature. (CVE-2012-0712)
- An unspecified information disclosure vulnerability exists related to the XML feature that can allow improper access to arbitrary XML files. (CVE-2012-0713)
- An error exists related to the Distributed RelationalDatabase Architecture (DRDA) that can allow denial of service conditions when processing certain request. (CVE-2012-2180)
SolutionUpgrade to IBM DB2 9.8 Fix Pack 5 or higher.