SynopsisThe remote IBM DB2 database server is vulnerable to multiple attack vectors.
DescriptionVersions of IBM DB2 10.5 earlier than Fix Pack 6 are potentially affected by multiple vulnerabilities :
- An unspecified flaw exists in IBM DB2 XML Native Encryption that may allow an attacker to gain access to private memory information. No further details have been provided.
- A flaw exists in the IBM Global Security Kit (GSKit) when handling RSA temporary keys in a non-export RSA key exchange ciphersuite. A man-in-the-middle attacker can exploit this to downgrade the session security to use weaker EXPORT_RSA ciphers, thus allowing the attacker to more easily monitor or tamper with the encrypted stream. (CVE-2015-0138)
- An unspecified flaw in the General Parallel File System (GPFS) allows a local attacker to gain root privileges. (CVE-2015-0197)
- A flaw exists in the General Parallel File System (GPFS), related to certain cipherList configurations, that allows a remote attacker, using specially crafted data, to bypass authentication and execute arbitrary programs with root privileges. (CVE-2015-0198)
- A denial of service vulnerability exists in the General Parallel File System (GPFS) that allows a local attacker to corrupt kernel memory by sending crafted ioctl character device calls to the mmfslinux kernel module. (CVE-2015-0199)
- A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
- An information disclosure vulnerability exists due to improper block cipher padding by TLSv1 when using Cipher Block Chaining (CBC) mode. A remote attacker, via an 'Oracle Padding' side channel attack, can exploit this vulnerability to gain access to sensitive information. Note that this is a variation of the POODLE attack.
SolutionUpgrade to IBM DB2 10.5 Fix Pack 6 or higher.