The remote IBM DB2 database server is vulnerable to multiple attack vectors.
Versions of IBM DB2 10.1 earlier than Fix Pack 5 or 10.5 earlier than Fix Pack 6 are potentially affected by multiple issues:

- A flaw exists that is triggered during the handling of SELECT statements with an XML/XSLT function. This may allow an attacker to gain access to arbitrary files. (CVE-2014-8910)
- A flaw exists that is triggered during the handling of SQL statements with unspecified Scalar Functions. This may allow an authenticated remote attacker to cause a denial of service. (CVE-2015-0157)
- A flaw exists in the automated maintenance feature. The issue occurs when an authenticated DB2 user with elevated privileges manipulates an automated maintenance policy stored procedure, which can result in disclosing arbitrary files owned by the DB2 fenced ID on UNIX/Linux or administrator on Windows. (CVE-2015-1883)
- A flaw exists in the Data Movement feature that is triggered when handling a specially crafted query. This may allow an authenticated remote attacker to delete rows from a table without appropriate privileges. (CVE-2015-1922)
- A flaw exists that is triggered during the handling of SQL statements with LUW Scalar Functions. This may allow an authenticated remote attacker to run arbitrary code under the privileges of the DB2 instance owner, or cause a denial of service. (CVE-2015-1935)

Upgrade to IBM DB2 10.5 Fix Pack 6 or higher. If version 10.5 cannot be obtained, version 10.1 Fix Pack 5 is also patched for these issues.