DB2 < 8.1 FixPak 16 Multiple Vulnerabilities (deprecated)

high Nessus Network Monitor Plugin ID 4358

Synopsis

The remote database server is affected by multiple issues.

Description

According to its version, the installation of DB2 on the remote host is affected by one or more of the following issues:

- A local user may be able to gain root privileges using the 'db2pd' tool (IZ03546).
- The 'db2dart' tool executes a TPUT command that effectively allows users to run commands as the DB2 instance owner (IZ03647).
- A buffer overflow and invalid memory access vulnerability exists in the DAS server code (IZ05496).
- An unspecified vulnerability exists in 'SYSPROC.ADMIN_SP_C' (IZ06972).
- An unspecified vulnerability exists due to incorrect authorization checking in 'ALTER TABLE' statements (IZ07337).

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=653

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=654

http://archives.neohapsis.com/archives/bugtraq/2008-02/0073.html

http://archives.neohapsis.com/archives/bugtraq/2008-02/0074.html

http://www-1.ibm.com/support/docview.wss?uid=swg21256235

Plugin Details

Severity: High

ID: 4358

Family: Database

Published: 2/5/2008

Updated: 3/6/2019

Nessus ID: 30153

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.4

Temporal Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Reference Information

CVE: CVE-2007-3676, CVE-2007-5757, CVE-2008-0698

BID: 27680, 27681, 27596