Patch available for critical IBM DB2 Universal Database flaws

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 10/05/04

  • Next message: Steve Shockley: "ASP.Net vulnerabillity" 
    Date:         Tue, 5 Oct 2004 15:15:52 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Researchers at NGSSoftware have discovered multiple critical/high risk
    vulnerabilities in IBM's DB2 Universal Database. Versions affected include

    DB2 8.1 Fixpak 7 and earlier

    IBM has updated Fixpak 6 and 7 to 6a and 7a to include fixes for these
    flaws. In all, 20 vulnerabilities, mostly remotely exploitable buffer
    overflows, have been addressed by the updates. The updated Fixpaks have just
    been released and can be downloaded from

    http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

    The flaws fixed in these Fixpaks equate to NGSS BUGID 102, 103, 104, 105,
    106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 117, 118, 119, 120, 121
    and 122 from the Vendor Notification Alerts -
    http://www.nextgenss.com/vna.htm.

    NGSSoftware are going to withhold details about these flaws for three
    months. Full details will be published on the 5th of January 2005. This
    three month window will allow DB2 database administrators the time needed to
    test and apply the Fixpak before the details are released to the general
    public. This reflects NGSSoftware's new approach to responsible disclosure.

    NGSSQuirreL for DB2, NGSSoftware's advanced vulnerability assessment scanner
    and security manager for IBM DB2, has been updated to check for and
    positively identify these flaws in DB2 database servers on the network. More
    information about NGSSQuirreL for DB2 can be found at
    http://www.nextgenss.com/db2.htm.

    NGSSoftware Insight Security Research
    http://www.databasesecurity.com/
    http://www.nextgenss.com/
    +44(0)208 401 0070 

    --
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--
  • Next message: Steve Shockley: "ASP.Net vulnerabillity"

    Relevant Pages

    • [Full-disclosure] Details for BID 18428
      ... DB2 Universal Database is a popular database software package ... DB2 UDB server. ... handshake process with the server, causing the server process to crash. ... The first message used by a client when establishing a connection to the ...
      (Full-Disclosure)
    • [Full-disclosure] Team SHATTER Security Advisory: Multiple DoS in JAR files manipulation procedu
      ... Team SHATTER Security Advisory ... All versions of IBM DB2 Database Server on Windows platform. ... DB2 has multiple vulnerabilities which can lead to Denial of Service ... Vendor was contacted and a patch was released. ...
      (Full-Disclosure)
    • Team SHATTER Security Advisory: Multiple DoS in JAR files manipulation procedures
      ... Team SHATTER Security Advisory ... All versions of IBM DB2 Database Server on Windows platform. ... DB2 has multiple vulnerabilities which can lead to Denial of Service ... Vendor was contacted and a patch was released. ...
      (Bugtraq)
    • Re: Connection problem with Access
      ... CurrentDb.Name produced the path to db2). ... As far as permissions go I have given myself 'administer' rights on ... everything, including the database. ... almost every time I have seen documentation for the ...
      (microsoft.public.word.mailmerge.fields)
    • RE: DBD::DB2 question need an example
      ... list database directory ... LI0124E Invalid argument value. ... can you run the following commands from the DB2 CLP ... means that DB2 is not liking something about your $dsn. ...
      (perl.dbi.users)