Patch available for critical IBM DB2 Universal Database flaws

• Previous message: Castigliola, Angelo: "Darn if you do Darn if you don't."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 5 Oct 2004 15:15:52 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Researchers at NGSSoftware have discovered multiple critical/high risk
vulnerabilities in IBM's DB2 Universal Database. Versions affected include

DB2 8.1 Fixpak 7 and earlier

IBM has updated Fixpak 6 and 7 to 6a and 7a to include fixes for these
flaws. In all, 20 vulnerabilities, mostly remotely exploitable buffer
overflows, have been addressed by the updates. The updated Fixpaks have just
been released and can be downloaded from

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

The flaws fixed in these Fixpaks equate to NGSS BUGID 102, 103, 104, 105,
106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 117, 118, 119, 120, 121
and 122 from the Vendor Notification Alerts -
http://www.nextgenss.com/vna.htm.

NGSSoftware are going to withhold details about these flaws for three
months. Full details will be published on the 5th of January 2005. This
three month window will allow DB2 database administrators the time needed to
test and apply the Fixpak before the details are released to the general
public. This reflects NGSSoftware's new approach to responsible disclosure.

NGSSQuirreL for DB2, NGSSoftware's advanced vulnerability assessment scanner
and security manager for IBM DB2, has been updated to check for and
positively identify these flaws in DB2 database servers on the network. More
information about NGSSQuirreL for DB2 can be found at
http://www.nextgenss.com/db2.htm.

NGSSoftware Insight Security Research
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

• Previous message: Castigliola, Angelo: "Darn if you do Darn if you don't."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-disclosure] Details for BID 18428 ... DB2 Universal Database is a popular database software package ... DB2 UDB server. ... handshake process with the server, causing the server process to crash. ... The first message used by a client when establishing a connection to the ... (Full-Disclosure) [Full-disclosure] Team SHATTER Security Advisory: Multiple DoS in JAR files manipulation procedu ... Team SHATTER Security Advisory ... All versions of IBM DB2 Database Server on Windows platform. ... DB2 has multiple vulnerabilities which can lead to Denial of Service ... Vendor was contacted and a patch was released. ... (Full-Disclosure) Team SHATTER Security Advisory: Multiple DoS in JAR files manipulation procedures ... Team SHATTER Security Advisory ... All versions of IBM DB2 Database Server on Windows platform. ... DB2 has multiple vulnerabilities which can lead to Denial of Service ... Vendor was contacted and a patch was released. ... (Bugtraq) RE: DBD::DB2 question need an example ... list database directory ... LI0124E Invalid argument value. ... can you run the following commands from the DB2 CLP ... means that DB2 is not liking something about your $dsn. ... (perl.dbi.users) RE: ADABAS vs IMS vs DB2 Who is faster? ... ADABAS vs IMS vs DB2 Who is faster? ... I know many shops that yo-yo the database only when an IPL is required. ... (bit.listserv.ibm-main)