[SA13088] DB2 Universal Database Multiple Vulnerabilities

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Thu Feb 10 2005 - 08:22:19 CST


TITLE:
DB2 Universal Database Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA13088

VERIFY ADVISORY:
http://secunia.com/advisories/13088/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of system information, Exposure of
sensitive information, DoS, System access

WHERE:
From local network

SOFTWARE:
DB2 Universal Database 8.x
http://secunia.com/product/857/

DESCRIPTION:
Multiple vulnerabilities have been reported in DB2 Universal
Database, which can be exploited to cause a DoS (Denial of Service),
gain knowledge of sensitive information, read and manipulate file
content, or compromise a vulnerable system.

1) An unspecified error on the Windows platform related to the way
system resources are used can be exploited by malicious, local users
to cause a DoS, gain knowledge of connecting users' passwords, or
view other query results.

2) An unspecified error within the processing of network messages
while establishing a database connection or instance attachment can
be exploited by malicious users to execute arbitrary code.

3) Missing restrictions in some XML Extender user-defined functions
can be exploited by malicious users to read or manipulate the
contents of arbitrary files.

4) An unspecified error within the federated support when creating
certain database objects can be exploited by malicious users to
execute arbitrary code on a vulnerable system.

Successful exploitation requires that federated support is enabled.

5) An unspecified error within the handling of certain XML functions
in SELECT statements can be exploited by malicious users to execute
arbitrary code on a vulnerable system.

SOLUTION:
Apply DB2 8.1 FixPak 8.
http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

PROVIDED AND/OR DISCOVERED BY:
1) Chris Anley, NGSSoftware.
2) David Litchfield, NGSSoftware.
3-5) Reported by vendor.

ORIGINAL ADVISORY:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21196289

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
