Summary
The host is installed with IBM DB2 and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow attacker to bypass security restrictions, cause a denial of service.
Impact Level: System/Application
Solution
Update IBM DB2 9.5 Fixpak 5,
http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24022678
Insight
The flaws are due to:
- An unspecified error in the Engine Utilities component, causes segmentation fault by modifying the db2ra data stream sent in a request from the load utility.
- An unspecified error in 'db2licm' within the Engine Utilities component it has unknown impact and local attack vectors.
- An unspecified error in the DRDA Services componenta, causes the server trap by calling a SQL stored procedure in unknown circumstances.
- An error in relational data services component, allows attackers to obtain the password argument from the SET ENCRYPTION PASSWORD statement via vectors involving the GET SNAPSHOT FOR DYNAMIC SQL command.
- Multiple unspecified errors in bundled stored procedures in the Spatial Extender component, have unknown impact and remote attack vectors.
- An unspecified vulnerability in the Query Compiler, Rewrite, and Optimizer component, allows to cause a denial of service (instance crash) by compiling a SQL query.
Affected
IBM DB2 version 9.5 prior to Fixpak 5
References
Severity
Classification
-
CVE CVE-2009-4328, CVE-2009-4329, CVE-2009-4330, CVE-2009-4333, CVE-2009-4335, CVE-2009-4439 -
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Oracle Database Server Multiple Unspecified Vulnerabilities-01 April2014
- MySQL 5.0.51a Unspecified Remote Code Execution Vulnerability
- IBM DB2 SQL/PSM Stored Procedure Debugging Buffer Overflow Vulnerability (Linux)
- IBM DB2 'nodes.reg' Permission Weakness Vulnerability
- Oracle MySQL Multiple Unspecified vulnerabilities-01 Feb15 (Windows)