SB2017091103 - Multiple vulnerabilities in IBM DB2 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017091103

SB2017091103 - Multiple vulnerabilities in IBM DB2

Published: September 11, 2017

Security Bulletin ID SB2017091103
Severity
Low
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Privilege escalation (CVE-ID: CVE-2017-1439)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper privilege controls. A local attacker with DB2 instance owner privileges can obtain root access to the system.

2) Privilege escalation (CVE-ID: CVE-2017-1451)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper privilege controls. A local attacker with DB2 instance owner privileges can obtain root access to the system.

3) Denial of service (CVE-ID: CVE-2017-1519)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to input validation flaw. A remote attacker can supply particular configuration using SSL and an alternate gateway setup to cause disruption of service for Db2 Connect Server setup.

Successful exploitation of the vulnerability results in denial of service.

4) Privilege escalation (CVE-ID: CVE-2017-1438)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper privilege controls. A local attacker with DB2 instance owner privileges can obtain root access to the system.

5) Privilege escalation (CVE-ID: CVE-2017-1452)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to improper privilege controls. A local attacker can obtain root privileges and overwrite DB2 files.

6) Information disclosure (CVE-ID: CVE-2017-1434)

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to the connection string is written in the clear in an error message to db2diag.log. A local attacker can read highly sensitive information in the error log.

Remediation

Install update from vendor's website.

References