SB2018111602 - Privilege escalation vulnerabilities in IBM DB2

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Privilege escalation (CVE-ID: CVE-2018-1780)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A a local db2 instance owner can exploit a symbolic link attack to read/write/corrupt a file that he originally did not have permission to access and obtain root access to the system.

2) Privilege escalation (CVE-ID: CVE-2018-1781)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A a local db2 instance owner can exploit a symbolic link attack to read/write/corrupt a file that he originally did not have permission to access and obtain root access to the system.

3) Privilege escalation (CVE-ID: CVE-2018-1799)

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A local db2 instance owner can overwrite files on the system which could cause damage to the database.

4) Privilege escalation (CVE-ID: CVE-2018-1834)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper privileges and access controls. A local db2 instance owner can conduct symbolic link attack and gain elevated privileges.

Remediation

Install update from vendor's website.

References

• http://www-01.ibm.com/support/docview.wss?uid=ibm10733939