Summary
| Detail | |||
|---|---|---|---|
| Vendor | Ibm | First view | 2007-02-23 |
| Product | db2 Universal Database | Last view | 2010-10-05 |
| Version | 9.1 | Type | Application |
| Update | fp4a | ||
| Edition | windows | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:ibm:db2_universal_database | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 6.4 | 2010-10-05 | CVE-2010-3739 | The audit facility in the Security component in IBM DB2 UDB 9.5 before FP6a uses instance-level audit settings to capture connection (aka CONNECT and AUTHENTICATION) events in certain circumstances in which database-level audit settings were intended, which might make it easier for remote attackers to connect without discovery. |
| 5 | 2009-01-16 | CVE-2009-0173 | Unspecified vulnerability in the server in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote authenticated users to cause a denial of service (trap) via a crafted data stream. |
| 5 | 2009-01-16 | CVE-2009-0172 | Unspecified vulnerability in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote attackers to cause a denial of service (infinite loop) via a crafted CONNECT data stream. |
| 4.6 | 2008-08-28 | CVE-2008-3857 | The Base Service Utilities component in IBM DB2 9.1 before Fixpak 5 retains a cleartext password in memory after the database connection that sent the password is fully established, which might allow local users to obtain sensitive information by reading a memory dump. |
| 7.5 | 2008-08-28 | CVE-2008-3856 | The routine infrastructure component in IBM DB2 8 before FP17, 9.1 before FP5, and 9.5 before FP1 on Unix and Linux does not change the ownership of the db2fmp process, which has unknown impact and attack vectors. |
| 4.6 | 2008-08-28 | CVE-2008-3855 | Unspecified vulnerability in the DB2 Administration Server (DAS) in the Core DAS function component in IBM DB2 9.1 before Fixpak 5 allows local users to gain privileges, aka a "FILE CREATION VULNERABILITY." NOTE: this may be the same as CVE-2007-5664. |
| 7.8 | 2008-08-28 | CVE-2008-3854 | Multiple stack-based buffer overflows in IBM DB2 9.1 before Fixpak 5 and 9.5 before Fixpak 1 allow remote attackers to cause a denial of service (system outage) via vectors related to (1) use of XQuery to issue statements; the (2) XMLQUERY, (3) XMLEXISTS, and (4) XMLTABLE statements; and the (5) sqlrlaka function. |
| 6.5 | 2008-08-28 | CVE-2008-3852 | Unspecified vulnerability in the CLR stored procedure deployment from IBM Database Add-Ins for Visual Studio in the Visual Studio Net component in IBM DB2 9.1 before Fixpak 5 and 9.5 before Fixpak 2 allows remote authenticated users to execute arbitrary code via unknown vectors. |
| 9.3 | 2007-11-20 | CVE-2007-6053 | IBM DB2 UDB 9.1 before Fixpak 4 does not properly handle use of large numbers of file descriptors, which might allow attackers to have an unknown impact involving "memory corruption." NOTE: the vendor description of this issue is too vague to be certain that it is security-related. |
| 7.8 | 2007-11-20 | CVE-2007-6052 | IBM DB2 UDB 9.1 before Fixpak 4 does not properly perform vector aggregation, which might allow attackers to cause a denial of service (divide-by-zero error and DBMS crash), related to an "overflow." NOTE: the vendor description of this issue is too vague to be certain that it is security-related. |
| 10 | 2007-11-20 | CVE-2007-6051 | IBM DB2 UDB 9.1 before Fixpak 4 assigns incorrect privileges to the (1) DB2ADMNS and (2) DB2USERS alternative groups, which has unknown impact. NOTE: the vendor description of this issue is too vague to be certain that it is security-related. |
| 7.2 | 2007-11-20 | CVE-2007-6050 | Unspecified vulnerability in DB2LICD in IBM DB2 UDB 9.1 before Fixpak 4 has unknown impact and attack vectors, related to creation of an "insecure directory." |
| 7.2 | 2007-11-20 | CVE-2007-6049 | Unspecified vulnerability in the SSL LOAD GSKIT action in IBM DB2 UDB 9.1 before Fixpak 4 has unknown impact and attack vectors, involving a call to dlopen when the effective uid is root. |
| 10 | 2007-11-20 | CVE-2007-6048 | IBM DB2 UDB 9.1 before Fixpak 4 uses incorrect permissions on ACLs for DB2NODES.CFG, which has unknown impact and attack vectors. NOTE: the vendor description of this issue is too vague to be certain that it is security-related. |
| 10 | 2007-11-20 | CVE-2007-6047 | Unspecified vulnerability in the DB2DART tool in IBM DB2 UDB 9.1 before Fixpak 4 allows attackers to execute arbitrary commands as the DB2 instance owner, related to invocation of TPUT by DB2DART. |
| 7.2 | 2007-11-20 | CVE-2007-6046 | Unspecified vulnerability in unspecified setuid programs in IBM DB2 UDB 9.1 before Fixpak 4 allows local users to have an unknown impact. |
| 10 | 2007-11-20 | CVE-2007-6045 | Unspecified vulnerability in (1) DB2WATCH and (2) DB2FREEZE in IBM DB2 UDB 9.1 before Fixpak 4 has unknown impact and attack vectors. |
| 6 | 2007-08-18 | CVE-2007-4417 | IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 does not properly revoke privileges on methods, which allows remote authenticated users to execute a method after revocation until the routine auth cache is flushed. |
| 6.9 | 2007-08-18 | CVE-2007-4276 | Stack-based buffer overflow in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows attackers to execute arbitrary code via a long DASPROF and possibly other environment variables, which are copied into the buildDasPaths buffer. |
| 6.9 | 2007-08-18 | CVE-2007-4275 | Multiple untrusted search path vulnerabilities in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allow local users to gain privileges via certain vectors related to (1) DB2 instance or FMP startup on Linux and Solaris; (2) exec of executables while running as root on non-Windows systems, as demonstrated by AIX; and unspecified vectors involving (3) db2licm and (4) db2pd. |
| 4.6 | 2007-08-18 | CVE-2007-4273 | IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows local users to create arbitrary directories and execute arbitrary code via a "crafted localized message file" that enables a format string attack, possibly involving the (1) OSSEMEMDBG or (2) TRC_LOG_FILE environment variable in db2licd (db2licm). |
| 1.9 | 2007-08-18 | CVE-2007-4272 | Multiple vulnerabilities in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allow local users to create arbitrary files via (1) unspecified vectors where an attacker's umask is honored, (2) /etc/ld.so.preload, (3) certain "cron data file locations", and other unspecified vectors possibly involving the (4) OSSEMEMDBG or (5) TRC_LOG_FILE environment variable in db2licd (db2licm). |
| 2.1 | 2007-08-18 | CVE-2007-4271 | Directory traversal vulnerability in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows local users to create arbitrary files via a .. (dot dot) in an unspecified environment variable, which is appended to "/tmp/" and used as a log file. NOTE: this issue might be related to symlink following. |
| 6.9 | 2007-08-18 | CVE-2007-4270 | Multiple race conditions in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allow local users to gain root privileges via a symlink attack on certain files. |
| 7.2 | 2007-02-23 | CVE-2007-1089 | IBM DB2 Universal Database (UDB) 9.1 GA through 9.1 FP1 allows local users with table SELECT privileges to perform unauthorized UPDATE and DELETE SQL commands via unknown vectors. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 47% (8) | CWE-264 | Permissions, Privileges, and Access Controls |
| 11% (2) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
| 11% (2) | CWE-20 | Improper Input Validation |
| 5% (1) | CWE-399 | Resource Management Errors |
| 5% (1) | CWE-287 | Improper Authentication |
| 5% (1) | CWE-200 | Information Exposure |
| 5% (1) | CWE-134 | Uncontrolled Format String |
| 5% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 68409 | IBM DB2 UDB Security Component Audit Facility Connection Capture Instance-lev... |
| 54035 | IBM DB2 Universal Database setuid Programs Unspecified Local Issue |
| 52619 | IBM DB2 Universal Database Crafted CONNECT Data Stream Unspecified Remote DoS |
| 52618 | IBM DB2 Universal Database Crafted Data Stream Unspecified Remote DoS |
| 48429 | IBM DB2 Universal Database Base Service Utilities Component Memory Dump Clear... |
| 46271 | IBM DB2 Universal Database Admin Server File Creation Unspecified Local Privi... |
| 46270 | IBM DB2 Universal Database Add-ins for Visual Studio CLR Stored Procedure Dep... |
| 46267 | IBM DB2 Universal Database SQLRLAKA() Overflow |
| 46266 | IBM DB2 Universal Database XMLTABLE Statement Overflow |
| 46265 | IBM DB2 Universal Database XMLEXISTS Statement Overflow |
| 46264 | IBM DB2 Universal Database XMLQUERY Statement Overflow |
| 46263 | IBM DB2 Universal Database XQuery Statement Overflow |
| 46262 | IBM DB2 Universal Database on *nix DB2FMP Process Ownership Switching Unspeci... |
| 41017 | IBM DB2 Universal Database DB2NODES.CFG ACL Weakness Unspecified Issue |
| 41016 | IBM DB2 Universal Database DB2DART Tool TPUT Arbitrary Command Execution |
| 41015 | IBM DB2 Universal Database DB2FREEZE Unspecified Issue |
| 41014 | IBM DB2 Universal Database DB2WATCH Unspecified Issue |
| 41013 | IBM DB2 Universal Database SSL LOAD GSKIT Action Unspecified Issue |
| 41012 | IBM DB2 Universal Database DB2LICD Directory Creation Unspecified Issue |
| 41011 | IBM DB2 Universal Database DB2ADMNS / DB2USERS Alternative Group Permission ... |
| 41010 | IBM DB2 Universal Database Vector Aggregation Unspecified DoS |
| 41008 | IBM DB2 Universal Database File Descriptor Handling Unspecified Memory Corrup... |
| 40994 | IBM DB2 Universal Database Multiple Unspecified Symlink Local Privilege Escal... |
| 40993 | IBM DB2 Universal Database Unspecified /tmp Logfile Arbitrary File Creation |
| 40992 | IBM DB2 Universal Database db2licd (db2licm) Unspecified Arbitrary File Creation |
OpenVAS Exploits
| id | Description |
|---|---|
| 2010-10-08 | Name : IBM DB2 Multiple Vulnerabilities (Oct10) File : nvt/gb_ibm_db2_mult_vuln_oct10.nasl |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | IBM DB2 database server SQLSTT denial of service attempt RuleID : 16364 - Type : SERVER-OTHER - Revision : 8 |
| 2014-01-10 | IBM DB2 Database Server invalid data stream denial of service attempt RuleID : 16341 - Type : SERVER-OTHER - Revision : 9 |
| 2014-01-10 | IBM DB2 database server CONNECT denial of service attempt RuleID : 15509 - Type : SERVER-OTHER - Revision : 8 |
| 2014-01-10 | IBM DB2 Universal Database xmlquery buffer overflow attempt RuleID : 14991 - Type : SQL - Revision : 7 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2010-09-07 | Name: The remote database server is affected by multiple vulnerabilities. File: db2_95fp6.nasl - Type: ACT_GATHER_INFO |
| 2008-09-12 | Name: The remote database server is affected by multiple issues. File: db2_8fp17.nasl - Type: ACT_GATHER_INFO |
| 2008-08-28 | Name: The remote database server is affected by multiple vulnerabilities. File: db2_95fp2.nasl - Type: ACT_GATHER_INFO |
| 2008-07-30 | Name: The remote database server is affected by multiple vulnerabilities. File: db2_95fp1.nasl - Type: ACT_GATHER_INFO |
| 2008-06-10 | Name: The remote database server is affected by multiple vulnerabilities. File: db2_9fp5.nasl - Type: ACT_GATHER_INFO |
| 2007-11-16 | Name: The remote database server is affected by multiple vulnerabilities. File: db2_9fp4.nasl - Type: ACT_GATHER_INFO |
| 2007-08-20 | Name: The remote database server is affected by multiple vulnerabilities. File: db2_9fp3.nasl - Type: ACT_GATHER_INFO |
