Two IBM DB2 flaws allow arbitrary code execution

Edmund X. DeJesus, Information Security Magazine

IBM recommends DB2 7.2/8.1 relational database users apply a fixpack for vulnerabilities in two commands that could allow an attacker to execute arbitrary code with high privileges.

The vulnerabilities are in the INVOKE command, which invokes procedures stored at a specific location in a database, and in LOAD -- one of the most commonly used commands -- which moves data into a database table.

A specially crafted version of either command could cause the stack to overflow and allow an attacker to execute arbitrary code on the database machine, at the administrator privilege level in Windows and as db2inst1 or db2as in Linux. The attacker need only have "Connect" privileges to the database.

The INVOKE vulnerability occurs in version Windows 7.2, while the LOAD vulnerability affects version 7.2 for both Windows and Linux. IBM DB2 Universal Data Base 8.1 is also vulnerable.

These vulnerabilities were first discovered by researchers Mark Rowe and Matt Moore from British security testing firm Pentest Limited, as part of a project on how to secure DB2 installations.


    Requires Free Membership to View

IBM DB2 FixPaks

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: