IBM recommends DB2 7.2/8.1 relational database users apply a fixpack for vulnerabilities in two commands that could allow an attacker to execute arbitrary code with high privileges.
The vulnerabilities are in the INVOKE command, which invokes procedures stored at a specific location in a database, and in LOAD -- one of the most commonly used commands -- which moves data into a database table.
A specially crafted version of either command could cause the stack to overflow and allow an attacker to execute arbitrary code on the database machine, at the administrator privilege level in Windows and as db2inst1 or db2as in Linux. The attacker need only have "Connect" privileges to the database.
The INVOKE vulnerability occurs in version Windows 7.2, while the LOAD vulnerability affects version 7.2 for both Windows and Linux. IBM DB2 Universal Data Base 8.1 is also vulnerable.
These vulnerabilities were first discovered by researchers Mark Rowe and Matt Moore from British security testing firm Pentest Limited, as part of a project on how to secure DB2 installations.
FOR MORE INFORMATION: