Two IBM DB2 flaws allow arbitrary code execution

IBM has alerted DB2 users to apply fixes for vulnerabilities in the relational database that could enable an attacker to execute code.

IBM recommends DB2 7.2/8.1 relational database users apply a fixpack for vulnerabilities in two commands that could allow an attacker to execute arbitrary code with high privileges.

The vulnerabilities are in the INVOKE command, which invokes procedures stored at a specific location in a database, and in LOAD -- one of the most commonly used commands -- which moves data into a database table.

A specially crafted version of either command could cause the stack to overflow and allow an attacker to execute arbitrary code on the database machine, at the administrator privilege level in Windows and as db2inst1 or db2as in Linux. The attacker need only have "Connect" privileges to the database.

The INVOKE vulnerability occurs in version Windows 7.2, while the LOAD vulnerability affects version 7.2 for both Windows and Linux. IBM DB2 Universal Data Base 8.1 is also vulnerable.

These vulnerabilities were first discovered by researchers Mark Rowe and Matt Moore from British security testing firm Pentest Limited, as part of a project on how to secure DB2 installations.

FOR MORE INFORMATION:

IBM DB2 FixPaks


Dig deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close