News Stay informed about the latest enterprise technology news and product updates.

Two IBM DB2 flaws allow arbitrary code execution

IBM has alerted DB2 users to apply fixes for vulnerabilities in the relational database that could enable an attacker to execute code.

IBM recommends DB2 7.2/8.1 relational database users apply a fixpack for vulnerabilities in two commands that could allow an attacker to execute arbitrary code with high privileges.

The vulnerabilities are in the INVOKE command, which invokes procedures stored at a specific location in a database, and in LOAD -- one of the most commonly used commands -- which moves data into a database table.

A specially crafted version of either command could cause the stack to overflow and allow an attacker to execute arbitrary code on the database machine, at the administrator privilege level in Windows and as db2inst1 or db2as in Linux. The attacker need only have "Connect" privileges to the database.

The INVOKE vulnerability occurs in version Windows 7.2, while the LOAD vulnerability affects version 7.2 for both Windows and Linux. IBM DB2 Universal Data Base 8.1 is also vulnerable.

These vulnerabilities were first discovered by researchers Mark Rowe and Matt Moore from British security testing firm Pentest Limited, as part of a project on how to secure DB2 installations.


IBM DB2 FixPaks

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.