VID | 25055
Severity | 40
Port | 523
Protocol | TCP
Class | DB2
Detailed Description | The IBM DB2 UDB server, depending on its version, is vulnerable to denial of service via the ATTACH/CONNECT request. IBM DB2 Universal Database (UDB) versions prior to 8.1 FixPak 12 are vulnerable to a buffer overflow caused by improper bounds checking of ATTACH and CONNECT requests. By sending a specially crafted ATTACH or CONNECT request during the initial handshake, a remote attacker could crash the database or possibly execute arbitrary code on the affected host.
* References:
  http://www-1.ibm.com/support/docview.wss?uid=swg24012305
  http://www-1.ibm.com/support/docview.wss?uid=swg1IY84096
  http://www-1.ibm.com/support/docview.wss?uid=swg1IY76767
  http://www-1.ibm.com/support/docview.wss?uid=swg1IY79204
  http://www-1.ibm.com/support/docview.wss?uid=swg1IY82725
  http://www.securityfocus.com/archive/1/archive/1/445297/100/0/threaded
  http://www.frsirt.com/english/advisories/2006/2332
  http://secunia.com/advisories/20579
* Platforms Affected:
  IBM DB2 Universal Database 8.x
  Microsoft Windows, any version
  Sun Microsystems, Inc., Solaris SPARC and x86
  Hewlett-Packard Company, HP-UX 11i
  Linux, any version
  IBM AIX 4.0 and 5L
Recommendation | Apply the latest IBM DB2 Universal Database Fix Pack (8.1 FixPak 12 or 8.2 FixPak 5 or later), available from the IBM Support & downloads Web site at http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg24012305
Related URL | CVE-2006-3066 (CVE)
Related URL | 18428 (SecurityFocus)
Related URL | 27098 (ISS)