VID | 25072
Severity | 40
Port | 523
Protocol | TCP
Class | DB2
Detailed Description |
A version of IBM DB2 UDB server older than 9.1 FixPak 7 is running on the host. Such versions are reportedly affected by multiple issues:
- In certain situations an INNER JOIN predicate is applied before the OUTER JOIN predicate, which could result in the disclosure of sensitive information.
- It may be possible to connect to DB2 servers without a valid password when LDAP-based authentication is used and the remote LDAP server is configured to allow anonymous binds.
- By connecting to a DB2 server with a third-party DRDA client that uses the IPv6 address format for the correlation token, it may be possible to crash the remote DB2 server.
* References:
  - http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg21255607#7
  - http://www-01.ibm.com/support/docview.wss?uid=swg1JR31886
  - http://www-01.ibm.com/support/docview.wss?uid=swg1JR32272
  - http://www-01.ibm.com/support/docview.wss?uid=swg1IZ36683
* Platforms Affected: IBM DB2 UDB versions 9.1 prior to 9.1 FixPack 7 on:
  - Microsoft Windows, any version
  - Sun Microsystems, Inc., Solaris SPARC and x86
  - Hewlett-Packard Company, HP-UX 11i
  - Linux, any version
  - IBM AIX 4.0 and 5L |
Recommendation |
For DB2 Universal Database 9.1: Apply the latest IBM DB2 Universal Database Fix Pack (9.1 FixPak 7 or later), available from the IBM Support & downloads Web site at http://www-1.ibm.com/support/docview.wss?uid=swg1JR31886 |
Related URL | CVE-2009-1239 (CVE)
Related URL | 34650 (SecurityFocus)
Related URL | (ISS)