VID | 25091
Severity | 30
Port | 523
Protocol | TCP
Class | DB2
Detailed Description |
A version of IBM DB2 UDB server older than 9.7 FixPak 2 is running on the host. Such versions are reportedly affected by multiple issues:
- If the database configuration parameter 'AUTO_REVAL' is set to 'IMMEDIATE', system-granted privileges are not regenerated. (IC67008)
- The 'Monitor Administrative Views' in the SYSIBMADM schema are publicly viewable. (IC67819)
- A weakness in the SSL v3 / TLS protocol involving session renegotiation may allow an attacker to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks. (IC68055)
- By sending a specially crafted packet to the Tivoli Monitoring Agent (KUDDB2), which listens on TCP port 6014 by default, it may be possible to trigger a denial of service condition. (IC68762)
* References:
  - http://intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html
  - http://www-01.ibm.com/support/docview.wss?uid=swg21432298
* Platforms Affected:
  - IBM DB2 UDB versions 9.7 prior to 9.7 FixPak 2
  - Microsoft Windows: any version
  - Sun Microsystems, Inc., Solaris: SPARC and x86
  - Hewlett-Packard Company, HP-UX 11i
  - Linux: any version
  - IBM AIX 4.0 and 5L
Recommendation |
For DB2 Universal Database 9.7: Apply the latest IBM DB2 Universal Database Fix Pack (9.7 FixPak 2 or later), available from the IBM Support & downloads Web site at http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg27007053
Related URL | CVE-2009-3555, CVE-2010-0472 (CVE)
Related URL | 38018, 40446 (SecurityFocus)
Related URL | (ISS)