VID: 25210
Severity: 30
Port: 523
Protocol: TCP
Class: DB
Detailed Description: According to its version, the installation of DB2 10.5 on the remote host is older than Fix Pack 8 and is therefore potentially affected by multiple vulnerabilities:

- A local privilege escalation vulnerability exists because binaries planted in a location that a SETGID or SETUID binary would execute are loaded insecurely. A local attacker can exploit this, via a malicious binary, to gain root privileges. (CVE-2016-5995)

- A denial of service vulnerability exists in the SQLNP_SCOPE_TRIAL() function due to improper handling of SQL statements. An authenticated, remote attacker can exploit this to crash the database.

- A denial of service vulnerability exists in the Query Compiler QGM due to improper handling of specific queries. An authenticated, remote attacker can exploit this, via a specially crafted query, to crash the database.

* References:
http://www.ibm.com/support/docview.wss?uid=swg21990061
http://www.ibm.com/support/docview.wss?uid=swg21633303#8

* Platforms Affected:
IBM DB2 UDB versions before 10.5 Fix Pack 8
Recommendation: Apply the latest IBM DB2 Universal Database Fix Pack (10.5 Fix Pack 8 or later), available from the IBM Support & downloads Web site at:
http://www-01.ibm.com/support/docview.wss?uid=swg24042680
Related URL: CVE-2016-5995 (CVE)
Related URL: 93012 (SecurityFocus)
Related URL (ISS)