Vigil@nce: IBM DB2 10.1, four vulnerabilities
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use four vulnerabilities of IBM DB2, in order to
create a denial of service or to elevate his privileges.
– Impacted products: DB2 UDB
– Severity: 2/4
– Creation date: 14/09/2012
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in IBM DB2.
An authenticated attacker can use SQLJ.DB2_INSTALL_JAR to replace
a JAR archive, in order to execute privileged code
(VIGILANCE-VUL-11870 (https://vigilance.fr/tree/1/11870)).
[severity:2/4; CVE-2012-2194, IC84019, IC84711, IC84714, IC84716,
swg21607622]
An attacker can use GET_WRAP_CFG_C and GET_WRAP_CFG_C2 to access
to XML files (VIGILANCE-VUL-11845 (https://vigilance.fr/tree/1/11845)).
[severity:2/4; CVE-2012-2196, IC84614, IC84712, IC84748, IC84750,
IC84751, swg21607618]
An authenticated attacker can generate a buffer overflow in the
processing of Java stored procedures, in order to elevate his
privileges (VIGILANCE-VUL-11871 (https://vigilance.fr/tree/1/11871)).
[severity:2/4; CVE-2012-2197, IC84555, IC84752, IC84753, IC84754,
IC84755, swg21607628]
An attacker can use the UTL_FILE module to access to files located
outside the DB2 server root. [severity:2/4; CVE-2012-3324,
IC85513, swg21611040]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-DB2-10-1-four-vulnerabilities-11949