Vigil@nce: IBM DB2 9.7, two vulnerabilities
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use two vulnerabilities in IBM DB2 to execute
privileged features.
– Severity: 2/4
– Creation date: 17/09/2010
DESCRIPTION OF THE VULNERABILITY
Two vulnerabilities were announced in IBM DB2.
When privileges on an object are revoked from PUBLIC, a local
attacker can continue to execute functions, because these functions
are not marked as INVALID. [severity:2/4; IC68015]
When a privileged user calls a Compound SQL (compiled) statement, it is
stored in the cache. However, access rights to the cache are not
checked. An unprivileged attacker can therefore execute the cached
query. [severity:2/4; IC70406]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-DB2-9-7-two-vulnerabilities-9952