Vigil@nce: IBM DB2 8.1, several vulnerabilities
October 2009 by Vigil@nce
An attacker can use several vulnerabilities in IBM DB2 to
elevate their privileges.
Severity: 2/4
Consequences: data reading, data creation/modification, data deletion
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 29/09/2009
IMPACTED PRODUCTS
– IBM DB2 UDB
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in IBM DB2.
– A function is not deleted when a user loses privileges on an
object. [grav:2/4; CVE-2009-3471, IZ46658, IZ46773, IZ46774]
– An attacker with sufficient privileges can insert, update or
delete rows in a table. [grav:2/4; CVE-2009-3472, IZ50074,
IZ50078, IZ50079]
CHARACTERISTICS
Identifiers: BID-36540, CVE-2009-3471, CVE-2009-3472, IZ46658,
IZ46773, IZ46774, IZ50074, IZ50078, IZ50079, VIGILANCE-VUL-9055
http://vigilance.fr/vulnerability/IBM-DB2-8-1-several-vulnerabilities-9055