Vigil@nce: IBM DB2 9.1, several vulnerabilities
October 2009 by Vigil@nce
An attacker can exploit several vulnerabilities in IBM DB2 in order to
elevate privileges.
Severity: 2/4
Consequences: data reading, data creation/edition, data deletion
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 3
Creation date: 29/09/2009
IMPACTED PRODUCTS
– IBM DB2 UDB
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in IBM DB2.
A function is not dropped when a user loses privileges on an
object. [grav:2/4; CVE-2009-3471, IZ46658, IZ46773, IZ46774]
An attacker with sufficient privileges can insert, update or
delete rows in a table. [grav:2/4; CVE-2009-3472, IZ50074,
IZ50078, IZ50079]
An attacker can use "SET SESSION AUTHORIZATION" without holding the
SETSESSIONUSER privilege. [grav:2/4; CVE-2009-3473, IZ55883]
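The third item concerns the SETSESSIONUSER privilege that DB2 requires before a session may switch its authorization ID. The following is an added illustration, not part of the Vigil@nce bulletin, of the control as intended: the switch is only meant to succeed after an explicit grant, and those grants can be reviewed in the catalog. The user names alice and bob are constructed, and SYSCAT.SURROGATEAUTHIDS is assumed to be the catalog view recording SETSESSIONUSER grants; verify it against the documentation of your DB2 release.

```sql
-- Run as a user with SECADM/DBADM rights: allow bob to switch his session
-- authorization to alice. Without this grant, SET SESSION AUTHORIZATION
-- must fail; the bulletin's third vulnerability is a bypass of this check.
GRANT SETSESSIONUSER ON USER alice TO USER bob;

-- Run as bob: switch the session authorization ID (should only work after
-- the grant above). SYSTEM_USER stays bob; SESSION_USER becomes ALICE.
SET SESSION AUTHORIZATION = 'ALICE';
VALUES (SYSTEM_USER, SESSION_USER);

-- Defender review: list every user or group that may assume another
-- authorization ID. TRUSTEDIDTYPE 'U'/'G' = user/group holder (assumed
-- column values); 'C' rows belong to trusted contexts and are excluded.
SELECT grantor, trustedid, trustedidtype, surrogateauthid, surrogateauthidtype
FROM syscat.surrogateauthids
WHERE trustedidtype IN ('U', 'G')
ORDER BY trustedid, surrogateauthid;

-- Remove the capability once it is no longer needed.
REVOKE SETSESSIONUSER ON USER alice FROM USER bob;
```

Any holder that appears in the review query but is not expected should be revoked; on an unpatched 9.1 server the grant list alone does not guarantee that no other session can switch authorization.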
CHARACTERISTICS
Identifiers: BID-36540, CVE-2009-3471, CVE-2009-3472,
CVE-2009-3473, IZ46658, IZ46773, IZ46774, IZ50074, IZ50078,
IZ50079, IZ55883, VIGILANCE-VUL-9056
http://vigilance.fr/vulnerability/IBM-DB2-9-1-several-vulnerabilities-9056