Vigil@nce: IBM DB2 9.5, several vulnerabilities
October 2009 by Vigil@nce
An attacker can exploit several vulnerabilities in IBM DB2 in order
to elevate his privileges.
Severity: 2/4
Consequences: data reading, data creation/modification, data deletion
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 3
Creation date: 29/09/2009
IMPACTED PRODUCTS
– IBM DB2 UDB
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in IBM DB2.
When authentication is based on LDAP, an attacker can connect to
the IBM DB2 database (VIGILANCE-VUL-8744 (https://vigilance.fr/tree/1/8744)).
[grav:2/4; CVE-2009-1905, JR32268]
A function is not deleted when a user loses privileges on an
object. [grav:2/4; CVE-2009-3471, IZ46658, IZ46773, IZ46774]
An attacker with sufficient privileges can insert, update or
delete rows in a table. [grav:2/4; CVE-2009-3472, IZ50074,
IZ50078, IZ50079]
CHARACTERISTICS
Identifiers: BID-36540, CVE-2009-1905, CVE-2009-3471,
CVE-2009-3472, IZ46658, IZ46773, IZ46774, IZ50074, IZ50078,
IZ50079, JR32268, VIGILANCE-VUL-9057
http://vigilance.fr/vulnerability/IBM-DB2-9-5-several-vulnerabilities-9057