Vigil@nce: IBM DB2, denial of service of JDBC Applet Server
October 2009 by Vigil@nce
A network attacker can send a malicious query to the JDBC Applet
Server, in order to stop it.
Severity: 2/4
Consequences: denial of service of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/10/2009
IMPACTED PRODUCTS
– IBM DB2 UDB
DESCRIPTION OF THE VULNERABILITY
A Java application can use a DB2 database, by connecting to JDBC
Applet Server, which listens on the port 6789/tcp.
The jdbcReadString() method handles character strings provided by
the application. However, when a Unicode string is converted to
Ansi, jdbcReadString() uses an invalid size, which generates a
read at an invalid memory address.
A network attacker can therefore send a malicious query to the
JDBC Applet Server, in order to stop it.
CHARACTERISTICS
Identifiers: CVE-2009-2971, NSFOCUS SA2009-02, VIGILANCE-VUL-9100
http://vigilance.fr/vulnerability/IBM-DB2-denial-of-service-of-JDBC-Applet-Server-9100