Detections
Analytics

IBM DB2 < 9 Fix Pack 2 Multiple Vulnerabilities

critical Nessus Plugin ID 24699

Language:

Synopsis

The remote database server is affected by multiple issues.

Description

According to its version, the installation of IBM DB2 running on the remote host allows unsafe access to several setuid-root binaries. A local attacker can exploit this to crash the affected database server or possibly even gain root-level access.

In addition, the fenced userid may be able to access directories without proper authorization.

Solution

Apply DB2 Version 9 Fix Pack 2 or later.

See Also

http://www.nessus.org/u?c3852717

http://www.nessus.org/u?3f1c047c

https://seclists.org/fulldisclosure/2007/Feb/520

https://seclists.org/fulldisclosure/2007/Feb/522

http://www-1.ibm.com/support/docview.wss?uid=swg21255745

http://www-1.ibm.com/support/docview.wss?uid=swg21255747

http://www-1.ibm.com/support/docview.wss?uid=swg1IY86711

Plugin Details

Severity: Critical

ID: 24699

File Name: db2_9fp2.nasl

Version: 1.27

Type: remote

Family: Databases

Published: 2/23/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:db2

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/6/2006

Reference Information

CVE: CVE-2007-1086, CVE-2007-1087, CVE-2007-1088, CVE-2007-1228

BID: 22677, 22729

CWE: 287