MA-162.062009: MyCERT Alert - Multiple Vulnerabilities in IBM DB2
Initial Release: 05 June 2009

1.0 Introduction

Two vulnerabilities have been reported in the following IBM DB2 product:

- IBM DB2 LDAP Authentication Bug
- IBM DB2 3rd-Party JDBC Driver IPv6 Bug
2.0 Impact

2.1 IBM DB2 LDAP Authentication Bug

An attacker who successfully exploits the LDAP Authentication bug can remotely connect to the target database without any authentication.

2.2 IBM DB2 3rd-Party JDBC Driver IPv6 Bug

An attacker who successfully exploits this vulnerability can use a third-party DRDA client to connect to the target database server and send a correlation token in IPv6 address format, causing the target database to crash.
3.0 Affected Products

The vulnerable products and versions are listed below:

- IBM DB2 v9.1 prior to FixPak 7
- IBM DB2 v9.5 prior to FixPak 4
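The quickest way to tell whether an installation falls in the affected range is to read the version and Fix Pack tokens reported by the `db2level` utility and compare them against the fixed levels above. The following is an added example, not part of the MyCERT advisory or of IBM's tooling; the sample `db2level` output is constructed for the example and its exact wording is an assumption about the utility's format, and the function names (`parse_db2level`, `is_vulnerable`) are illustrative.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fix Pack level at which each release line is fixed, taken from the
# Affected Products section of the advisory: 9.1 needs FixPak 7, 9.5 needs
# FixPak 4. Releases not listed here are outside the advisory's scope.
FIXED_LEVELS = {(9, 1): 7, (9, 5): 4}

# Constructed sample of `db2level` output (assumed format; not quoted from
# the advisory). Note that the "Fix Pack" token may wrap onto the next line.
SAMPLE_DB2LEVEL = """DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09054"
with level identifier "06050107".
Informational tokens are "DB2 v9.5.0.4", "s090429", "IP23714", and Fix Pack
"4".
Product is installed at "/opt/ibm/db2/V9.5".
"""

# Capture major, minor and the Fix Pack number; re.S lets ".*?" span the
# line break between "Fix Pack" and its quoted value.
TOKEN_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.\d+\.\d+".*?Fix Pack\s*"(\d+)"', re.S)


def parse_db2level(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, fixpack) parsed from db2level output, or None."""
    m = TOKEN_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(level: Tuple[int, int, int]) -> Optional[bool]:
    """True if the level is below the fixed FixPak for its release line,
    False if at or above it, None if the release line is not covered
    by this advisory (for example 9.7)."""
    major, minor, fixpack = level
    fixed = FIXED_LEVELS.get((major, minor))
    if fixed is None:
        return None
    return fixpack < fixed


def check_installed() -> Optional[bool]:
    """Run db2level on this host (if present) and evaluate the result."""
    if shutil.which("db2level") is None:
        return None
    proc = subprocess.run(["db2level"], capture_output=True, text=True)
    level = parse_db2level(proc.stdout)
    return None if level is None else is_vulnerable(level)


if __name__ == "__main__":
    lvl = parse_db2level(SAMPLE_DB2LEVEL)
    print("sample level:", lvl, "vulnerable:", is_vulnerable(lvl))
    print("this host:", check_installed())
```

A result of None means the release line is not one the advisory speaks to, which should not be read as "safe"; check the vendor's own announcements for those lines.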
4.0 Recommendation

The solutions provided by IBM for these vulnerabilities are as follows:

4.1 IBM DB2 LDAP Authentication Bug

4.2 IBM DB2 3rd-Party JDBC Driver IPv6 Bug

- Update to IBM DB2 UDB Version 9.5, FixPak 4
- Alternatively, use the IBM DB2 JDBC driver or an older third-party JDBC driver that does not place an IPv6 address in the correlation token
MyCERT generally advises users of this product to keep themselves updated with the latest security announcements from the vendor.

MyCERT can be reached at:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References