CERT-In Vulnerability Note CIVN-2009-08
Multiple Vulnerabilities in IBM DB2
Original Issue Date: January 20, 2009
Severity Rating: Medium
Systems Affected
The affected products, for DB2 UDB for Linux, UNIX, and Windows Versions 8.1, 8.2, 9.1 and 9.5, are:
- DB2 Enterprise Server Edition
- DB2 Workgroup Server (all Editions)
- DB2 Express Server (all Editions)
- DB2 Personal Edition
- DB2 Connect Server (all Editions)
Overview
Multiple vulnerabilities have been reported in IBM DB2 that could allow malicious users to cause a denial of service.
Description
1. "CONNECT" Data Stream Denial of Service Vulnerability (CVE-2009-0172)
An unspecified vulnerability exists in some versions of DB2 UDB products when processing a malformed "CONNECT" data stream. This vulnerability can be exploited to terminate the database server.
2. Data Stream Denial of Service Vulnerability (CVE-2009-0173)
An unspecified vulnerability exists in some versions of DB2 UDB products when processing certain malformed data streams. A remote attacker can exploit this vulnerability to cause a denial of service by terminating the database server.
Solution
Apply the patches referenced in the IBM advisories:
http://www-01.ibm.com/support/docview.wss?uid=swg21363936
http://www-01.ibm.com/support/docview.wss?uid=swg27007053
Vendor Information
IBM
http://www-01.ibm.com/support/docview.wss?uid=swg21363936
http://www-01.ibm.com/support/docview.wss?uid=swg27007053
References
Secunia
http://secunia.com/advisories/33529/
Security Tracker
http://securitytracker.com/alerts/2009/Jan/1021591.html
ISS X-Force Database
http://xforce.iss.net/xforce/xfdb/47931
SecurityFocus
http://www.securityfocus.com/bid/33258
CVE Name
CVE-2009-0172
CVE-2009-0173
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003