Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] IBM DB2 Flaws Found

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] IBM DB2 Flaws Found
Date: Mon, 14 Feb 2005 04:25:53 -0600 (CST) 
http://www.eweek.com/article2/0,1759,1764124,00.asp

By Lisa Vaas 
February 11, 2005

Several flaws have been discovered in IBM's DB2 Universal Database
that can be exploited to cause DoS attacks, to reveal sensitive
information, to read and manipulate file content, or to compromise
vulnerable systems.

An advisory posted Thursday on the bug-reporting site Secunia rates
the flaws as moderately critical, with IBM having already issued a
FixPak for DB2 versions 8.x.

IBM's advisory states that the vulnerabilities were discovered on Dec.  
10. The new vulnerabilities follow close on the heels of three FixPaks
that IBM released in October to address multiple vulnerabilities in
DB2 on Linux, Unix and Windows platforms.

The specifics on one of the flaws is that an error in the Windows
platform relating to the way system resources are used can be
exploited to cause a denial-of-service attack, to grab users'
passwords or to view other query results.

A second flaw has to do with processing of network messages while
establishing a database connection or instance attachment. Attackers
can exploit the flaw to execute arbitrary code.

Another flaw deals with missing restrictions in some XML Extender
user-defined functions. Exploits result in malicious users being able
to read or manipulate file content.

Finally, when creating certain databases within federated support,
attackers can exploit a flaw that allows them to execute arbitrary
code on vulnerable systems.

IBM advises all users of Unix, Linux and Windows platforms, as well as
users of DB2 UDB clients, servers and Connect gateway installations,
to install FixPaks 6a, 6b and 7a.

IBM advises all of the above users, plus users of DB2 XML Extender, to
install FixPak 8. Windows-specific fixes in FixPak 8 also apply to DB2
clients, but the risk isn't serious, according to IBM, and therefore
the fix isn't crucial.

In general, IBM advises DB2 UDB administrators to upgrade all DB2
client, server and Connect gateway instances on all supported
platforms to DB2 UDB Version 8.1 FixPak 8 "as soon as possible." The
only exceptions are DB2 UDB client instances on Version 8.1 FixPak 6a,
6b or 7a, which don't need to move up to the FixPak 8 level.



_________________________________________
Bellua Cyber Security Asia 2005 -
http://www.bellua.com/bcs2005
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] IBM DB2 Flaws Found, InfoSec News <=
Previous by Date:  [ISN] China's Big Export - When it comes to spying, Beijing likes to flood the zone, InfoSec News
Next by Date:  [ISN] Hacker invades 'War of the Worlds' Web site, InfoSec News
Previous by Thread:  [ISN] China's Big Export - When it comes to spying, Beijing likes to flood the zone, InfoSec News
Next by Thread:  [ISN] Hacker invades 'War of the Worlds' Web site, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]