Database - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Database


DB2 Crack Lets in Attackers Without Database Credentials



 By: Lisa Vaas
2006-06-12
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Database story.


Rate This Article:
Poor Best
Big Blue promptly fixes flaw—unlike, it tartly says, some big database vendors.

Security researchers have uncovered a critical client/server protocol flaw in IBMs DB2 database.

Impervas Application Defense Center reported on June 12 that it had discovered the vulnerability—which allows any attacker with network access to the database server to bring it down or to run arbitrary code—in DB2 Version 8.

The flaws severity is magnified by the fact that an attacker doesnt need database credentials to exploit the weakness, according to Imperva.

Also, due to the fact that this is a network-level flaw, attacks slip by DB2s built-in auditing mechanism.

Resource Library:
When requested for comment on the flaw, IBM took the opportunity to thumb its nose at archrival Oracle, whose "Unbreakable" slogan and slow patch times have gotten it into sticky PR situations in the past few years.

"IBM realizes that it is unrealistic to claim that any database is unbreakable and that code—by its very nature—may contain some flaws," IBM engineers relayed in a statement e-mailed by a spokesperson.

"This is why the IBM development teams are continually working with various security entities throughout the industry to evaluate our code and detect any potential problems," IBMs statement continues. "Our engineers then work to quickly address any problems with an immediate patch rather than leaving our customers exposed until the next scheduled Fixpack release."

Oracle kept users waiting weeks for the scheduled April 2006 Critical Patch Update. Click here to read more.

IBM released a Fixpack for the flaw on May 12. IBMs APAR (Authorized Program Analysis Report) IY84096, which documents the flaw, is available along with the Fixpack on IBMs site.

According to IBMs APAR, the flaw results in a buffer overflow after a bad connect request causes memory corruption and crash.

"A malicious CONNECT or ATTACH request sent to a DB2 server may cause a buffer overflow and instance crash, resulting in a denial of service," the APAR reads.

Affected DB2 versions include DB2 on Unix, Linux and Windows (all versions, all platforms).

According to IBM, DB2 users can disable or restrict remote access to the database server in order to effect a temporary fix. Users should disable the DB2 TCP/IP listener if not required, IBM instructs (set SVCENAME to NULL in the database manager configuration), or use a firewall to restrict connections to the DB2 TCP/IP listener port.

Editors Note: This story was updated to remove a reference to researchers who discovered the flaw in addition to Imperva. In fact, the researchers initially mentioned are Imperva researchers.

Check out eWEEK.coms for the latest database news, reviews and analysis.



  Reader Comments: DB2 Crack Lets in Attackers Without Database Credentials
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Database Articles          >>> More By Lisa Vaas
 


x}ks6*Q3{L=RJ64ԭRQ$$1H.IVrO/vKZ=sf6ЍFh|G޻$\i9rskjޢ>w߽ ?Xf8mTEK\ߤ~Am;t =4mMfNHB ~}@~kfwD%x_'Щ=ѩ€wɔZiZلܗ>}~qb[ .hqLIlP$ȁ_M¦͂%HCxGu)tC(DIږyD6GǮJ;ߣ*#7 ݙx8/DeO‡d^b{Aq<5;^;0k}BQ5w0NK <[_w@Sա*v25vkn/E@^cBȡ[Rh=7d7){"-,w2K*-aȵ :9zu v}jDJ73g }KH;R@}k {>5I ib1lp:JH n> \ G0/56`?Ķh…p\.:!뺷}=-:ҍ}4 .j.9am S P2zhNt,`_eY7;Ͱ-P6#MTZ]QJrG╇C`[©;hvnTUMSe{~] !GA GmGh[I#ZIkP\vOnzـ\>v..ɣ-N.|'[oLV)UjT:( Ԙ:b= u+P%opK(ivdf1{PdXIc/YTUi w;ǃSҹtnotNΏo3do̲5ZMӀ Zvf#?[ ֫۳ۗkiOz7{#+|r>5M0\ܱ¬:֪o~97cs'^Ϗ3S?&:aZ+땆~Ffw2t!޺p|=!IoK'|:8%8\^Cj ݖUB_*DȏKŗG)LY4C ! ,тmdƩ$|ǺzN3ߜjmT7oh2 f4 .έfh- @ho*K>LrM&@Sk~$GM\sb.L22z)6-`i˫ TE嗋mESi>]Q4{3Bɽ`g@ɋ BD?CC0!pl/\~_M.Qwڪ9Q[ k+\M흛ǘ\zLZgM{W~xD18,]evr`\\Է7ZORQ^Tr[h S2ud8԰1nұ>âx?0Mt3ϼ#|>55G㤞F!|БdmxqZ.s+ԍEXn`6h q٭mE%_¤<  fAki$>6(Z\?` VCf@B랂9׿ޚA"Qޚґ4a qj 8=*~s=w}   @lߣ5#~[-[Y6x O͹A }(~9-RC/1""D% R h4AZǰEBENA77;.V+\y"*m':.܉;T+Jd&3,BV-KїPf%i2khƺń(VFN1|(0Vf)RبQm7eH:|:ioBg< 0 Һ:-$mXSLF0pq<39`'<7,kS@la} / a Sn6O)tsf9`ZƔWj>!4ӇiЈ4X}5SN`cܑ^̜07ÚL ~D虅m>`T4fsSڶESc7UBsNHB/W2 \_&AB5 6d:ɤPl';oWf?ΖMkͲ'{_No6ʁy2KmVJg@x# l+/,;7kc:*+_iihH*E6@\Z3,c %.␘ W0Z46pȞZcnP jrI))KaW4E%sXf&`ܱ &P wS~8;[0P!k^GgVu<]|$}r;C6 p>x>JeHכABS CO5,v&ff:X[' +ȁUzqڋgpp0uVׅ=- ._8g7i+@oLsCm0 ǖ "^l"{_=)V}B~. iO5 &^PGe d^ `M`Rc׶݇| :lF֝BQڞ>-B.-g \\ipf^EZLhKgAqA0*L\y.rV~ 2qÝa&1 DR)Ö13wdio&{םT'咢TS< ֚pDr@uߘʓ@gӐah"pHEAxZhp B@U.)L-9Iz -[ hg [Qzn3Cz+ `RI?I BL!2Bsݧ}=1g匬`"{ lRPZUU+Zp~W`s<(yO?b5xx /OqCvPClKgƐRz7t1ܦ;pKsSp)c# ,c`7 $̮fG` cCTҔgDF(/9 .+TNjZ|jGVQ=/YQwSfa "S+0j7jր[}n)rdd8+ё,Xr]TՑG7`wg*Q :@!G:0=X,()y9]Q˶+ZЁ P},5u<X\[``!> ~6f8f&af4Y[ ⦪ʾ_iWg%|h#QL ` K{ZCA;eSt}p@b#RiCݜ5o"uy@VIJYhQVl\ڡqm(}^L:޼?~EBo';7 Aɴ(56|o r)ߦI39旉)/hy6檦URd,4Ω"6f ĮiϺV&>e>c'^}QApaqgX7| UI%T[b=J9ޣ06@yI @ QZ`Y V8g{}Dpwԫ04R΁MOT%0=@" c].g}]٘y4>ʐ>hxG2gdY JhUm{\ cw2|]>?/$*RIv+Ձ5΀LdV֪EzXz,)uzd&RrCE7uȋ­7:6P$#I P*~JeP'Iuzf*kZQR޾*Ꝗ4rO,ش,>6W"h -z; ez(̖ O%4e%3E/쎸-9DXxbQ{lrK{]wѾ@8'̕%$MX5\=QDu Z:̏T)wsVR$I; g?amE:JbI*N=ym5ucf`<#ɟ?9qwP7|$o>eM+v@lkZpW|L2M: Gr@ ɲ\' ׫UVj8J3Ay vBs=I<CMM8qc oR9 "_K84J xϰL'JUVqc?3 cS7׏Z]{ E D@D;n?% ?S-l8-F:~ݕDw{vO燤}@:k_v/>&~f?Н :w!aa="A`Wǽ4.Jݫ?I7WR&FøDo9)P K #E1>bt߫]=/coۧݫ a= F["^9 K}{%d}һxG{ՑҽN zs=ADHC䄬W!yN.:FS̠o2XGX?ֈdȰ3"m@PKsÙb9ki.Dzt_5g0T h#)۵coc( V`!1t|PV# (ʑ=`=` n)>\b/z$B 0F_Th)W4fuSxv9ݴ9S%j7"EJN~N[ҷoDWs7|ExW(x,VfsF;.1?xԾCz?"Y^3_Ow jE p!ZIS"9oթ-tOӖO|BaJ;TLa:߄u?I{uYغ[ΘhI3:%Ic 5m$jZ3fj# $_:JI"v+6hl(lA jSÚ]e .^߹m|`M`l)ZQ!|Nr a=i_D`e>R%;yQb}b%h4eW&Bzc'?<@s`*伨6SѨIl7spu"?h9c7:^jG/sy"O+:Y-,':]@!_GoYM21/ȄKԍ)A/x9GQ r0xf&4NlEWy/("+xYESrk]O}4]vY͠y{do&|)s'AޚuhaJofm5a4 ݣoR:i?{޽sҾ2CWq [:i)`* 94DhH^ݍ X"2NIJa/>8zdM#}ӹJfyӼ2hɘAxl7B_7C]pb_sT xB`o~ϤW*]c*w}ﰧ}VZtC.qF Vd/)&%n.e LM OKt1ڮ/=اHYXdbSOفo 1O O=qԱىE|Syg!,daзF0[)=)$Ιd<J;oݭnM ^L "A;&JX۴ rUCaK_&,0y0pLVa ~R~6 ߊ;bE#Ƴtǟ-ۊS򽵢rp:y WS M[k/!1 %]Kдg=.0(yS/4 FK[⹏^}:lOo %~!Й*Ͷ-CY#`"rR !e>;'d9m\ݝ'&فR ^/w@;y-NJ%,㗋/*3Iom]U0{|+29j<>hM\~ ,'tie_h"5'$_c*c,Hfsd a0 F~_re`><;rz3v ch(_!<H,2RpUI0=7E 3EbfFJl ^QBx%;F n*r:-Ʉ/Y8n`G`,LJ¢1sI@$Mjr_D? :K2ja4pW[H&&'Ĕ Td!g/ikRuLJC1EqT=zg[qvP?v:gYMlT F_p%̫|&5X%{ Oʅ.ɼnvA%$=7 VY%:_S-9q`q-:_Jq);<T +GHN~8lewXrf5x;9˰a2BnS?ZEϙ$) KF0YMGfdLrɠlZԎaeE?E({#Xb tīyNOT'@m&}ijJOR{*'oo9ՊtS .Cd%Gve+ɰ\ !ytEoH4 $8X1xt VlAHnq;E.` ftŇYAҔ\AIQٴh=  ހHT%_ަ尢|VLأv\rtg_,1?MKW6o31ΈE8mģCvhK5Qz,rH 閎p" u=:APɎT-5T3 "D |lipKd[[V܉gJZe[)tR:60A,v О r0Dv0(K@SpOQC@Ġ@}l h3]؉jI-U^}<‹Ԑ sRGKa5"^#k_̓`[.>]gֶB7'D}Kg.rpR!}2wH# `:Ik TvD_$뚜^DӠ+^ju[^:aDžWbp;CQ&+6C|E  . b%3iz{eM vO||B.,JY-^LTkx-Ix[A6Pq7FH׮m9lt Jr-ͮ7K&ɼI77O>}GorkJ[2 E>=۹zRUc k[$!\XwH~ٰH7Tn4ʵ @H;[Js,&kPҫxU D@^gw\IJf[#qjo9x/1<"Ebڦ) l+^NJx%40[u>w:KjxQی.H<TT0ӅɝKBj[A=I"6,jeU7 R!4 DĴa;]B;D|%վZkK>/,&0}s' [wnB,%utc*BtixLi_2bfi4aW \% 6 >O$i=-\SX2Jn£1mc i/.,'@HF!\`^A.xqXD"HKrw`SsBk2RyUZzmﻴJ~}}}~j5bCU.f{P(pGnSdl,}g4oVc\R6-B`" j &G_o{[]ⷺIz.B?6Ak4W&DDmomYK6b03Np37q>IQ B.!!92!Wۓ"EmQ[sot\۝,R ;TvPϟp@Fk⸿dí[ѓ| CwVhm\]en\Aţ!{6p'Vy*<{vHO_ ĵ?9@UxrEDR|WV =ǿ=(7WoiT'?ݘ(u۫ΠB Ρk?0 ܘxmn$?h۾a+@mն-0'Eq2f{ m~[1+tӕtToJYn&VC}__}&<>yGHj|ubCv4t86e䋦3&e&Sj νko(jc {jW闶U±O}Kȼ Xnm^NړuYİO刋%X ъ#;Ћg&dm vEtlq˶~>›&VCrя"rqhoT⯠œjgϡ?:K/ ؝0< I77^G%Hku"7v?C* O2ۆ=a)G)E1;  F(oCu&n[{S揩 eT= ? K2S^|Oy4t£4OaR-,:'7~ "E <7ť=9=vq m.O2=aUňk)'>?H-5>^G K^b,\ B,6։aDٍȡ-cb 1ʵm <ߋ! Zl?QX2!_ /)_V6LWPREm.MEfIȢDE\1]CՔ^r~^ :VXuV%d˘xVH=Қ0&^OE*ނ0H>PS_E UH+4p>O|Yki/kO6j!ɓ`5Z/k]T;Xif{yj+n-{sxb(ͪNTpdݺةRc-*<);,Oue^vM%dn& ~iXp>H':t}jh ܇TʹJ y4vzVGZIj[0|]SjZ <QmF#9Қx,T_H֞uvü`Z~kQ 'gq\zW 8p!uԮ,ve@N "8<뻿3^Q"6c-y6;^52ai7t]kt+ 7s>KaADνz??r}{ι9`Vm$MZH9U!7TP][ƏbD))o3윶AKOkטPtr҉8Ϙ" \ ЭB9ϪͲ;IoP}sY?e=a ' 2u?|yBJG=Jm~#dM-ãd|U:i|%w;ҥn,ߜM1_=o ɀ XPpCMI9T~:Nd>MYx\Jӑu o`|$z̥7f{@qq 81q,Ye%+փފ> sF@Yf!s<L]YUc `xG$!V~hw/U :7} d#/9k MCߑ?ŝ 죇B7V0K9asH ]\W\Afx98QnHs.clк|ŧtS_#m#!k^KΑQwFsU_i(%Z^尟aD9p=S1-0ȘhD MQ HxLirtN4%"ήt 5"  B-n#BLk<3DD^r {fĔy9d6f6A|2|u[? T6CĊ1gOiX$_@γF $N1XJECY`U@y+LB͂z‚Gx*~jJ͍$u~vK .X`,2E<Cep?,GyGaa2?yM:a"棙b\]:oN5kr H:yUss!aZ;:QB<ⱴP <'l6.Hol u7@fBh),f,՚RD&u]C !2,S=VJȽ<+zAuLTo)UH+^@0Y3:%@0>6#&Tw`9ZOwC!ۻ"ǝ-s¶-j=uN??u:7ݫAuf0ca慾,Ǜ,# rvվ0;eNq(gM B*rKxu" /W%qx&NYtOPJTَ/!jb\Sm09ot}-ZI-;YN|vW#'uƳ˜6A{c>6 5N>Mo )ns9UЊLjV}Q}xS S+S~7OrʑO(?\~9ˡ{6w i=)usUN9_/OPisȁ]2g|./e|e}/>9/sKD#)?Ar/2*g|@~r *gz^N{z9_?s޿y&?>7??}ᯏP1GBm^9mB9_zy9r־ƅ۩qNy:JE5rXB]7%{'sg+I4]a芫-5n ǤZuvņ^_A5KHe^ۛLCGP/<*Y}Mʱ 4rk 7[yDYII{2}tEi>riDLwe<_[nNJ>K\ȜHWɴ&Vی f |,y|8SNtw17 }^1B8 gvt{zUtKn ] x[ %>  #r75i\oxg?9/yd֦WVFZkp'k͠6KֈH>Y7 xЧx.؇ ߚč,z %h00(\/F>g<[`?Znamoz} `tn{gd닰Y JÙ#ш~ǰ+L 29"9GqLP[tC=ѯF.d DN͡a[;$o>eM+5VkZpWrDa3"BS]FTMVYi2ZUiT5rF(2B4|;یW57tS+r&]\ŠMCao/a+FöpZ';=4d9?MqgIB{PoO6-ĠG8ў#wˡB~ 22VHg'ՇoR0 lE/ڳQxCJ,,TwjcFP ~@:X~ snw0aŘSkCMHn_!]/Ɣ-˃a-yB7`pb#~YEƱ`˫)C0H½S1s86+c]tR - Z}nwV\dkR8E< !$̸fLe~Of@L V$u8>t zCcjd9Yk +cP<Pಓ_b'cey&f5b P|_|a9GvfQC͞"3%L#i_g\$&a"c'x M?) 9F0{P΢<>x$"2H 2s{F|%ԄZ{JfBZ7>\Włߜ#,zH𵝦^̀ԛZd5\Aո 6L=;W ^{#D3dƨz<RƠ#)e h kk#t^wkdU9Hz&zu x$^6=k"1: gKCJ'tw[o-\DR%&iw[1:dt;j$ŗM\s<XD=$y5|o,Gwfgs% #]^Π&bO_wnԷe&PLc)Jqi&ȥIG*K7"%ioPm <% *`>=.X";>m<'.}Nu;J' "@2drtPŗ;wi3F)f'NFp)hENF o.^sƠ`{e75SF =哳"ECӯ3|לk 0umr?{s\9,C c|Ʋcv9aR[W`0.<,(`F,$v"V7vsh{h۟sTHهl&~&TH.#Yl{ۺЃT~t=^OW{zC%ȕ/-F#|oUAYfSժZ-Ni|ۊ#iQg8&rYOJ^>۽wz"f/ROa6%s|N1Kik.^ϦO*LΗ kq>lgLp -ϱ=RZ`'l/Z?O;'