Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    New DB2 Flaws Could Prove Troublesome

    By
    Dennis Fisher
    -
    September 17, 2003
    Share
    Facebook
    Twitter
    Linkedin

      Security experts have discovered two new vulnerabilities in IBMs DB2 database software, both of which allow an attacker to gain root privileges on vulnerable servers.

      The weaknesses are potentially quite dangerous, considering that DB2 is one of the most popular enterprise databases, especially for e-business applications. However, the flaws can only be exploited by local users, so the risk is mitigated somewhat.

      The vulnerabilities lie in two binaries that ship by default with DB2: db2licm and db2dart. The former is the license management tool for the database and is used by administrators to install license keys and set license policies. The latter is a consistency and error-checking tool that can be used to identify and mark incorrect data.

      Both flaws are stack-based buffer overruns and can be triggered by sending long command-line arguments to the vulnerable binaries. Once a local user executes the attack, he would have root privileges on the machine, giving him the ability to run any code he chooses.

      “These are classic stack-based buffer overruns and are not too difficult to exploit,” said Ivan Arce, CTO of Core Security Technologies Inc., the Boston-based penetration testing company that discovered the vulnerabilities.

      The weaknesses are known to affect version 7.2 of DB2 on Linux systems running on either x86 or S/390 architectures. Its possible that the vulnerabilities might also affect DB2 implementations on other Unix-based systems, Arce said, but Core Security has yet to test any other systems.

      IBM has developed packages to fix both flaws, which will be available for download shortly. FixPak 10 repairs the flaw in db2dart and 10a addresses the problem in db2licm. FixPak 10 is currently available on the main DB2 Technical Support page on IBMs site. However, 10a is only posted on an FTP site right now, but should be posted on the FixPak page soon.

      Core Security has developed some sample code for these vulnerabilities, which can be used to confirm whether a system is at risk. The code is contained in the companys advisory on this issue, which will be posted on its Web site Thursday.

      Discuss this in the eWeek forum.

      Dennis Fisher

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×