Published:2011/03/04  Last Updated:2011/03/30

JVN#16308183
IBM DB2 vulnerable to denial-of-service (DoS)

Overview

IBM DB2 contains a denial-of-service (DoS) vulnerability.

Products Affected

  • DB2 for Linux, UNIX, and Windows Version 9.7 FP0 to FP3a
  • DB2 for Linux, UNIX, and Windows Version 9.5 FP0 to FP7
  • DB2 for Linux, UNIX, and Windows Version 9.1 FP0 to FP10

Description

IBM DB2 contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE).

Impact

An attacker that can create or execute stored procedures may cause a denial-of-service (DoS).

Solution

Apply a patch
Apply the appropriate patch according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.03.04

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication a particular login or set there of is required (root, bin, etc.)
  • Low
User Interaction Required the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures

Comment

The "Authentication" section of the analysis was performed from the point of view of the affected product's administrative privileges.

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2010-4476
JVN iPedia JVNDB-2011-000016

Update History

2011/03/04
Published in English.
2011/03/28
Information under the section "Solution" was modified.
2011/03/29
Information under the section "Vendor Status" was modified.
2011/03/30
Information under the section "Vendor Status" was modified.