
Secunia Advisory SA26471

IBM DB2 Multiple Vulnerabilities

Release Date 2007-08-16
Last Update 2008-07-11
   

Criticality level Moderately critical
Impact Unknown, Security Bypass, Privilege escalation, DoS, System access
Where From local network
Solution Status Vendor Patch
   
   
Software:
IBM DB2 9.x
IBM DB2 Universal Database 8.x

CVE Reference(s)
CVE-2007-4270
CVE-2007-4271
CVE-2007-4272
CVE-2007-4273
CVE-2007-4275
CVE-2007-4276
CVE-2007-4423
CVE-2007-4417
CVE-2007-4418
  

Description

Multiple vulnerabilities have been reported in IBM DB2, some of which have unknown impacts, while others can be exploited by malicious, local users to bypass certain security restrictions, perform certain actions with escalated privileges, and gain escalated privileges, by malicious users to compromise a vulnerable system, or by malicious people to cause a DoS (Denial of Service).

1) Race condition errors when modifying symbolic links can be exploited to e.g. modify arbitrary files with root privileges.

2) An input validation error when using environment variables to save event information to a log file can be exploited to e.g. create arbitrary files on the system.

3) Errors when handling files with elevated privileges can be exploited to e.g. create or append to arbitrary files on the system.

4) Certain unspecified setuid-binaries create directory structures insecurely. These can be exploited to e.g. create arbitrary world-writable directories via symlink attacks.

5) Input validation errors when using environment variables to execute binaries or load libraries can be exploited to e.g. execute arbitrary code with root privileges.

6) A boundary error when processing certain unspecified environment variables can be exploited to cause a buffer overflow.

7) A boundary error in the sysproc.auth_list_groups_for_authid function within Base Service Utilities can be exploited to cause a stack-based buffer overflow by passing an overly long value (greater than 40 bytes) to the affected function.

This vulnerability is reported in version 9.1.

8) A user may still be able to execute a method even if the privileges for the method have been revoked.

This vulnerability is reported in version 8.

9) An unspecified error related to incorrect authorization checks has been reported.

This vulnerability is reported in version 8.

10) Unspecified errors exist in db2licd and in the OSSEMEMDBG and TRC_LOG_FILE environment variables.

11) A boundary error when processing the DASPROF environment variable can be exploited to cause a buffer overflow.

12) An unspecified error exists during instance and FMP startup.

13) An unspecified error can be exploited to crash the DB2 server via a malformed connection request.

This vulnerability is reported in version 9.

The vulnerabilities are reported in versions 8 and 9.1, unless otherwise indicated.


Solution
DB2 Universal Database 8:
Further details available in Customer Area

Provided and/or discovered by
1) Joshua J. Drake, iDefense Labs
2) Discovered by an anonymous person and reported via iDefense Labs.
3) Discovered independently by:
* Joshua J. Drake, iDefense Labs
* An anonymous person, reported via iDefense Labs.
4) Discovered by an anonymous person and reported via iDefense Labs.
5) Discovered by an anonymous person and reported via iDefense Labs.
6) Discovered by an anonymous person and reported via iDefense Labs.
7) Ariel Sanchez, Application Security Inc.
8)-13) Reported by the vendor.


Original Advisory
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21268189
http://www-1.ibm.com/support/docview.wss?uid=swg1IY88226
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940
http://www-1.ibm.com/support/docview.wss?uid=swg21255352
http://www-1.ibm.com/support/docview.wss?uid=swg21255607
http://www-1.ibm.com/support/docview.wss?uid=swg1IY99261
http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
http://www-1.ibm.com/support/docview.wss?uid=swg1IY97936
http://www-1.ibm.com/support/docview.wss?uid=swg1IY97922
http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01828
http://www-1.ibm.com/support/docview.wss?uid=swg1IZ00188

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=578
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=579
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=581
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=582
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=583

Application Security Inc.:
http://www.appsecinc.com/resources/alerts/db2/2007-01.shtml
