Secunia

Some vulnerabilities have been reported in DB2, where some have an unknown impact and others can be exploited by malicious users to perform certain actions with escalated privileges, and by malicious people to cause a DoS, bypass certain security restrictions, or potentially compromise a vulnerable system.

1) An unspecified error related to the processing of CONNECT and ATTACH requests can be exploited to cause a DoS.

2) An unspecified error exists related to the DB2FMP process. No further information is currently available.

This is related to vulnerability #3 in:
SA29784

3) An unspecified error in the DB2JDS service can be exploited to cause a crash via specially crafted packets.

4) A boundary error in DAS server code can be exploited to cause a buffer overflow and may allow to cause a DoS or execute arbitrary code.

5) An error in "INSTALL_JAR can be exploited to create or overwrite arbitrary files on the system.

6) Views and triggers are not dropped and marked inoperative within the Native Managed Provider for .NET if the definer cannot maintain the objects.

7) An unspecified error can be exploited to connect to DB2 databases without a valid password if ldap-based authentication is used and the LDAP server allows anonymous binds.

The vulnerabilities are reported in IBM DB2 version 8 prior to Fixpak 17.

Solution
Update to Fixpak 17.

Provided and/or discovered by
Reported by the vendor.

4) The vendor credits Diego Bauche, Application Security Inc.
5) The vendor credits an anonymous researcher working with iDefense.

Changelog
Further details available in Customer Area

Original Advisory
IBM (IZ08134, IZ20350, JR29274, IZ22004, IZ22142, IZ22287, JR32273):
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT
http://www-01.ibm.com/support/docview.wss?uid=swg21323084
http://www-01.ibm.com/support/docview.wss?uid=swg21318189

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area