Technical Description

A vulnerability has been identified in IBM DB2 Universal Database, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system. This issue is caused by a buffer overflow error in the DB2 JDBC Applet Server (DB2JDS) service when processing malformed requests sent to port 6789/TCP, which could be exploited by remote attackers to crash an affected service or execute arbitrary code with elevated privileges.

Note : Two other vulnerabilities exist within the handling of malformed packets, which could be exploited by atackers to cause a denial of service.

Affected Products

IBM DB2 Universal Database versions 9.x
IBM DB2 Universal Database versions 8.x
IBM DB2 Universal Database versions 7.x
IBM DB2 Universal Database versions 6.x

Solution

Upgrade to DB2 UDB version 8.1 FixPak 15 (8.2 FixPak 8) :
http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg24016650

References

http://www.vupen.com/english/advisories/2007/1707
http://www-1.ibm.com/support/docview.wss?uid=swg1IY97750
http://www.zerodayinitiative.com/advisories/ZDI-07-056.html

Credits

Vulnerability reported by ZDI.

ChangeLog

2007-05-08 : Initial release
2007-10-10 : Updated Description and References

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.