ADMIN - Explore the new world of system administration! Special introductory offer! Order by September 30th to save 10% off the regular subscription price! Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:
network security
system management
troubleshooting
performance tuning
virtualization
cloud computing
on Windows, Linux, Solaris, and popular varieties of Unix.
iDenfense security service reports six vulnerabilities in IBM's DB2 database.
The issues were discovered in versions 8 and 9 of IBM's DB2 database solution. The CVE IDs CVE-2007-4276, CVE-2007-4275, CVE-2007-4273, CVE-2007-4272, CVE-2007-4271 and CVE-2007-4270 have been assigned. The first vulnerability triggers a buffer overflow in the database when an attacker specifies a specially crafted string via certain environment variable (issue 4276). The attacker could gain the ability to execute arbitrary code. The second vulnerability (4275) gives attackers the ability to load or run their own binaries when entering a search key.
Another critical error (issue 4273) is cased by vulnerable setuid binaries in DB2. An attacker creating specially crafted symbolic links on the system could trick the system into following the links when creating new directories thus opening the system up to the attacker who would possess full write privileges for the new directories.
The remaining vulnerabilities are all related to faulty file and directory management and could allow attackers to gain root privileges. Details on all vulnerabilities are available from idefense. IBM has responded by releasing fixes to patch the vulnerabilities in both versions of the database (Fix for Version 8, Fix for Version 8).
Comments