Multiple vulnerabilities in IBM DB2
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2017-1439 CVE-2017-1451 CVE-2017-1519 CVE-2017-1438 CVE-2017-1452 CVE-2017-1434 |
| CWE-ID | CWE-264 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM DB2 Server applications / Database software |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU8215
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1439
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper privilege controls. A local attacker with DB2 instance owner privileges can obtain root access to the system.
Install update from vendor's website.
IBM DB2: 9.7 - 11.1.0.0
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_db2:9.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_db2:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_db2:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_db2:11.1.0.0:*:*:*:*:*:*:*
https://www-01.ibm.com/support/docview.wss?uid=swg22006061
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Privilege escalation
EUVDB-ID: #VU8216
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1451
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper privilege controls. A local attacker with DB2 instance owner privileges can obtain root access to the system.
Install update from vendor's website.
IBM DB2: 9.7 - 11.1.0.0
CPE2.3https://www-01.ibm.com/support/docview.wss?uid=swg22006061
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Denial of service
EUVDB-ID: #VU8217
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1519
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to input validation flaw. A remote attacker can supply particular configuration using SSL and an alternate gateway setup to cause disruption of service for Db2 Connect Server setup.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
IBM DB2: 10.5 - 11.1.0.0
CPE2.3https://www-01.ibm.com/support/docview.wss?uid=swg22007183
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Privilege escalation
EUVDB-ID: #VU8218
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1438
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper privilege controls. A local attacker with DB2 instance owner privileges can obtain root access to the system.
Install update from vendor's website.
IBM DB2: 9.7 - 11.1.0.0
CPE2.3https://www-01.ibm.com/support/docview.wss?uid=swg22006885
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Privilege escalation
EUVDB-ID: #VU8219
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1452
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges.
The weakness exists due to improper privilege controls. A local attacker can obtain root privileges and overwrite DB2 files.
Install update from vendor's website.
IBM DB2: 9.7 - 11.1.0.0
CPE2.3https://www-01.ibm.com/support/docview.wss?uid=swg22006109
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU8220
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1434
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the connection string is written in the clear in an error message to db2diag.log. A local attacker can read highly sensitive information in the error log.
Update to version 11.1.2.2.
Vulnerable software versionsIBM DB2: 11.1.0.0
CPE2.3https://www-01.ibm.com/support/docview.wss?uid=swg22005740
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
