IBM patched a couple of serious vulnerabilities in the previous week in their Db2 database installations. These IBM Db2 vulnerabilities could allow an attacker to execute arbitrary commands with admin privileges. The vendors have advised the users to update their respective machines to stay protected from potential cyber attacks.
IBM DB2 Database Vulnerabilities Spotted
As disclosed recently, a couple of IBM Db2 vulnerabilities could let an attacker take over the targeted systems. IBM has published separate security advisories regarding the flaws.
The first of these vulnerabilities is a privilege escalation flaw that could allow an attacker for arbitrary code execution. As explained by IBM in their advisory,
“IBM Db2 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code.”
Allegedly, a researcher from Beijing Dbsec Technology Co., Ltd., Eddie Zhu, discovered the flaw who then reported it to IBM. To exploit the bug (CVE-2018-1897), an attacker with local user access could elevate user privileges by running specially crafted applications.
The second vulnerability existed in IBM® Spectrum Scale. According to the description given in IBM’s advisory,
“IBM Spectrum Scale could allow a GPFS command line utility allows an unprivileged, authenticated user with access to a GPFS node to read arbitrary files available on this node.”
The vulnerability CVE-2018-1897 allegedly affected the IBM Db2 versions 9.7, 10.1, 10.5, and 11.1. The vendors have patched the flaw in V184.108.40.206. Whereas, for the other editions, the users can download the corresponding fixed editions: Db2 V9.7 FP11, V10.1 FP6, and V10.5 FP10. Regarding the other bug CVE-2018-1723, IBM stated,
“All fix pack levels of IBM DB2 V10.5 and V11.1.1 editions running on AIX and Linux are affected, and only for those customers who have DB2® pureScale™ Feature installed.”
For fixing the flaw, the users of DB2 V10.5 can obtain the GPFS efix 220.127.116.11 efix 8 by contacting the technical support at IBM. Whereas, the customers of DB2 V11.1 can download the patched version V18.104.22.168.
Let us know your thoughts in the comments section.