IBM Db2 Vulnerabilities Left IBM Database Installations At Risk Of Hacks

IBM patched a couple of serious vulnerabilities in the previous week in their Db2 database installations. These IBM Db2 vulnerabilities could allow an attacker to execute arbitrary commands with admin privileges. The vendors have advised the users to update their respective machines to stay protected from potential cyber attacks.

IBM DB2 Database Vulnerabilities Spotted

As disclosed recently, a couple of IBM Db2 vulnerabilities could let an attacker take over the targeted systems. IBM has published separate security advisories regarding the flaws.

The first of these vulnerabilities is a privilege escalation flaw that could allow an attacker for arbitrary code execution. As explained by IBM in their advisory,

“IBM Db2 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code.”

Allegedly, a researcher from Beijing Dbsec Technology Co., Ltd., Eddie Zhu, discovered the flaw who then reported it to IBM. To exploit the bug (CVE-2018-1897), an attacker with local user access could elevate user privileges by running specially crafted applications.

The second vulnerability existed in IBM® Spectrum Scale. According to the description given in IBM’s advisory,

“IBM Spectrum Scale could allow a GPFS command line utility allows an unprivileged, authenticated user with access to a GPFS node to read arbitrary files available on this node.”

Patches Released

The vulnerability CVE-2018-1897 allegedly affected the IBM Db2 versions 9.7, 10.1, 10.5, and 11.1. The vendors have patched the flaw in V11.1.4.4. Whereas, for the other editions, the users can download the corresponding fixed editions: Db2 V9.7 FP11, V10.1 FP6, and V10.5 FP10. Regarding the other bug CVE-2018-1723, IBM stated,

“All fix pack levels of IBM DB2 V10.5 and V11.1.1 editions running on AIX and Linux are affected, and only for those customers who have DB2® pureScale™ Feature installed.”

For fixing the flaw, the users of DB2 V10.5 can obtain the GPFS efix 4.1.1.17 efix 8  by contacting the technical support at IBM. Whereas, the customers of DB2 V11.1 can download the patched version V11.1.4.4.

Let us know your thoughts in the comments section.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients