[VIM] Recent DB2 Vulnerabilities

Steven M. Christey coley at linus.mitre.org
Sat Aug 18 21:05:56 UTC 2007


On Fri, 17 Aug 2007, George A. Theall wrote:

> Has anyone had a look at the recent vulnerabilities in DB2 announced by
> iDefense? Does anyone know how they map to IBM's APARs?

This collectively gave us fits.  I was the assigner of the original
CVEs, and used best-available information to merge or split iDefense's
various advisories, pre-disclosure.

Post-disclosure, Bill Heinbockel emailed the iDefense people, and Josh
Drake was able to give us enough information to map between CVEs and
APARs, using private iDefense information to correlate.

Accordingly, we are treating iDefense as the authoritative source in this
case.

Below I've got CVE-to-APAR mappings, APAR-to-CVE mappings, and CVE
descriptions with our analysis fields that will explain more of the
rationale.  We also have a couple "spare" CVEs for DB2 that don't seem to
be associated with any iDefense advisories (CVE-2007-4423 CVE-2007-4418
CVE-2007-4417).

Finally: CVE-wise, this is an extremely complex disclosure, so there's a
small chance that we have an error in here somewhere.

- Steve

===== CVE to APAR =====

CVE-2007-4270
  AIXAPAR:IY98210
  AIXAPAR:IY99261

CVE-2007-4271
  AIXAPAR:IY98210
  AIXAPAR:IY99261

CVE-2007-4272
  AIXAPAR:IY98011
  AIXAPAR:IY98101
  AIXAPAR:IY98210

CVE-2007-4273
  AIXAPAR:IY98011
  AIXAPAR:IY98101

CVE-2007-4275
  AIXAPAR:IY97922
  AIXAPAR:IY97936
  AIXAPAR:IY98176
  AIXAPAR:IY98206
  AIXAPAR:IZ01923
  AIXAPAR:IZ02067

CVE-2007-4276
  AIXAPAR:IY97346
  AIXAPAR:IY99311


===== APAR to CVE =====

AIXAPAR:IY98210

  CVE-2007-4270
  CVE-2007-4271
  CVE-2007-4272

AIXAPAR:IY99261

  CVE-2007-4270
  CVE-2007-4271

AIXAPAR:IY98011

  CVE-2007-4272
  CVE-2007-4273

AIXAPAR:IY98101

  CVE-2007-4272
  CVE-2007-4273

AIXAPAR:IY97922

  CVE-2007-4275

AIXAPAR:IY97936

  CVE-2007-4275

AIXAPAR:IY98176

  CVE-2007-4275

AIXAPAR:IY98206

  CVE-2007-4275

AIXAPAR:IZ01923

  CVE-2007-4275

AIXAPAR:IZ02067

  CVE-2007-4275


AIXAPAR:IY97346

  CVE-2007-4276

AIXAPAR:IY99311

  CVE-2007-4276

===== CVEs not associated with iDefense advisories =====

CVE-2007-4423

CVE-2007-4418

CVE-2007-4417



======================================================
Name: CVE-2007-4270
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4270
Acknowledged: yes advisory
Announced: 20070816
Flaw: race
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=578
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98210
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
Reference: AIXAPAR:IY99261
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY99261
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Multiple race conditions in IBM DB2 UDB 8 before Fixpak 15 and 9.1
before Fixpak 3 allow local users to gain root privileges via a
symlink attack on certain files.


Analysis:
MAPPING: The iDefense to IBM mapping was assisted through e-mail
coordination with iDefense.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents
say "Symlink Security Vulnerability when DB2 opens files, running as
root." An APAR search for IY99261 or IY98210 provides a truncated
"Local exploitation of a design error in DB2 could allow an attacker
to elevate privileges to root when DB2 opens files," description. The
APAR documents are not readily available.

ACCURACY: This is a resultant symlink issue, not primary, since the
product does test for whether the file is a symlink. However, there is
a race from the point when the product checks the file and when the
file is actually used.


======================================================
Name: CVE-2007-4271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4271
Acknowledged: yes advisory
Announced: 20070816
Flaw: dot
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Directory Traversal Vulnerability
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=579
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98210
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
Reference: AIXAPAR:IY99261
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY99261
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Directory traversal vulnerability in IBM DB2 UDB 8 before Fixpak 15
and 9.1 before Fixpak 3 allows local users to create arbitrary files
via a .. (dot dot) in an unspecified environment variable, which is
appended to "/tmp/" and used as a log file.  NOTE: this issue might be
related to symlink following.


Analysis:
ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents
say "Symlink Security Vulnerability when DB2 opens files, running as
root." An APAR search for IY99261 or IY98210 provides a truncated
"Local exploitation of a design error in DB2 could allow an attacker
to elevate privileges to root when DB2 opens files," description. The
APAR documents are not readily available.

ACCURACY: The attacker does not have control of the data contents,
only the destination file. No specific environment variable was
mentioned.


======================================================
Name: CVE-2007-4272
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4272
Acknowledged: yes advisory
Announced: 20070816
Flaw: unk
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Multiple File Creation Vulnerabilities
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98011
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98011
Reference: AIXAPAR:IY98101
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98101
Reference: AIXAPAR:IY98210
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Multiple vulnerabilities in IBM DB2 UDB 8 before Fixpak 15 and 9.1
before Fixpak 3 allow local users to create arbitrary files via (1)
unspecified vectors where an attacker's umask is honored, (2)
/etc/ld.so.preload, (3) certain "cron data file locations", and other
unspecified vectors possibly involving the (4) OSSEMEMDBG or (5)
TRC_LOG_FILE environment variable in db2licd (db2licm).


Analysis:
ABSTRACTION: This is SPLIT from the "Security vulnerability in db2licm
and db2pd tool" issue because there is apparently different provenance
(IDEFENSE versus unknown).

ACCURACY: The swg21255352 and swg21255607 documents, and the AIXAPAR
titles, say db2licd. The bodies of the AIXAPAR documents say db2licm.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents
say "SECURITY: Security vulnerability with db2licd, and the OSSEMEMDBG
and TRC_LOG_FILE environment variables." The APAR documents state
"Local exploitation of a design error in DB2 could allow an attacker
to elevate privileges to root and/or create or change files which the
instance user does not normally have access to when running the tool
db2licm, or by using either the OSSEMEMDBG or TRC_LOG_FILE environment
variables. This problem does not apply to Windows systems. ... This
problem was reported to IBM by an anonymous researcher working with
the iDefense Vulnerability Contributor Program (VCP) and Joshua J.
Drake of iDefense." This seems somewhat similar to CVE-2007-1086,
CVE-2007-1087, and CVE-2007-1088, all of which relate to IDEFENSE
document 481. However, there are a number of discrepancies. First,
these three candidates map to AIXAPAR:IY94833, which says UNIX, Linux,
and Windows. Here, Windows is not affected. Second, IDEFENSE document
481 says that Joshua J. Drake was the discoverer. Here, the
information is "an anonymous researcher working with the iDefense
Vulnerability Contributor Program (VCP) and Joshua J. Drake of
iDefense." Third, AIXAPAR:IY94833 indicates that 9.1 Fixpak 2 has a
fix, and here the fix is in Fixpak 3. (Admittedly, the DB2 UDB version
8 aspect of the fix might conceivably be the same.)


======================================================
Name: CVE-2007-4273
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4273
Acknowledged: yes advisory
Announced: 20070816
Flaw: other
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Directory Creation Vulnerability
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=581
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98011
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98011
Reference: AIXAPAR:IY98101
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98101
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows local
users to create arbitrary directories and execute arbitrary code via a
"crafted localized message file" that enables a format string attack,
possibly involving the (1) OSSEMEMDBG or (2) TRC_LOG_FILE environment
variable in db2licd (db2licm).


Analysis:
ACCURACY: the format string attack is probably enabled by modifying
the environment variables to point to alternate
internationalization/localization files that contain resource strings
with attacker-controlled format string specifiers.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents
say "SECURITY: Security vulnerability with db2licd, and the OSSEMEMDBG
and TRC_LOG_FILE environment variables." The APAR documents state
"Local exploitation of a design error in DB2 could allow an attacker
to elevate privileges to root and/or create or change files which the
instance user does not normally have access to when running the tool
db2licm, or by using either the OSSEMEMDBG or TRC_LOG_FILE environment
variables. This problem does not apply to Windows systems. ... This
problem was reported to IBM by an anonymous researcher working with
the iDefense Vulnerability Contributor Program (VCP) and Joshua J.
Drake of iDefense."


======================================================
Name: CVE-2007-4275
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4275
Acknowledged: yes advisory
Announced: 20070816
Flaw: other
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Multiple Untrusted Search Path Vulnerabilities
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=582
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY97922
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY97922
Reference: AIXAPAR:IY97936
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY97936
Reference: AIXAPAR:IY98176
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98176
Reference: AIXAPAR:IY98206
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98206
Reference: AIXAPAR:IZ01923
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01923
Reference: AIXAPAR:IZ02067
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IZ02067
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Multiple untrusted search path vulnerabilities in IBM DB2 UDB 8 before
Fixpak 15 and 9.1 before Fixpak 3 allow local users to gain privileges
via certain vectors related to (1) DB2 instance or FMP startup on
Linux and Solaris; (2) exec of executables while running as root on
non-Windows systems, as demonstrated by AIX; and unspecified vectors
involving (3) db2licm and (4) db2pd.


Analysis:
MAPPING/ABSTRACTION: These issues were MERGEd through post-advisory
coordination with the iDefense CNA.

ABSTRACTION: These issues were MERGEd by the CNA based on best
available information at the time of assignment.  It is possible that
there should have been a SPLIT because of different affected platforms
(roughly equivalent to different affected versions). Specifically,
IZ02067/IZ01923 state "applies only to Linux and Solaris." However,
IY98206/IY98176 state "does not apply to Windows systems," with a
later mention of "Reported component name DB2 UDB ESE AIX." This
suggests that the AIX version has vector 2 but not vector 1.

ACKNOWLEDGEMENT: IZ02067/IZ01923 state "SECURITY: SECURITY
VULNERABILITY DURING INSTANCE AND FMP STARTUP ... an anonymous
researcher working with the iDefense Vulnerability Contributor Program
(VCP) and Joshua J. Drake of iDefense Labs. This APAR addresses the
issues described by CVE-2007-4275." IY98206/IY98176 state 'SECURITY:
Security vulnerability when DB2 "execs" executables while running as
root ... an anonymous researcher working with the iDefense
Vulnerability Contributor Program (VCP) and Joshua J. Drake of
iDefense Labs. This APAR addresses the issues described by
CVE-2007-4275.'


======================================================
Name: CVE-2007-4276
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4276
Acknowledged: yes advisory
Announced: 20070816
Flaw: buf
Reference: IDEFENSE:20070816 IBM DB2 Universal Database buildDasPaths Buffer Overflow Vulnerability
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=583
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY97346
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY97346
Reference: AIXAPAR:IY99311
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY99311
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Stack-based buffer overflow in IBM DB2 UDB 8 before Fixpak 15 and 9.1
before Fixpak 3 allows attackers to execute arbitrary code via a long
DASPROF and possibly other environment variables, which are copied
into the buildDasPaths buffer.


Analysis:
MAPPING: The iDefense to IBM mapping was assisted through e-mail
coordination with iDefense.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents
say "DASPROF env variable - Buffer Overflow Vulnerability." An APAR
search for IY99311 or IY97346 provides a truncated "There is a buffer
overflow vulnerability in DASPROF environment variable. Overflowing
the buffer may lead [to] arbitrary code" description. The APAR
documents are not readily available.

ABSTRACTION: This may seem similar to CVE-2007-1087 or CVE-2007-1088.
However, CVE-2007-1087 and CVE-2007-1088 map to a different IBM
identifier: AIXAPAR:IY94833. Also, AIXAPAR:IY94833 indicates that 9.1
Fixpak 2 has a fix, and here the fix is in Fixpak 3, so these are
different affected versions and should be SPLIT per AB2.  (Admittedly,
the DB2 UDB version 8 aspect of the fix might conceivably be the
same.)

ACCURACY: Most, but not all, environment-variable issues are local.


======================================================
Name: CVE-2007-4417
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4417
Acknowledged: yes advisory
Announced: 20070816
Flaw: other
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY88158
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY88158
Reference: AIXAPAR:IY88226
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY88226
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 does not
properly revoke privileges on methods, which allows remote
authenticated users to execute a method after revocation until the
routine auth cache is flushed.


Analysis:
ACKNOWLEDGEMENT: The vendor says "After revoking privileges on a
method a user may still be able to execute the method until the
routine auth cache is flushed (database deactivated)."

ACCURACY: The vulnerability should probably not be expressed as "does
not flush the routine auth cache." Although a flush will stop
exploitation, it may be an expensive or disruptive action, and not an
appropriate solution.

ACCURACY: SECUNIA:26471 says that the "user may still be able to
execute a method even if the privileges for the method has been
revoked" issue was reported only in version 8 (i.e., not in version
9.1). This seems inconsistent with the listing of IY88158 in IBM's
swg21255607 document.


======================================================
Name: CVE-2007-4418
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4418
Acknowledged: yes advisory
Announced: 20070816
Flaw: other
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: AIXAPAR:JR25940
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

IBM DB2 UDB 8 before Fixpak 15 does not properly check authorization,
which allows remote authenticated users with a certain SELECT
privilege to have an unknown impact via unspecified vectors.  NOTE:
this issue is probably related to CVE-2007-1089, but this is uncertain
due to lack of details.


Analysis:
ACKNOWLEDGEMENT: The swg21255352 CONFIRM says "SECURITY VULNERABILITY
RELATED TO INCORRECT AUTHORIZATION CHECKS." An APAR search for JR25940
provides a truncated "It is possible to bypass DB2 authorization
checking. This vulnerability can enable a user who holds SELECT"
description. The full description is not readily available. However,
JR25941 (for IBM DB2 UDB 9.1) states "JR25941: SECURITY VULNERABILITY
RELATED TO INCORRECT AUTHORIZATION CHECKS ... It is possible to bypass
DB2 authorization checking. This vulnerability can enable a user who
holds SELECT privilege on a table to update or delete the contents of
the table, even if they do not hold the required update and/or delete
privileges." JR25941 is a CVE-2007-1089 reference. Because of the
identical APAR titles and the adjacent APAR numbers, it seems very
likely that JR25940 and JR25941 are analogous issues: the first in
version 8, and the second in version 9.1. However, they are SPLIT
because the non-public status of the JR25940 document makes this
conclusion uncertain.


======================================================
Name: CVE-2007-4423
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4423
Acknowledged: yes advisory
Announced: 20070816
Flaw: unk
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IZ01828
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01828
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Unspecified vulnerability in the AUTH_LIST_GROUPS_FOR_AUTHID function
in IBM DB2 UDB 9.1 before Fixpak 3 allows attackers to cause a denial
of service.


Analysis:
ACKNOWLEDGEMENT: The vendor's swg21255607 document says "SECURITY
VULNERABILITY IN AUTH_LIST_GROUPS_FOR_AUTHID." An APAR search for
IZ01828 provides a truncated "Exploitation of an issue in the
AUTH_LIST_GROUPS_FOR_AUTHID function could allow an attacker to cause
a denial of service" description. The APAR document is not readily
available.
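The race the CVE-2007-4270 analysis above describes (the product checks whether the file is a symlink, then opens it later) in runnable form, as an added example that is not code from this post, iDefense or IBM: a check-then-use open beside the O_NOFOLLOW pattern that removes the window. The function names, the hook that stands in for another process acting inside the window, and the files created under /tmp are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook run between the check and the use; in the demo it stands in for
 * whatever another local process manages to do inside that window. */
typedef void (*between_hook)(const char *path);

/* Check-then-use pattern (the shape the CVE-2007-4270 analysis describes):
 * lstat() rejects a symlink, but open() resolves the path again later,
 * so a symlink swapped in between the two calls is followed. */
int open_log_checked(const char *path, between_hook hook) {
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }
    if (hook) hook(path);                     /* the race window */
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened pattern: O_NOFOLLOW makes the kernel refuse a symlink at the
 * final component atomically with the open, and fstat() on the fd we hold
 * confirms a regular file. There is no separate check left to race. */
int open_log_nofollow(const char *path, between_hook hook) {
    struct stat st;
    if (hook) hook(path);                     /* same swap, no longer matters */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    return fd;
}

static char g_protected[PATH_MAX];            /* file the log must never alias */

/* Simulated swap inside the window: the checked path becomes a symlink. */
static void swap_for_symlink(const char *path) {
    unlink(path);
    symlink(g_protected, path);
}

/* Returns 1 if the opened fd landed on the protected file (race won),
 * 0 if the open refused or stayed on the real log file, -1 on setup error. */
int run_demo(int hardened) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char logp[PATH_MAX];
    struct stat st_fd, st_prot; int fd, hit = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(logp, sizeof logp, "%s/db2.log", dir);
    snprintf(g_protected, sizeof g_protected, "%s/protected", dir);
    close(open(logp, O_WRONLY | O_CREAT, 0600));         /* constructed log file */
    close(open(g_protected, O_WRONLY | O_CREAT, 0600));  /* constructed target */
    fd = hardened ? open_log_nofollow(logp, swap_for_symlink)
                  : open_log_checked(logp, swap_for_symlink);
    if (fd >= 0 && fstat(fd, &st_fd) == 0 && stat(g_protected, &st_prot) == 0)
        hit = (st_fd.st_ino == st_prot.st_ino);
    if (fd >= 0) close(fd);
    unlink(logp); unlink(g_protected); rmdir(dir);
    return hit;
}
```

O_NOFOLLOW only protects the final path component; a root process that must also distrust the directories leading to the file should open the directory itself and use openat() from that descriptor.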



