IBM Patching DB2 Vulnerability

By Paul Roberts, IDG News Service

IBM released a software patch for a serious security vulnerability in some versions of its DB2 database, according to the security company that discovered the problems. If left unaddressed, the vulnerability could enable attackers to run malicious code on DB2 systems using the permissions of an administrative (root) account, according to Core Security Technologies of Boston.

DB2 is a popular relational database that competes with databases from Oracle and Microsoft's SQL Server. IBM makes versions of DB2 for operating systems including Unix, Linux, Sun's Solaris and Microsoft's Windows. DB2 is used by more than 300,000 companies and 60 million users worldwide, according to IBM's Web site.

Buffer overflow vulnerabilities were found in two components of DB2 Version 7.2 for Linux. Those components are accessible to DB2 users, but run with system administrator (root) level permissions, said Ejovi Nuwere, a security engineer at Core. Attackers would need to know which DB2 components were vulnerable and target them with specially crafted, extra-long commands to trigger the buffer overflow, he said. Once that was accomplished, the attacker could retain the root-level account access and redirect the programs, gaining total control of the DB2 database and the system on which DB2 is running, Nuwere said.

The vulnerabilities are not accessible to remote users. Attackers would first need to be able to connect to DB2 on a corporate intranet with a user account to launch an attack, he said.

IBM had a software patch for vulnerable DB2 systems available for download from a company FTP site Wednesday. While not as severe as recent vulnerabilities disclosed by Microsoft, the DB2 security holes should be addressed by companies that are using vulnerable versions of the software, according to Core CEO Paul Paget.

Representatives of IBM were not immediately available to comment on the vulnerability.