IBM DB2 Fenced UserID Unspecified Authentication Bypass Vulnerability
BID:22729
Info
| Bugtraq ID: | 22729 |
| Class: | Design Error |
| CVE: | CVE-2007-1228 |
| Remote: | No |
| Local: | Yes |
| Published: | Feb 26 2007 12:00AM |
| Updated: | May 12 2015 07:34PM |
| Credit: | The vendor disclosed this vulnerability. |

Vulnerable:
- IBM DB2 Universal Database for Windows 8.2
- IBM DB2 Universal Database for Windows 8.1
- IBM DB2 Universal Database for Windows 9.1
- IBM DB2 Universal Database for Solaris 8.2
- IBM DB2 Universal Database for Solaris 8.1
- IBM DB2 Universal Database for Solaris 9.1
- IBM DB2 Universal Database for Linux 8.2
- IBM DB2 Universal Database for Linux 8.1
- IBM DB2 Universal Database for Linux 9.1
- IBM DB2 Universal Database for HP-UX 8.2
- IBM DB2 Universal Database for HP-UX 8.1
- IBM DB2 Universal Database for HP-UX 9.1
- IBM DB2 Universal Database for AIX 8.2
- IBM DB2 Universal Database for AIX 8.1
- IBM DB2 Universal Database for AIX 9.1 FixPack 2

Not Vulnerable:
- IBM DB2 Universal Database for Windows 9.1 FixPack 2
- IBM DB2 Universal Database for Windows 8.2 FixPak 7
- IBM DB2 Universal Database for Windows 8.1 FixPak 14
- IBM DB2 Universal Database for Solaris 9.1 FixPack 2
- IBM DB2 Universal Database for Solaris 8.2 FixPak 7
- IBM DB2 Universal Database for Solaris 8.1 FixPak 14
- IBM DB2 Universal Database for Linux 9.1 FixPack 2
- IBM DB2 Universal Database for Linux 8.2 FixPak 7
- IBM DB2 Universal Database for Linux 8.1 FixPak 14
- IBM DB2 Universal Database for HP-UX 9.1 FixPack 2
- IBM DB2 Universal Database for HP-UX 8.2 FixPak 7
- IBM DB2 Universal Database for HP-UX 8.1 FixPak 14
- IBM DB2 Universal Database for AIX 9.1 FixPack 2
- IBM DB2 Universal Database for AIX 8.2 FixPak 7
- IBM DB2 Universal Database for AIX 8.1 FixPak 14
Discussion
IBM DB2 is prone to an unspecified authentication-bypass vulnerability because it fails to effectively restrict access to certain directories.
An attacker could exploit this issue to gain unauthorized access to privileged directories.
Versions prior to 8.1 FixPak 14 and 9.1 FixPak 2 are vulnerable.
Exploit / POC
An attacker can exploit this issue by issuing basic shell commands.
Solution / Fix
Solution:
The vendor has released fixes to address this issue. Please see the referenced advisories for information on how to obtain and apply these fixes.
IBM DB2 Universal Database for Solaris 9.1
- IBM v9fp2_sunos_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2sunv9/fixpack/FP2_U810941/v9fp2_sunos_universal_fixpack.tar.gz

IBM DB2 Universal Database for HP-UX 9.1
- IBM v9fp2_hpipf_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2hpIH64v9/fixpack/FP2_U810942/v9fp2_hpipf_universal_fixpack.tar.gz
- IBM v9fp2_hppa_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2hpv9/fixpack/FP2_U810943/v9fp2_hppa_universal_fixpack.tar.gz

IBM DB2 Universal Database for Linux 9.1
- IBM v9fp2_linux_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxIA32v9/fixpack/FP2_MI00183/v9fp2_linux_universal_fixpack.tar.gz
- IBM v9fp2_linux390_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linux39064v9/fixpack/FP2_MI00187/v9fp2_linux390_universal_fixpack.tar.gz
- IBM v9fp2_linux64_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxIA64v9/fixpack/FP2_MI00185/v9fp2_linux64_universal_fixpack.tar.gz
- IBM v9fp2_linuxx64_universal_fixpack.tar.gz: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxAMD64v9/fixpack/FP2_MI00184/v9fp2_linuxx64_universal_fixpack.tar.gz

IBM DB2 Universal Database for Windows 9.1
- IBM v9fp2_win_ese.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v9/fixpack/FP2_WR21380/v9fp2_win_ese.exe
- IBM v9fp2_win_exp.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v9/fixpack/FP2_WR21380/v9fp2_win_exp.exe
- IBM v9fp2_win_pe.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v9/fixpack/FP2_WR21380/v9fp2_win_pe.exe
- IBM v9fp2_win_wse.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v9/fixpack/FP2_WR21380/v9fp2_win_wse.exe
- IBM v9fp2_win64_ese.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA64v9/fixpack/FP2_WR21381/v9fp2_win64_ese.exe
- IBM v9fp2_winx64_ese.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winX64v9/fixpack/FP2_WR21382/v9fp2_winx64_ese.exe
- IBM v9fp2_winx64_exp.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winX64v9/fixpack/FP2_WR21382/v9fp2_winx64_exp.exe
- IBM v9fp2_winx64_pe.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winX64v9/fixpack/FP2_WR21382/v9fp2_winx64_pe.exe
- IBM v9fp2_winx64_wse.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winX64v9/fixpack/FP2_WR21382/v9fp2_winx64_wse.exe

IBM DB2 Universal Database for Windows 8.1
- IBM FP14_WR21377_ESE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v8/fixpak/FP14_WR21377/FP14_WR21377_ESE.exe
- IBM FP14_WR21377_EXP.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v8/fixpak/FP14_WR21377/FP14_WR21377_EXP.exe
- IBM FP14_WR21377_PE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v8/fixpak/FP14_WR21377/FP14_WR21377_PE.exe
- IBM FP14_WR21377_WSE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA32v8/fixpak/FP14_WR21377/FP14_WR21377_WSE.exe
- IBM FP14_WR21378_CONPE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA64v8/fixpak/FP14_WR21378/FP14_WR21378_CONPE.exe
- IBM FP14_WR21378_ESE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA64v8/fixpak/FP14_WR21378/FP14_WR21378_ESE.exe
- IBM FP14_WR21378_PE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winIA64v8/fixpak/FP14_WR21378/FP14_WR21378_PE.exe
- IBM FP14_WR21379_CONEE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_CONEE.exe
- IBM FP14_WR21379_CONPE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_CONPE.exe
- IBM FP14_WR21379_CONUE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_CONUE.exe
- IBM FP14_WR21379_ESE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_ESE.exe
- IBM FP14_WR21379_EXP.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_EXP.exe
- IBM FP14_WR21379_EXPP.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_EXPP.exe
- IBM FP14_WR21379_WSE.exe: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2winAMD64v8/fixpak/FP14_WR21379/FP14_WR21379_WSE.exe

IBM DB2 Universal Database for AIX 8.1
- IBM FP14_U810097.tar.Z: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2aix433v8/fixpak/FP14_U810097/FP14_U810097.tar.Z
- IBM FP14_U810098.tar.Z: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2aix5v8/fixpak/FP14_U810098/FP14_U810098.tar.Z

IBM DB2 Universal Database for Linux 8.1
- IBM FP14_MI00175.tar (32-bit linux 2.4): ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxIA32v8/fixpak/FP14_MI00175/FP14_MI00175.tar
- IBM FP14_MI00176.tar (32-bit linux 2.6): ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linux2632/fixpak/FP14_MI00176/FP14_MI00176.tar
- IBM FP14_MI00177.tar: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxIA64v8/fixpak/FP14_MI00177/FP14_MI00177.tar
- IBM FP14_MI00179.tar (64-bit linux 2.6): ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxAMD64v8/fixpak/FP14_MI00179/FP14_MI00179.tar
- IBM FP14_MI00180.tar (64-bit linux 2.6): ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linux26AMD64/fixpak/FP14_MI00180/FP14_MI00180.tar
- IBM FP14_MI00181.tar: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linux390v8/fixpak/FP14_MI00181/FP14_MI00181.tar
- IBM FP14_MI00182.tar: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linux39064v8/fixpak/FP14_MI00182/FP14_MI00182.tar

IBM DB2 Universal Database for Solaris 8.1
- IBM FP14_U810099.tar.Z: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2sunv8/fixpak/FP14_U810099/FP14_U810099.tar.Z
- IBM FP14_U810988.tar.Z: ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english/db2sunAMD64v8/fixpak/FP14_U810988/FP14_U810988.tar.Z

IBM DB2 Universal Database for HP-UX 8.1
References
- DB2 Universal Database Product Page (IBM)
- SECURITY APAR IY86711 (IBM)
- SECURITY APAR IY87492 (IBM)