IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities

Bugtraq ID:	26010
Class:	Unknown
CVE:	CVE-2007-5324
Remote:	Yes
Local:	No
Published:	Oct 10 2007 12:00AM
Updated:	Oct 15 2007 06:18PM
Credit:	These issues were discovered by an anonymous researcher working with TippingPoint and the Zero Day Initiative.
Vulnerable:	IBM DB2 Universal Database 8.2 IBM DB2 Universal Database 8.1
Not Vulnerable:	IBM DB2 Universal Database 8.2 FixPak 8 IBM DB2 Universal Database 8.1 FixPak 15

IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities

IBM DB2 Universal Database is prone to two denial-of-service vulnerabilities.

Successfully exploiting these issues allows attackers to cause server crashes, denying service to legitimate users.

IBM DB2 Universal Database 8.1 and 8.2 are vulnerable to these issues.

NOTE: Information regarding the buffer-overflow vulnerability previously documented in this BID has been removed. That vulnerability is documented in a separate record: BID 23890 (IBM DB2 Universal Database JDBC Applet Server Unspecified Code Execution Vulnerability).

IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities

An attacker can exploit this issue by sending malformed packets to the vulnerable server.

IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities

Solution:
IBM has released DB2 9.1 Fixpak 15 and 8.2 Fixpak 8 to address these issues. Please see the references for more information.

IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities

References:

• DB2 Technical Support (IBM)
  
• IBM DB2 DB2JDS Multiple Vulnerabilities (TippingPoint)
  
• IY97750: This vulnerability allows remote attackers to execute arbitrary code on (IBM)