
IBM DB2 10.1 < Fix Pack 5 Multiple Vulnerabilities (Bar Mitzvah)

2016-04-15 00:00:00
Tenable
www.tenable.com

Versions of IBM DB2 10.1 earlier than Fix Pack 5 are potentially affected by multiple vulnerabilities:

  • An unspecified flaw exists in the monitoring or audit facility due to passwords being stored when handling specially crafted commands. A remote, authenticated attacker can exploit this to access sensitive information. (CVE-2014-0919)
  • A stack-based buffer overflow condition exists due to improper validation of user-supplied input when handling crafted ‘ALTER MODULE’ statements. A remote, authenticated attacker can exploit this to cause a denial of service or execute arbitrary code. (CVE-2014-3094)
  • A flaw exists when handling a crafted ‘UNION’ clause in a subquery of a ‘SELECT’ statement. A remote, authenticated attacker can exploit this to cause a denial of service. (CVE-2014-3095)
  • A denial of service vulnerability exists when immediate ‘AUTO_REVAL’ is enabled. A remote, authenticated attacker can exploit this, via a crafted ‘ALTER TABLE’ statement, to crash the server. (CVE-2014-6159)
  • A denial of service vulnerability exists when handling an identity column within a crafted ‘ALTER TABLE’ statement. A remote, authenticated attacker can exploit this vulnerability to crash the server. (CVE-2014-6209)
  • A denial of service vulnerability exists when handling multiple ‘ALTER TABLE’ statements specifying the same column. A remote, authenticated attacker can exploit this vulnerability to crash the server. (CVE-2014-6210)
  • A flaw exists that is triggered when handling specially crafted XML queries. A remote, authenticated attacker can exploit this to cause a consumption of resources, resulting in a denial of service. (CVE-2014-8901)
  • A flaw exists in the IBM Global Security Kit (GSKit) when handling RSA temporary keys in a non-export RSA key exchange ciphersuite. A man-in-the-middle attacker can exploit this to downgrade the session security to use weaker EXPORT_RSA ciphers, thus allowing the attacker to more easily monitor or tamper with the encrypted stream. (CVE-2015-0138)
  • An unspecified flaw in the General Parallel File System (GPFS) allows a local attacker to gain root privileges. (CVE-2015-0197)
  • A flaw exists in the General Parallel File System (GPFS), related to certain cipherList configurations, that allows a remote attacker, using specially crafted data, to bypass authentication and execute arbitrary programs with root privileges. (CVE-2015-0198)
  • A denial of service vulnerability exists in the General Parallel File System (GPFS) that allows a local attacker to corrupt kernel memory by sending crafted ioctl character device calls to the mmfslinux kernel module. (CVE-2015-0199)
  • A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
  • An information disclosure vulnerability exists due to improper block cipher padding by TLSv1 when using Cipher Block Chaining (CBC) mode. A remote attacker, via a padding oracle side-channel attack, can exploit this vulnerability to gain access to sensitive information. Note that this is a variation of the ‘POODLE’ attack.
  • A double-free flaw exists in the CLI application. The issue is triggered as user-supplied input is not properly validated when handling client disconnects. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.
  • A flaw exists that is triggered when handling ‘SUM’ or ‘GROUP BY’ queries with a ‘SUBSELECT’ that contains unnest. This may allow an attacker to cause the database to crash.
  • An unspecified flaw exists in the ‘sqldRemoveCachedTableEntry()’ function that may allow an authenticated attacker to cause a DB2 instance to crash.
  • A flaw exists that is triggered as user-supplied input is not properly validated when handling Partial Aggregation operators (PED, PEA). This may allow an authenticated attacker to corrupt memory and cause a denial of service.
  • A flaw exists that is due to the program setting insecure 666 permissions for log files. This may allow a local attacker to manipulate logs.
  • A flaw exists in the ‘sqlex_find_group()’ function in the handling of group names. This issue is triggered when returning a cumulative group name length greater than 64k for a user id. This may allow an authenticated attacker to crash the server.
  • A flaw exists in the ‘sqlsBinSortPopulateRecPointers()’ function. The issue is triggered as user-supplied input is not properly validated when performing resettable sorts. This may allow an authenticated attacker to corrupt memory and cause a denial of service.
  • A flaw exists that is triggered when handling generated tables with ‘INSERT INTO’ statements. This may allow an authenticated attacker to cause DB2 to crash.
  • A flaw exists that is triggered when invoking runstats against a user temporary table while the index clause explicitly specifies index names while omitting the index scheme name. This may allow an authenticated attacker to cause a crash.
  • A flaw exists in the DRDA communication protocol that is triggered during the handling of messages. This may allow an authenticated remote attacker to trigger a large memory overwrite.
  • A flaw exists that is due to the program insecurely loading binaries planted in a location from which a SETGID or SETUID binary would execute them. This may allow a local attacker to gain elevated (root) privileges.
Affected product (CPE)

Vendor: ibm
Product: db2
Version: (not specified)
CPE: cpe:/a:ibm:db2