IBM DB2 Everyone Group Arbitrary File Access

2004-10-06T07:00:32
ID OSVDB:10523
Type osvdb
Reporter Chris Anley (chris@ngssoftware.com)
Modified 2004-10-06T07:00:32

Description

Vulnerability Description

DB2 contains a flaw that may lead to unauthorized information disclosure. The issue is triggered in the Windows version when the 'Everyone' group is granted read and write access to certain DB2 resources. This could allow a malicious user to gain access to plaintext Windows user names and passwords from the 'DB2SHMSECURITYSERVICE' section, resulting in a loss of confidentiality and/or integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct these issues. However, IBM has released a patch to address this vulnerability.

References:

Vendor URL: http://www-306.ibm.com/software/data/db2/udb/
Vendor Specific Advisory URL
Security Tracker: 1011562
Secunia Advisory ID: 12733
Related OSVDB IDs: 12755, 10515, 10516, 10519, 12754, 10514, 10517, 10518, 10520, 12756, 12757, 10513, 10521, 10522
Other Advisory URL: http://www.nextgenss.com/advisories/db2-01.txt
Other Advisory URL: http://www.nextgenss.com/advisories/db205012005F.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0028.html
Keyword: APAR IY62300
Keyword: #NISR05012005F