IBM DB2 sqlcctcpgetbuffer Process Memory Consumption DoS

2005-05-04T05:50:48
ID OSVDB:16564
Type osvdb
Reporter OSVDB
Modified 2005-05-04T05:50:48

Description

Vulnerability Description

IBM DB2 contains a flaw that may allow a remote denial of service. The issue is triggered when a remote application calls nested stored procedures, which causes a memory leak in the sqlcctcpgetbuffer process. This may cause out-of-memory errors and will result in loss of availability for the database service.

Solution Description

Upgrade to DB2 UDB Version 8.1 FixPak 9 or higher, as it has been reported to fix this vulnerability. It may also be possible to correct the flaw by implementing the following workaround: setting the num_poolagents database manager configuration parameter to 0 might prevent this memory leak on UNIX-based systems.

Manual Testing Notes

When a remote application calls nested stored procedures, a memory leak in the sqlcctcpgetbuffer process might cause out-of-memory errors. Running "db2mtrk -i -p -v -all" several times reveals a continuing increase in the size of the persistent or private heap.

References:

Vendor Specific Advisory URL / Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0142.html