Vulnerability Name:

CVE-2009-4331 (CCN-55014)

Assigned: 2009-12-15
Published: 2009-12-15
Updated: 2010-10-07
Summary: The Install component in IBM DB2 9.5 before FP5 and 9.7 before FP1 configures the High Availability (HA) scripts with incorrect file-permission and authorization settings, which has unknown impact and local attack vectors.
CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
1.9 Low (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N)
1.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Other
References:
Source: CONFIRM
Type: UNKNOWN
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT

Source: CONFIRM
Type: UNKNOWN
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v97/APARLIST.TXT

Source: CONFIRM
Type: UNKNOWN
ftp://public.dhe.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT

Source: MITRE
Type: CNA
CVE-2009-4331

Source: CCN
Type: SA37759
IBM DB2 Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
37759

Source: AIXAPAR
Type: Exploit
IC63581

Source: CCN
Type: IBM Support & downloads
IC63581: SECURITY: INCORRECT FILE PERMISSION AND AUTHORIZATION FOR HA SCRIPTS WHEN INSTALLED VIA V9.5.

Source: AIXAPAR
Type: Exploit, Patch
IC63959

Source: CONFIRM
Type: Patch
http://www-01.ibm.com/support/docview.wss?uid=swg21293566

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21412902

Source: CCN
Type: OSVDB ID: 67683
IBM DB2 Universal Database Install Component High Availability (HA) Scripts Installation Permission Weakness Unspecified Local Issue

Source: BID
Type: UNKNOWN
37332

Source: CCN
Type: BID-37332
IBM DB2 prior to 9.5 Fix Pack 5 Multiple Unspecified Security Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2009-3520

Source: XF
Type: UNKNOWN
ibm-db2-install-unspecified(55014)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:ibm:db2:9.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp2a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp3a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp3b:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:ibm:db2_universal_database:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp3a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp2a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp3b:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    ibm db2 9.5
    ibm db2 9.5 fp1
    ibm db2 9.5 fp2
    ibm db2 9.5 fp2a
    ibm db2 9.5 fp3
    ibm db2 9.5 fp3a
    ibm db2 9.5 fp3b
    ibm db2 9.7
    ibm db2 universal database 9.5
    ibm db2 universal database 9.5 fp1
    ibm db2 universal database 9.5 fp2
    ibm db2 universal database 9.5 fp3a
    ibm db2 universal database 9.5 fp3
    ibm db2 universal database 9.5 fp2a
    ibm db2 universal database 9.5 fp3b