Vulnerability CVE-2011-1847

Vulnerability Name:

CVE-2011-1847 (CCN-66979)

Assigned:

2011-04-21

Published:

2011-04-21

Updated:

2017-09-19

Summary:

IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement.
Note: some of these details are obtained from third party information.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.9 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P)
3.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2011-1847

Source: CCN
Type: SA44229
IBM DB2 Two Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
44229

Source: CCN
Type: IBM Support and Downloads
IBM DB2

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IC71413

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1IC72119

Source: AIXAPAR
Type: UNKNOWN
IC71413

Source: AIXAPAR
Type: UNKNOWN
IC72119

Source: CCN
Type: OSVDB ID: 72698
IBM DB2 Relational Data Services SYSSTAT.TABLES Statistics Manipulation

Source: BID
Type: UNKNOWN
47525

Source: CCN
Type: BID-47525
IBM DB2 Multiple Security Bypass Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2011-1083

Source: XF
Type: UNKNOWN
ibm-db2-rds-sec-bypass(66979)

Source: XF
Type: UNKNOWN
ibm-db2-rds-sec-bypass(66979)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:14122

Source: CCN
Type: IBM Security Bulletin 6347588 (Security Guardium)
IBM Security Guardium is affected by multiple vulnerabilities

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:db2:9.5:-:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp1:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp2:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp2a:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp3:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp3a:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp3b:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp4:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp4a:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp5:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:fp6:*:*:*:*:*:*

OR cpe:/a:ibm:db2:*:fp6a:*:*:*:*:*:* (Version <= 9.5)

Configuration 2:

cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7:fp1:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7:fp2:*:*:*:*:*:*

OR cpe:/a:ibm:db2:*:fp3:*:*:*:*:*:* (Version <= 9.7)

Configuration CCN 1:

cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:14122	V	IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.	2013-07-29

BACK