Vulnerability CVE-2012-4826 - CERT Civis.Net

Vulnerability Name:

CVE-2012-4826 (CCN-78817)

Assigned:

2012-10-18

Published:

2012-10-18

Updated:

2013-03-02

Summary:

Stack-based buffer overflow in the SQL/PSM (aka SQL Persistent Stored Module) Stored Procedure (SP) infrastructure in IBM DB2 9.1, 9.5, 9.7 before FP7, 9.8, and 10.1 might allow remote authenticated users to execute arbitrary code by debugging a stored procedure.

CVSS v3 Severity:

8.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

8.5 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2012-4826

Source: OSVDB
Type: UNKNOWN
86414

Source: CCN
Type: SA50921
IBM DB2 SQL/PSM Stored Procedure Debugging Buffer Overflow Vulnerability

Source: AIXAPAR
Type: UNKNOWN
IC86765

Source: AIXAPAR
Type: Vendor Advisory
IC86781

Source: AIXAPAR
Type: UNKNOWN
IC86782

Source: AIXAPAR
Type: UNKNOWN
IC86783

Source: AIXAPAR
Type: UNKNOWN
IC87192

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21450666

Source: CCN
Type: IBM Security Bulletin 1614536
Buffer Overflow Vulnerability in IBM DB2 SQL/PSM Stored Procedure Infrastructure (CVE-2012-4826).

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21614536

Source: CCN
Type: OSVDB ID: 86414
IBM DB2 SQL/Persistent Stored Module (PSM) Stored Procedure (SP) Infrastructure Remote Overflow

Source: BID
Type: UNKNOWN
56133

Source: CCN
Type: BID-56133
Multiple IBM DB2 Products CVE-2012-4826 Remote Stack Buffer Overflow Vulnerability

Source: XF
Type: UNKNOWN
db2-javasp-incomplete-bo(78817)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:db2:9.1:-:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.5:-:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:*:-:*:*

Configuration CCN 1:

cpe:/a:ibm:db2_universal_database:9.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2_universal_database:9.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20124826000	V	CVE-2012-4826 on Ubuntu 12.04 LTS (precise) - medium.	2012-10-20