Vulnerability Name:

CVE-2013-3475 (CCN-84358)

Assigned:2013-05-31
Published:2013-05-31
Updated:2018-09-25
Summary:Stack-based buffer overflow in db2aud in the Audit Facility in IBM DB2 and DB2 Connect 9.1, 9.5, 9.7, 9.8, and 10.1, as used in Smart Analytics System 7600 and other products, allows local users to gain privileges via unspecified vectors.
Per: http://www-01.ibm.com/support/docview.wss?uid=swg21639355

'The following IBM DB2 and DB2 Connect V9.1, V9.5, V9.7 and V10.1 editions running on AIX, Linux, HP and Solaris (this vulnerability is not applicable to DB2 on Windows.).'
CVSS v3 Severity:7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.6 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C)
4.9 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2013-3475

Source: CCN
Type: SA52663
IBM DB2 / DB2 Connect db2aud Privilege Escalation Vulnerability

Source: SECUNIA
Type: Vendor Advisory
52663

Source: CCN
Type: SA53704
IBM Smart Analytics System Series db2aud Privilege Escalation Vulnerability

Source: SECUNIA
Type: Vendor Advisory
53704

Source: AIXAPAR
Type: UNKNOWN
IC92463

Source: AIXAPAR
Type: UNKNOWN
IC92495

Source: AIXAPAR
Type: UNKNOWN
IC92496

Source: AIXAPAR
Type: UNKNOWN
IC92498

Source: CCN
Type: IBM Security Bulletin 1639194
IBM Smart Analytics System 7600, 7700, and 7710 are affected by a privilege escalation vulnerability in the DB2 Audit Facility (CVE-2013-3475)

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21639194

Source: CCN
Type: IBM Security Bulletin 1639355
Privilege escalation vulnerability in IBM DB2's Audit Facility (CVE-2013-3475)

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21639355

Source: CCN
Type: IBM Security Bulletin 1640925
IBM InfoSphere Balanced Warehouse C3000 and C4000, IBM Smart Analytics System 1050, 2050, and 5710 systems are affected by privilege escalation vulnerability in IBM DB2 for Linux, Unix, and Windows Audit Facility (CVE-2013-3475)

Source: CCN
Type: IBM Security Bulletin 1644329
IBM InfoSphere Balanced Warehouse D5100 and IBM Smart Analytics System 5600 are affected by a privilege escalation vulnerability in the DB2 Audit Facility (CVE-2013-3475)

Source: BID
Type: UNKNOWN
60255

Source: CCN
Type: BID-60255
IBM DB2 and DB2 Connect Audit Facility Local Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
db2-cve20133475-bo(84358)

Source: XF
Type: UNKNOWN
ibm-db2-cve20133475-bo(84358)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:db2:9.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:*:-:*:*
  • OR cpe:/a:ibm:db2_connect:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_connect:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_connect:9.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_connect:9.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.1:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:smart_analytics_system_7600:-:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:ibm:db2:9.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:*:-:*:*
  • OR cpe:/a:ibm:db2:9.8:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    ibm db2 9.1
    ibm db2 9.5
    ibm db2 9.7
    ibm db2 9.8
    ibm db2 10.1
    ibm db2 connect 9.1
    ibm db2 connect 9.5
    ibm db2 connect 9.7
    ibm db2 connect 9.8
    ibm db2 connect 10.1
    ibm smart analytics system 7600 -
    ibm db2 9.1
    ibm db2 9.5
    ibm db2 9.7
    ibm db2 10.1
    ibm db2 9.8