Vulnerability CVE-2014-0919 - CERT Civis.Net

Vulnerability Name:

CVE-2014-0919 (CCN-91981)

Assigned:

2014-01-06

Published:

2015-05-07

Updated:

2016-11-28

Summary:

IBM DB2 9.5 through 10.5 on Linux, UNIX, and Windows stores passwords during the processing of certain SQL statements by the monitoring and audit facilities, which allows remote authenticated users to obtain sensitive information via commands associated with these facilities.

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
2.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-0919

Source: AIXAPAR
Type: UNKNOWN
IT07397

Source: AIXAPAR
Type: UNKNOWN
IT07547

Source: AIXAPAR
Type: UNKNOWN
IT07552

Source: AIXAPAR
Type: UNKNOWN
IT07553

Source: AIXAPAR
Type: UNKNOWN
IT07554

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21698021

Source: CCN
Type: IBM Security Bulletin 1698021
IBM DB2 contains a sensitive information exposure vulnerability in the monitoring and audit feature (CVE-2014-0919)

Source: CCN
Type: IBM Security Bulletin 1970398
Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919).

Source: CCN
Type: IBM Security Bulletin 1987604 (BigInsights)
BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919, CVE-2016-0211)

Source: BID
Type: UNKNOWN
74217

Source: CCN
Type: BID-74217
Multiple IBM DB2 Products CVE-2014-0919 Information Disclosure Vulnerability

Source: SECTRACK
Type: UNKNOWN
1032247

Source: XF
Type: UNKNOWN
ibm-db2-cve20140919-info-disc(91981)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:db2:9.5:*:*:*:advanced_enterprise:*:*:*

OR cpe:/a:ibm:db2:9.5:*:*:*:advanced_workgroup:*:*:*

OR cpe:/a:ibm:db2:9.5:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:db2:9.5:*:*:*:express:*:*:*

OR cpe:/a:ibm:db2:9.5:*:*:*:workgroup:*:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:advanced_enterprise:*:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:advanced_workgroup:*:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:express:*:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:workgroup:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:advanced_enterprise:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:advanced_workgroup:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:express:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:workgroup:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:advanced_enterprise:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:advanced_workgroup:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:express:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:workgroup:*:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:advanced_enterprise:*:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:advanced_workgroup:*:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:express:*:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:workgroup:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20140919000	V	CVE-2014-0919 on Ubuntu 12.04 LTS (precise) - medium.	2015-05-07