Vulnerability CVE-2014-3094 - CERT Civis.Net

Vulnerability Name:

CVE-2014-3094 (CCN-94260)

Assigned:

2014-08-29

Published:

2014-08-29

Updated:

2017-08-29

Summary:

Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to execute arbitrary code via a crafted ALTER MODULE statement.

CVSS v3 Severity:

8.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

8.5 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2014-3094

Source: SECUNIA
Type: UNKNOWN
58616

Source: SECUNIA
Type: UNKNOWN
60845

Source: AIXAPAR
Type: Vendor Advisory
IT02291

Source: AIXAPAR
Type: UNKNOWN
IT02592

Source: AIXAPAR
Type: Vendor Advisory
IT02593

Source: AIXAPAR
Type: UNKNOWN
IT02594

Source: CCN
Type: IBM Security Bulletin 1681631
IBM DB2 LUW contains a denial of service vulnerability in ALTER MODULE statement handling. (CVE-2014-3094)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21681631

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21683296

Source: CCN
Type: IBM Security Bulletin 1683296
IBM InfoSphere Balanced Warehouse, IBM Smart Analytics System and IBM PureData System for Operational Analytics are affected by an IBM DB2 LUW denial of service vulnerability in ALTER MODULE statement handling (CVE-2014-3094)

Source: BID
Type: UNKNOWN
69550

Source: CCN
Type: BID-69550
Multiple IBM DB2 Products CVE-2014-3094 Stack Based Buffer Overflow Vulnerability

Source: XF
Type: UNKNOWN
ibm-db2-cve20143094-bo(94260)

Source: XF
Type: UNKNOWN
ibm-db2-cve20143094-bo(94260)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.7.0.9:a:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.8.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.8.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:9.8.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:*:-:*:*

OR cpe:/a:ibm:db2:10.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.5.0.3:a:*:*:*:*:*:*

AND

cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*

Denotes that component is vulnerable