Vulnerability Name:

CVE-2017-1105 (CCN-120668)

Assigned:2016-11-30
Published:2017-06-22
Updated:2017-07-07
Summary:IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) is vulnerable to a buffer overflow that could allow a local user to overwrite DB2 files or cause a denial of service. IBM X-Force ID: 120668.
CVSS v3 Severity:7.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
6.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): High
5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
4.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:3.6 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
3.6 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-119
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2017-1105

Source: CCN
Type: IBM Security Bulletin 2003877 (DB2 for Linux, UNIX and Windows)
Buffer overflow vulnerability in IBM DB2 LUW (CVE-2017-1105)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg22003877

Source: CCN
Type: IBM Security Bulletin 2008363 (BigInsights)
BigInsights is affected by multiple vulnerabilities in Db2

Source: CCN
Type: IBM Security Bulletin 2009194 (Spectrum Protect)
Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1105, CVE-2017-1297)

Source: BID
Type: Third Party Advisory, VDB Entry
99264

Source: CCN
Type: BID-99264
Multiple IBM DB2 CVE-2017-1105 Local Buffer Overflow Vulnerability

Source: SECTRACK
Type: UNKNOWN
1038773

Source: MISC
Type: Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/120668

Source: XF
Type: UNKNOWN
ibm-db2-cve20171105-dos(120668)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:data_server_client:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_server_driver_for_odbc_and_cli:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_server_driver_package:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_server_runtime_client:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:advanced_enterprise:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:advanced_workgroup:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:workgroup:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:advanced_enterprise:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:advanced_workgroup:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:workgroup:*:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:advanced_enterprise:*:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:advanced_workgroup:*:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:workgroup:*:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:advanced_enterprise:*:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:advanced_workgroup:*:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:workgroup:*:*:*
  • OR cpe:/a:ibm:db2_connect:9.7:*:*:*:application_server:*:*:*
  • OR cpe:/a:ibm:db2_connect:9.7:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2_connect:9.7:*:*:*:unlimited:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.1:*:*:*:application_server:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.1:*:*:*:unlimited:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.5:*:*:*:application_server:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.5:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2_connect:10.5:*:*:*:unlimited:*:*:*
  • OR cpe:/a:ibm:db2_connect:11.1.0.0:*:*:*:application_server:*:*:*
  • OR cpe:/a:ibm:db2_connect:11.1.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:db2_connect:11.1.0.0:*:*:*:unlimited:*:*:*
  • AND
  • cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm data server client -
    ibm data server driver for odbc and cli -
    ibm data server driver package -
    ibm data server runtime client -
    ibm db2 9.7
    ibm db2 9.7
    ibm db2 9.7
    ibm db2 9.7
    ibm db2 9.7
    ibm db2 10.1
    ibm db2 10.1
    ibm db2 10.1
    ibm db2 10.1
    ibm db2 10.1
    ibm db2 10.5
    ibm db2 10.5
    ibm db2 10.5
    ibm db2 10.5
    ibm db2 10.5
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 connect 9.7
    ibm db2 connect 9.7
    ibm db2 connect 9.7
    ibm db2 connect 10.1
    ibm db2 connect 10.1
    ibm db2 connect 10.1
    ibm db2 connect 10.5
    ibm db2 connect 10.5
    ibm db2 connect 10.5
    ibm db2 connect 11.1.0.0
    ibm db2 connect 11.1.0.0
    ibm db2 connect 11.1.0.0
    linux linux kernel -
    microsoft windows -