Big Blue shoos Db2 blues before rogue staff turn the screws in hijack ruse (translation: patch your IBM databases)

IBM is advising folks this week to check if they should update their Db2 database installations following the discovery of a potentially serious security vulnerability.

Big Blue says that the flaw, designated CVE-2018-1897, is an elevation-of-privilege flaw that, if exploited, would allow a logged-in attacker to execute code and commands as an admin. That's bad news if you have rogue staff, or someone or some malware has been able to get a foothold in your enterprise.

The vulnerability lies in db2pdcfg, a configuration tool that allows administrators to troubleshoot performance problems with the database. If a hacker was able to send the tool a specially crafted command, a buffer overflow would be triggered, potentially leaving the door open for arbitrary code execution.

IBM has issued fixpacks for the Windows, Linux, and Solaris versions of Db2. Depending on the version being run, the updates will be known as V9.7 FP11, V10.1 FP6, or V10.5 FP10.

Discovery and private disclosure of the flaw was credited to researcher Eddie Zhu of Beijing DBSec Technology Co.

Word of the patch comes one day after IBM pushed out a patch for a separate security vulnerability in the AIX and Linux version of Db2.

That hole, CVE-2018-1723, describes a data disclosure flaw in the Spectrum Scale storage system used by Db2 that would potentially allow an unprivileged user with access to a single node the ability to view files that they would normally not have access to.

The vulnerability requires login access to the node, helping to reduce its scope and potential for attack.

IBM says the vulnerability is only present on versions 10.5 and 11.1 of Db2 for AIX and Linux that are also running pureScale. Admins with version 11.1.1 and 11.1.4 can obtain the needed patches for both versions from Big Blue's Fix Central. Those running version 10.5 will need to get a separate eFix package from IBM tech support. ®