IBM DB2 10.1 Gain Unauthorised Privileges Vulnerability

Summary

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root.

Credit:

The information has been provided by IBM

The original article can be found at:

https://www.ibm.com/support/pages/security-bulletin-ibm®-db2®-vulnerable-privilege-escalation-root-malicious-use-fenced-user-cve-2019-4057

https://exchange.xforce.ibmcloud.com/vulnerabilities/156567


Details

When a DB2 instance is created a “fenced” user is specified to run external stored procedures/user defined functions. Db2 could allow malicious user with access to the Db2 instance owner account to leverage a fenced execution process to execute arbitrary code as root. This vulnerability exists even if fenced stored procedures are not used.

Vulnerable Systems:

IBM DB2 9.7 FP11
IBM DB2 9.7
IBM DB2 11.1.4.4 iFix001
IBM DB2 11.1
IBM DB2 10.5 FP10
IBM DB2 10.5
IBM DB2 10.1 FP6
IBM DB2 10.1

CVE Information:
CVE-2019-4057

Disclosure Timeline:
07/01/2019