vulnerability in IBM’s Db2 family of data management products that
could potentially allow a local attacker to access sensitive data
and even cause denial of service attacks.
The flaw (CVE-2020-4414[1]), which impacts IBM Db2
V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all
platforms[2], is caused by improper
usage of shared memory, thereby allowing a bad actor to perform
unauthorized actions on the system.
By sending a specially crafted request, an attacker could
exploit this vulnerability to obtain sensitive information or cause
a denial of service, according to the Trustwave SpiderLabs security and
research team, which discovered the issue.
shared memory used by the Db2 trace facility,” SpiderLabs’s Martin
Rakhmanov said. “This allows any local users read and write
access to that memory area. In turn, this allows accessing
critically sensitive data as well as the ability to change how the
trace subsystem functions, resulting in a denial of service
condition in the database.”
IBM released a
patch[4] on June 30 to remediate
the vulnerability.
Db2 trace utility employs to exchange information with the
underlying OS on the system.
The Db2 trace utility is used to record Db2 data and events,
including reporting Db2 system information, collecting data
required for performance analysis and tuning, and capturing a data
access audit trail for security purposes.
Given that the shared memory stores sensitive information, an
attacker with access to the system could create a malicious
application to overwrite the memory dedicated to tracing data
with rogue data.
“This means that an unprivileged local user can abuse this to cause
a denial of service condition simply by writing incorrect data over
that memory section,” Rakhmanov said.
Even more concerning, a low-privileged process running on the
same computer as the Db2 database could alter the Db2 trace, capture
sensitive data, and use the information to carry out other
attacks.
If the flaw sounds familiar, that’s because it’s the same type
of memory leakage vulnerability that impacted Cisco’s WebEx video
conferencing service (CVE-2020-3347[5]) that could allow local
authenticated attackers to get hold of usernames, authentication
tokens, and meeting information.
It’s recommended that Db2 users update their software to the
latest version to mitigate the risk.
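A defender's check for the condition Rakhmanov describes, shared memory that any local user can read or write, as an added example that is not from the article, Trustwave or IBM. It assumes a Linux host and the `/proc/sysvipc/shm` layout of System V shared memory segments; the sample rows are constructed, and the article does not say which shared memory mechanism the Db2 trace facility uses on a given platform.

```python
import os
import stat

# Constructed sample in the layout of Linux /proc/sysvipc/shm
# (not captured from a Db2 host). The perms column is octal.
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid
         0      32768   600     524288  1201  1201      2  1001  1001  1001  1001
1392508928      65537   666    8388608  1430  1502      1  1001  1001  1001  1001
1392508929      65538   640      65536  1430  1430      1  1001  1001  1001  1001
         0      98307  1644    4194304  1610  1610      0  1002  1002  1002  1002
"""

def parse_segments(text):
    """Parse the table by header name so extra trailing columns are tolerated."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    segments = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < len(header):
            continue  # skip truncated rows
        row = dict(zip(header, fields))
        segments.append({
            "shmid": int(row["shmid"]),
            "uid": int(row["uid"]),
            "nattch": int(row["nattch"]),
            "mode": int(row["perms"], 8),  # may carry status flags above 0o777
        })
    return segments

def world_accessible(segments):
    """Return (shmid, access) for segments that 'other' users can read or write."""
    findings = []
    for seg in segments:
        perm = seg["mode"] & 0o777  # drop status flags, keep permission bits
        access = []
        if perm & stat.S_IROTH:
            access.append("read")
        if perm & stat.S_IWOTH:
            access.append("write")
        if access:
            findings.append((seg["shmid"], "+".join(access)))
    return findings

if __name__ == "__main__":
    path = "/proc/sysvipc/shm"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for shmid, access in world_accessible(parse_segments(text)):
        print(f"shmid {shmid}: accessible to any local user ({access})")
```

A segment flagged with write access is the denial of service case described above; read access alone is the information disclosure case.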
References
[1] CVE-2020-4414 (nvd.nist.gov)
[2] editions on all platforms (www.ibm.com)
[3] Martin Rakhmanov (www.trustwave.com)
[4] released a patch (www.ibm.com)
[5] CVE-2020-3347 (www.trustwave.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/Ldg0Cw7znCc/ibm-data-management.html