IDG News Service - IBM has released a software patch for a serious security vulnerability in some versions of its DB2 database, according to the security company that discovered the problems.
If left unaddressed, the vulnerability could enable attackers to run malicious code on DB2 systems using the permissions of an administrative (root) account, according to Core Security Technologies Inc. in Boston.
DB2 is a popular relational database that competes with databases from Oracle Corp. and Microsoft Corp.'s SQL Server. Representatives of IBM weren't immediately available to comment.
IBM makes versions of DB2 for a number of operating systems, including Unix, Linux, Solaris and Windows. DB2 is used by more than 300,000 companies and 60 million users worldwide, according to IBM's Web site.
Buffer-overflow vulnerabilities were found in two components of DB2 Version 7.2 for Linux. Those components are accessible to DB2 users, but they run with root-level permissions, said Ejovi Nuwere, a security engineer at Core.
Attackers would need to know which DB2 components were vulnerable and target them with specially crafted, extra long commands to trigger the buffer overflow, he said.
Once that was accomplished, the attacker could retain the root-level account access and redirect the programs, gaining total control of the DB2 database and the system on which DB2 is running, Nuwere said.
The vulnerabilities aren't accessible to remote users. Attackers would first need to be able to connect to DB2 on a corporate intranet with a user account to launch an attack, he said.
IBM had a software patch for vulnerable DB2 systems available for download yesterday.
Although not as severe as vulnerabilities recently disclosed by Microsoft, the DB2 security holes should be addressed by companies that are using vulnerable versions of the software, said Core CEO Paul Paget.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
