Users of IBM Db2 data management software are being warned of a shared-memory vulnerability that could allow an attacker to gain read and write access and perform unauthorized actions on a targeted system.
Discovered by security researcher Martin Rakhmanov at Trustwave, who revealed the details today, the issue affects IBM Db2 versions for Linux, Unix and Windows (9.7, 10.1, 10.5, 11.1, 11.5). The vulnerability stems from the platform’s developers forgetting to put explicit memory protections around the shared memory used by the Db2 trace facility.
IBM released a patch for the vulnerability in June, but as with all security-related vulnerabilities, the concern is that not every user will have installed the patch. Trustwave is advising all IBM Db2 customers to update the software as soon as possible.
The Db2 trace facility allows users to isolate data points by monitoring selected parameters. It provides a log of control-flow information, including the functions called and their associated parameter values, which is helpful for technical support, but the same data can also be used for nefarious purposes by a hacker who gains access to it.
The lack of protection, allowing an attacker to gain read/write access, opens the door to critically sensitive data as well as the ability to change how the trace subsystem functions, allowing for a denial of service condition for the database. “This means that an unprivileged local user can abuse this to cause a denial of service condition simply by writing incorrect data over that memory section,” Rakhmanov noted.
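The weakness described above is a missing access restriction on a shared memory region, so the first thing a defender wants is a way to spot segments that anyone on the host can read or write. The following audit script is an added example written for this article; it is not code from Trustwave, IBM or Db2, and it does not know which segments belong to the trace facility. It parses the text format of Linux `ipcs -m` (System V segments, used here purely as an illustration of the permission check) and flags every segment whose mode bits grant access beyond the owner. The sample output embedded in the block is constructed; the owner names, ids and sizes are made up.

```python
"""Flag System V shared-memory segments that are readable or writable beyond their owner.

Added example for auditing shared-memory permissions; not part of the original article
and not Db2 code. Parses the text produced by Linux `ipcs -m`.
"""
import sys
from dataclasses import dataclass

# Constructed sample in the layout of `ipcs -m`; names and numbers are invented.
SAMPLE_IPCS_OUTPUT = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      db2inst1   600        4194304    2
0x00000000 98305      db2inst1   666        1048576    1
0x0001cafe 131074     root       644        65536      3
"""

OTHER_READ = 0o004   # mode bit: any local user may attach read-only
OTHER_WRITE = 0o002  # mode bit: any local user may attach read/write
GROUP_WRITE = 0o020  # mode bit: members of the owning group may write


@dataclass
class ShmSegment:
    shmid: int
    owner: str
    perms: int   # octal mode bits as an int, e.g. 0o666
    size: int
    nattch: int  # number of processes currently attached


def parse_ipcs(output: str) -> list[ShmSegment]:
    """Turn `ipcs -m` text into ShmSegment records, skipping headers and separators."""
    segments = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows begin with a hex key; anything else is a heading or a blank line.
        if len(fields) < 6 or not fields[0].startswith("0x"):
            continue
        segments.append(ShmSegment(
            shmid=int(fields[1]),
            owner=fields[2],
            perms=int(fields[3], 8),   # ipcs prints the mode in octal
            size=int(fields[4]),
            nattch=int(fields[5]),
        ))
    return segments


def find_exposed(segments: list[ShmSegment]) -> list[tuple[int, str]]:
    """Return (shmid, reason) for every segment accessible beyond its owner.

    A world-writable segment is the condition the article describes: any
    unprivileged local user can overwrite it. World-readable and
    group-writable segments are reported as weaker, but still relevant, findings.
    """
    findings = []
    for seg in segments:
        reasons = []
        if seg.perms & OTHER_WRITE:
            reasons.append("world-writable")
        elif seg.perms & OTHER_READ:
            reasons.append("world-readable")
        if seg.perms & GROUP_WRITE:
            reasons.append("group-writable")
        if reasons:
            findings.append((seg.shmid, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Pipe real output in (`ipcs -m | python3 shm_audit.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCS_OUTPUT
    for shmid, reason in find_exposed(parse_ipcs(text)):
        print(f"shmid {shmid}: {reason}")
```

On a patched system the expected result for the database's own segments is that only the instance owner (and, where the vendor documents it, its group) has access; any segment the audit reports as world-writable is worth tracing back to the owning process with `nattch` and the owner column before deciding whether it is expected.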
International Business Machines Corp. developers are not alone in having overlooked putting explicit memory protections around shared memory. Cisco Systems Inc.’s WebEx service was also found to have a similar issue in June. In that case, attackers could exploit the vulnerability to hijack WebEx accounts, allowing them to log in to those accounts, download recordings and view or edit meetings.