UPDATED 22:59 EST / AUGUST 20 2020

SECURITY

Db2 shared memory vulnerability opened door to attackers, but IBM issued a patch

Users of IBM Db2 data management software are being warned of a shared-memory vulnerability that could allow an attacker to gain read and write access and perform unauthorized actions on a targeted system.

Discovered by security researcher Martin Rakhmanov at Trustwave, who revealed the details today, the issue affects IBM Db2 versions for Linux, Unix and Windows (9.7, 10.1, 10.5, 11.1, 11.5). The vulnerability stems from the platform’s developers forgetting to put explicit memory protections around the shared memory used by the Db2 trace facility.

IBM released a patch for the vulnerability in June, but as with all security-related vulnerabilities, the concern is that not every user will have installed the patch. Trustwave is advising all IBM Db2 customers to update the software as soon as possible.

The Db2 trace facility allows users to isolate data points by monitoring selected parameters. While it provides a log of control-flow information, including functions and their associated parameter values, that is helpful for technical support, the same data can also be used for nefarious purposes by a hacker who gains access to it.

Because the shared memory lacks protection, an attacker can gain read/write access to it, which opens the door to critically sensitive data and also makes it possible to change how the trace subsystem functions, creating a denial-of-service condition for the database. “This means that an unprivileged local user can abuse this to cause a denial of service condition simply by writing incorrect data over that memory section,” Rakhmanov noted.
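The root cause described above is a shared-memory segment created without explicit permission bits, so any local account could map it. The following C program is an added illustration, not IBM's or Trustwave's code, of the defensive side: it creates a System V shared-memory segment with owner-only permissions, reads the effective mode back, and flags any segment whose bits grant group or world access. It assumes Linux with System V IPC available and models the trace buffer as a plain 4 KiB segment; the `0666` value is shown only as the weak setting an audit should flag, beside the corrected `0600`.

```c
/* Added example (not Db2 code): create a System V shared-memory segment with
 * explicit, owner-only permissions and verify that no other local user can
 * read or write it. Assumes Linux/glibc with System V IPC enabled. */
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Returns 1 if the permission bits grant any access to group or others
 * (the weak setting described in the article), 0 if only the owner can
 * read or write the segment. */
int perm_allows_others(unsigned int mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Creates a private segment readable and writable only by the owner (0600).
 * Returns the shm id, or -1 on failure. */
int create_private_segment(size_t size)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | S_IRUSR | S_IWUSR);
}

/* Reads back the effective permission bits of an existing segment, masking
 * off kernel status bits such as SHM_DEST. Returns -1 on failure. */
int segment_mode(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) != 0)
        return -1;
    return (int) (ds.shm_perm.mode & 0777);
}

/* Marks the segment for removal once every attached process detaches. */
int remove_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(void)
{
    /* Weak setting: a segment any local user can map read/write. */
    printf("mode 0666 allows others: %d\n", perm_allows_others(0666));
    /* Corrected setting: owner-only access. */
    printf("mode 0600 allows others: %d\n", perm_allows_others(0600));

    int id = create_private_segment(4096);
    if (id < 0) {
        perror("shmget");
        return 1;
    }
    int mode = segment_mode(id);
    printf("created segment %d with mode %04o (others: %d)\n", id, mode,
           perm_allows_others((unsigned int) mode));

    /* Write a constructed marker, standing in for a trace record. */
    char *p = shmat(id, NULL, 0);
    if (p != (char *) -1) {
        strcpy(p, "trace-record");
        shmdt(p);
    }
    remove_segment(id);
    return 0;
}
```

On a running system the same check can be applied to existing segments with `ipcs -m`, whose `perms` column shows the mode bits; any database segment listed with group or world write bits is the condition this article describes.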

International Business Machines Corp. developers are not alone in having overlooked putting explicit memory protections around shared memory. Cisco Systems Inc.’s Webex service was found to have a similar issue in June. In that case, attackers could exploit the vulnerability to hijack Webex accounts, allowing them to log in to those accounts, download recordings and view or edit meetings.
