IBM released a software patch for a serious security vulnerability in some versions of its DB2 Database, according to the security company that discovered the problems.
If left unaddressed, the new vulnerabilities could enable attackers to run malicious code on vulnerable DB2 systems using the permissions of an administrative (root) account, according to Core Security Technologies Inc. of Boston.
DB2 is a popular relational database that competes with Oracle Corp.'s database and Microsoft Corp.'s SQL Server.
IBM, of Armonk, New York, makes versions of DB2 for a number of operating systems including Unix, Linux, Sun Microsystems Inc.'s Solaris and Microsoft's Windows. DB2 is used by more than 300,000 companies and 60 million users worldwide, according to IBM's Web site.
Buffer overflow vulnerabilities were found in two components of DB2 Version 7.2 for Linux. Those components are accessible to DB2 users, but run with system administrator (root) level permissions, said Ejovi Nuwere, a security engineer at Core.
Attackers would need to know which DB2 components were vulnerable and target them with specially crafted, extra-long commands to trigger the buffer overflow, he said.
Once that was accomplished, the attacker could retain root-level account access and redirect the programs, gaining total control of the DB2 database and the system on which DB2 is running, Nuwere said.
The vulnerabilities cannot be exploited by remote users. Attackers would first need a user account and the ability to connect to DB2 on a corporate intranet to launch an attack, he said.
IBM had a software patch for vulnerable DB2 systems available for download from a company FTP (File Transfer Protocol) site Wednesday.
While not as severe as recent vulnerabilities disclosed by Microsoft [See "Blaster II? Microsoft warns of new security flaws," Sept. 10], the DB2 security holes should be addressed by companies that are using vulnerable versions of the software, according to Core Chief Executive Officer (CEO) Paul Paget.
Representatives of IBM were not immediately available to comment on the vulnerability.