The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Db2 | Ibm | * | 8.0 (including) |
| Db2 | Ibm | * | 9.1 (including) |
| Db2 | Ibm | * | 9.5 (including) |
| Db2 | Ibm | 8.0-fix_pack15 (including) | 8.0-fix_pack15 (including) |
| Db2 | Ibm | 8.0-fp1 (including) | 8.0-fp1 (including) |
| Db2 | Ibm | 8.0-fp10 (including) | 8.0-fp10 (including) |
| Db2 | Ibm | 8.0-fp11 (including) | 8.0-fp11 (including) |
| Db2 | Ibm | 8.0-fp12 (including) | 8.0-fp12 (including) |
| Db2 | Ibm | 8.0-fp13 (including) | 8.0-fp13 (including) |
| Db2 | Ibm | 8.0-fp14 (including) | 8.0-fp14 (including) |
| Db2 | Ibm | 8.0-fp15 (including) | 8.0-fp15 (including) |
| Db2 | Ibm | 9.1-fp1 (including) | 9.1-fp1 (including) |
| Db2 | Ibm | 9.1-fp2 (including) | 9.1-fp2 (including) |
| Db2 | Ibm | 9.1-fp3 (including) | 9.1-fp3 (including) |
| Db2 | Ibm | 9.1-fp3a (including) | 9.1-fp3a (including) |
| Db2 | Ibm | 9.1-fp4a (including) | 9.1-fp4a (including) |
| Db2 | Ibm | 9.5-fp2 (including) | 9.5-fp2 (including) |
| Db2 | Ibm | 9.5-fp3 (including) | 9.5-fp3 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT
- http://secunia.com/advisories/31787
- http://secunia.com/advisories/35235
- http://securitytracker.com/id?1022319
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR32268
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR32272
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR32273
- http://www-01.ibm.com/support/docview.wss?uid=swg21293566
- http://www-01.ibm.com/support/docview.wss?uid=swg21318189
- http://www-01.ibm.com/support/docview.wss?uid=swg21386689
- http://www.securityfocus.com/bid/35171
- http://www.securityfocus.com/bid/36540
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50909
- ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT
- http://secunia.com/advisories/31787
- http://secunia.com/advisories/35235
- http://securitytracker.com/id?1022319
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR32268
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR32272
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR32273
- http://www-01.ibm.com/support/docview.wss?uid=swg21293566
- http://www-01.ibm.com/support/docview.wss?uid=swg21318189
- http://www-01.ibm.com/support/docview.wss?uid=swg21386689
- http://www.securityfocus.com/bid/35171
- http://www.securityfocus.com/bid/36540
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50909