Security Bulletin
Summary
Security vulnerabilities have been discovered in DB2®, IBM SDK Java™ Technology Edition, and GNU C Library (glibc) shipped with IBM PureData™ System for Transactions.
Vulnerability Details
DB2 vulnerabilities:
CVE ID: CVE-2014-3094
DESCRIPTION:
DB2 is vulnerable to a stack buffer overflow attack, caused by improper bounds checking in the handling of ALTER MODULE statements. A remote, authenticated user could overflow a buffer and execute arbitrary code with DB2 instance owner privileges or cause the server to crash.
CVSS:
CVSS Base Score: 8.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94260 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVE-ID: CVE-2014-3095
DESCRIPTION:
IBM DB2 contains a denial of service vulnerability. A remote, authenticated user could use a specially-crafted SELECT statement with a subquery containing a UNION to crash the DB2 server and cause a disruption of service.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94263 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:P)
IBM SDK Java vulnerabilities:
CVE ID: CVE-2013-0169
DESCRIPTION:
The TLS (Transport Layer Security) protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-0411
DESCRIPTION:
An unspecified vulnerability related to JSSE (Java Secure Socket Extension) allows remote attackers to affect confidentiality and integrity.
CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
GNU C Library vulnerability:
CVE-ID: CVE-2014-5119
DESCRIPTION:
The GNU C Library (glibc) is vulnerable to a heap-based buffer overflow, caused by an off-by-one error in the __gconv_translit_find() function. By setting the CHARSET environment variable to a malicious value, a local attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with root privileges.
The attack does not require authentication or specialized knowledge and techniques, but local network access is necessary. An exploit would affect the integrity of data, confidentiality of information and the availability of the system.
CVSS:
CVSS Base Score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95044 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
IBM PureData System for Transactions: V1.0
Remediation/Fixes
To obtain a fix for these vulnerabilities, contact IBM Support.
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with IBM Support.
Get Notified about Future Security Bulletins
References
Change History
12 October 2014: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21686147