Vulnerability in IBM DB2 could allow an authenticated user, without proper authorization, to view, modify and delete any file.
CVE ID: CVE-2012-3324
The IBM DB2 products listed below contain a security vulnerability that could
allow an authenticated user, without proper authority, to view, modify and delete any file.
The UTL_FILE module contains a security vulnerability that permits the routines within to view, modify and delete a file beyond the intended directory. The vulnerability is applicable to DB2 servers running on Windows, only.
UTL_FILE is a built-in module containing routines used by DB2 applications to access files located at the DB2 server. By design, the files it can operate on are constrained to files in the directory as specified by the first parameter. The vulnerability is in the processing of the file name where the constraint can be circumvented if the file name contains directory paths.
The privilege to execute the routines in UTL_FILE is by default, not granted to PUBLIC. Hence, a general user (PUBLIC) that has not been directly or indirectly granted any privileges will not be able to execute any routines in UTL_FILE directly. However, applications and stored procedures that make use of UTL_FILE are vulnerable if it accepts user input and the input value is passed directly to routines in UTL_FILE.
CVSS Base Score: 8.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77924 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
The vulnerability only affects IBM DB2 V10.1 on Windows. AIX, Linux, Solaris and HP are not affected. The following IBM DB2 V10.1 editions running on Windows are affected:
IBM® DB2® 10.1 Express Edition
IBM® DB2® 10.1 Workgroup Server Edition
IBM® DB2® 10.1 Enterprise Server Edition
IBM® DB2® 10.1 Advanced Enterprise Server Edition
IBM® DB2® Connect™ 10.1 Application Server Edition
IBM® DB2® Connect™ 10.1 Enterprise Edition
IBM® DB2® Connect™ 10.1 Unlimited Edition for System i®
IBM® DB2® Connect™ 10.1 Unlimited Edition for System z®
NOTE: The DB2 Connect products mentioned are affected only if a local database has been created.
The recommended solution is to apply the appropriate fix for this vulnerability. Mitigation is also available.
The fix for this vulnerability is available for download for DB2 release V10.1 Fix Pack 1.
None known; apply fixes
The privilege to execute routines in UTL_FILE are by default, not granted to PUBLIC. Hence, a general user (PUBLIC) that has not been directly or indirectly granted any privileges will not be able to execute any routine in UTL_FILE directly. However, applications and stored procedures that make use of UTL_FILE are vulnerable if it accepts user input and the input value is passed directly to routines in UTL_FILE.
To control who has EXECUTE privilege, revoke EXECUTE privilege from PUBLIC if it has been granted and only grant it to users who needs it. As well, review applications and ensure user input are not passed directly to routines in UTL_FILE and ensure the file names are not qualified with any paths.
To obtain more information on the REVOKE routine privileges statement, see the following:
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
16 June 2018