A vulnerability was found in IBM DB2 9.7/10.1/10.5/11.1 (Database Software). It has been rated as critical. This issue affects an unknown function. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is integrity, and availability. The summary by CVE is:

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-ForceID: 140045.

The bug was discovered 05/22/2018. The weakness was presented 05/25/2018 (Website). It is possible to read the advisory at exchange.xforce.ibmcloud.com. The identification of this vulnerability is CVE-2018-1450 since 12/13/2017. Attacking locally is a requirement. The successful exploitation requires a simple authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 3 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 20100 (IBM DB2 Multiple File Overwrite Vulnerabilities (swg22016181)).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See 118222, 118224 and 118225 for similar entries.

Productinfo

Type

• Database Software

Vendor

• IBM

Name

• DB2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion