| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.8 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in IBM DB2. The impacted element is an unknown function of the component OLAP Query Engine. Executing a manipulation can lead to denial of service. The identification of this vulnerability is CVE-2013-6717. There is no exploit available. It is advisable to implement a patch to correct this issue.
Details
A vulnerability has been found in IBM DB2 (Database Software) and classified as problematic. This vulnerability affects some unknown functionality of the component OLAP Query Engine. The manipulation with an unknown input leads to a denial of service vulnerability. The CWE definition for the vulnerability is CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. As an impact it is known to affect availability. CVE summarizes:
The OLAP query engine in IBM DB2 and DB2 Connect 9.7 through FP9, 9.8 through FP5, 10.1 through FP3, and 10.5 through FP2, and the DB2 pureScale Feature 9.8 for Enterprise Server Edition, allows remote authenticated users to cause a denial of service (database outage and deactivation) via unspecified vectors.
The weakness was shared 12/14/2013 as Security Bulletin: Executing a query with an OLAP specification causes the DB2 server to terminate database connections. as confirmed bulletin (Website). The advisory is shared for download at www-01.ibm.com. The vendor cooperated in the coordination of the public release. This vulnerability was named CVE-2013-6717 since 11/08/2013. The attack can be initiated remotely. A single authentication is required for exploitation. There are neither technical details nor an exploit publicly available.
The vulnerability scanner Nessus provides a plugin with the ID 71519 (IBM DB2 9.7 < Fix Pack 9 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Databases. The commercial vulnerability scanner Qualys is able to test this issue with plugin 19874 (IBM DB2 Two Denial of Service Vulnerabilities).
Applying the patch OLAP Fix Pack is able to eliminate this problem. The bugfix is ready for download at www-01.ibm.com. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (89116), Tenable (71519), SecurityFocus (BID 64336†), OSVDB (101079†) and Secunia (SA56451†). The entries VDB-6024 and VDB-11523 are related to this item. Once again VulDB remains the best source for vulnerability data.
Affected
- IBM DB2 Express 9.7/10.1/10.5
- IBM DB2 Workgroup Server 9.7/10.1/10.5
- IBM DB2 Enterprise Server 9.7/10.1/10.5
- IBM DB2 Advanced Enterprise Server 9.7/10.1/10.5
- IBM DB2 Advanced Workgroup Server 9.7/10.1/10.5
- IBM DB2 Connect Application Server 9.7/10.1/10.5
- IBM DB2 Connect Enterprise 9.7/10.1/10.5
- IBM DB2 Connect Unlimited for System i 9.7/10.1/10.5
- IBM DB2 Connect Unlimited for System z 9.7/10.1/10.5
- IBM DB2 pureScale Feature for Enterprise Server Edition 9.8
Product
Type
Vendor
Name
Version
- -
- 9.7
- 9.7.0.1
- 9.7.0.2
- 9.7.0.3
- 9.7.0.4
- 9.7.0.5
- 9.7.0.6
- 9.7.0.7
- 9.7.0.8
- 9.7.0.9
- 9.8
- 9.8.0.3
- 9.8.0.4
- 9.8.0.5
- 10.1
- 10.1.0.1
- 10.1.0.2
- 10.1.0.3
- 10.5
- 10.5.0.1
- 10.5.0.2
License
Website
- Vendor: https://www.ibm.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 3.8
VulDB Base Score: 4.3
VulDB Temp Score: 3.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Denial of serviceCWE: CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 71519
Nessus Name: IBM DB2 9.7 < Fix Pack 9 Multiple Vulnerabilities
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: OLAP Fix Pack
Timeline
11/08/2013 🔍12/14/2013 🔍
12/14/2013 🔍
12/14/2013 🔍
12/14/2013 🔍
12/18/2013 🔍
12/19/2013 🔍
12/24/2013 🔍
01/22/2014 🔍
06/04/2021 🔍
Sources
Vendor: ibm.comAdvisory: Security Bulletin: Executing a query with an OLAP specification causes the DB2 server to terminate database connections.
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2013-6717 (🔍)
GCVE (CVE): GCVE-0-2013-6717
GCVE (VulDB): GCVE-100-11524
X-Force: 89116 - IBM DB2 OLAP specification query denial of service, Low Risk
SecurityFocus: 64336
Secunia: 56451 - IBM Smart Analytics System Series DB2 OLAP Query Engine Denial of Service Vulnerability, Less Critical
OSVDB: 101079
Vulnerability Center: 42702 - IBM DB2 and DB2 Connect 9.7, 9.8, 10.1 and 10.5 and pureScale Remote DoS Vulnerability in OLAP Query Engine, Medium
See also: 🔍
Entry
Created: 12/18/2013 11:29Updated: 06/04/2021 12:33
Changes: 12/18/2013 11:29 (78), 05/18/2017 17:18 (3), 06/04/2021 12:26 (4), 06/04/2021 12:33 (1)
Complete: 🔍
Committer:
Cache ID: 216:B39:103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.