Multiple IBM DB2 Products CVE-2014-8910 File Disclosure Vulnerability

Multiple IBM DB2 products are prone to a file-disclosure vulnerability.

An attacker can exploit this issue to read arbitrary files on the system, that may aid in further attacks.

Information

Bugtraq ID: 75949
Class: Input Validation Error
CVE: CVE-2014-8910

Remote: Yes
Local: No
Published: Jul 20 2015 12:00AM
Updated: Sep 26 2018 07:00AM
Credit: The vendor reported this issue.
Vulnerable: IBM DB2 Workgroup Server Edition 9.7
IBM DB2 Express Edition 9.7
IBM DB2 Express Edition 10.5
IBM DB2 Express Edition 10.1
IBM DB2 Enterprise Server Edition 9.7
IBM DB2 Enterprise Server Edition 10.5
IBM DB2 Enterprise Server Edition 10.1
IBM DB2 Connect Unlimited Edition for System z 9.7
IBM DB2 Connect Unlimited Edition for System z 10.5
IBM DB2 Connect Unlimited Edition for System z 10.1
IBM DB2 Connect Unlimited Edition for System i 9.7
IBM DB2 Connect Unlimited Edition for System i 10.5
IBM DB2 Connect Unlimited Edition for System i 10.1
IBM DB2 Connect Enterprise Edition 9.7
IBM DB2 Connect Enterprise Edition 10.5
IBM DB2 Connect Enterprise Edition 10.1
IBM DB2 Connect Application Server Edition 9.7
IBM DB2 Connect Application Server Edition 10.5
IBM DB2 Connect Application Server Edition 10.1
IBM DB2 Advanced Workgroup Server Edition 9.7
IBM DB2 Advanced Workgroup Server Edition 10.5
IBM DB2 Advanced Workgroup Server Edition 10.1
IBM DB2 Advanced Enterprise Server Edition 9.7
IBM DB2 Advanced Enterprise Server Edition 10.5
IBM DB2 Advanced Enterprise Server Edition 10.1
IBM DB2 Workgroup Server Edition 10.5
IBM DB2 Workgroup Server Edition 10.1

Not Vulnerable: IBM DB2 Workgroup Server Edition 9.7 FP11
IBM DB2 Workgroup Server Edition 10.5 FP6
IBM DB2 Express Edition 9.7 FP11
IBM DB2 Express Edition 10.5 FP6
IBM DB2 Enterprise Server Edition 9.7 FP11
IBM DB2 Enterprise Server Edition 10.5 FP6
IBM DB2 Connect Unlimited Edition for System z 9.7 FP11
IBM DB2 Connect Unlimited Edition for System z 10.5 FP6
IBM DB2 Connect Unlimited Edition for System z 10.1 FP5
IBM DB2 Connect Unlimited Edition for System i 9.7 FP11
IBM DB2 Connect Unlimited Edition for System i 10.5 FP6
IBM DB2 Connect Unlimited Edition for System i 10.1 FP5
IBM DB2 Connect Enterprise Edition 9.7 FP11
IBM DB2 Connect Enterprise Edition 10.5 FP6
IBM DB2 Connect Enterprise Edition 10.1 FP5
IBM DB2 Connect Application Server Edition 9.7 FP11
IBM DB2 Connect Application Server Edition 10.5 FP6
IBM DB2 Connect Application Server Edition 10.1 FP5
IBM DB2 Advanced Workgroup Server Edition 9.7 FP11
IBM DB2 Advanced Workgroup Server Edition 10.5 FP6
IBM DB2 Advanced Enterprise Server Edition 9.7 FP11
IBM DB2 Advanced Enterprise Server Edition 10.5 FP6
IBM DB2 Workgroup Server Edition 10.1 FP5
IBM DB2 Express Edition 10.1 FP5
IBM DB2 Enterprise Server Edition 10.1 FP5
IBM DB2 Advanced Workgroup Server Edition 10.1 FP5
IBM DB2 Advanced Enterprise Server Edition 10.1 FP5

Exploit

Attackers can use readily available network tools to exploit this issue.

References:

• IBM DB2 Homepage (IBM)
  
• IT06354: SECURITY: IBM DB2 contains a file disclosure vulnerability using a SELE (IBM)
  
• Security Bulletin: IBM DB2 contains a file disclosure vulnerability using a SELE (IBM)
  

Source: www.securityfocus.com