Shared memory vulnerability in IBM's Db2 database could let nefarious insiders wreak havoc – so get patching
Lack of protections around trace facility gives local users read and write access
A bug-hunter has uncovered a vulnerability in IBM's popular enterprise database which, if left unpatched, could allow a local user to access data and kick off a denial-of-service attack.
According to Trustwave, "Only Db2 for LUW (Linux, Unix, Windows) is affected. Db2 for other platforms like IBM mainframes and z/OS are unaffected."
Martin Rakhmanov, security research manager at Trustwave, said: "Through recent research we've seen the emergence of shared memory vulnerabilities becoming a more common issue."
The Db2 trace facility could allow any local user to gain read and write access to a shared memory area because the developers had not included explicit memory protections around that function, he said. As such, nefarious insiders could exploit the vulnerability.
"This allows accessing critically sensitive data as well as the ability to change how the trace subsystem functions, which could result in a denial of service," Rakhmanov added.
The Db2 trace facility captures a log of control flow information – such as functions and associated parameter values – and is used by Db2 tech support to diagnose database problems.
In his post, Rakhmanov explained that by launching Process Explorer in Windows, for example, users can see there are no permissions guarding shared memory – anyone can read from and write to it. By then enabling Db2 tracing, the users can see what has been written to shared memory. As well as exposing the data, the vulnerability makes it possible to cause a denial-of-service condition "simply by writing incorrect data over that memory section".
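The Process Explorer observation above is Windows-specific; on Linux, a comparable defender-side check is to list System V shared memory segments whose mode grants access to every local user. This is an added example, not code from Trustwave, IBM or this article; it assumes the Linux /proc/sysvipc/shm column layout, the sample rows are constructed, and the article does not say which shared memory mechanism Db2 uses on Linux.

```python
# Added example: flag System V shared memory segments readable or writable
# by "other" users. Column layout follows Linux /proc/sysvipc/shm.
import os

# Constructed sample rows (not taken from any real system).
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      32768   600     524288  1201  1350      2  1001  1001  1001  1001 1600000000 1600000000 1600000000     524288          0
 305419896      32769   666    8388608  1422  1422      1  1001  1001  1001  1001 1600000100          0 1600000100    8388608          0
         0      32770  1644      65536  1500  1501      0  1002  1002  1002  1002 1600000200 1600000300 1600000200      65536          0
"""

def world_accessible(text):
    """Return one dict per segment whose mode grants read or write to 'other'."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    findings = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        # perms is octal; the bits above 0o777 are SHM_DEST / SHM_LOCKED flags.
        mode = int(row["perms"], 8) & 0o777
        other = mode & 0o007
        if other & 0o006:
            findings.append({
                "shmid": int(row["shmid"]),
                "key": int(row["key"]),
                "mode": format(mode, "03o"),
                "owner_uid": int(row["uid"]),
                "attached": int(row["nattch"]),
                "world_read": bool(other & 0o004),
                "world_write": bool(other & 0o002),
            })
    return findings

if __name__ == "__main__":
    path = "/proc/sysvipc/shm"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE  # fall back to the constructed sample off Linux
    for f in world_accessible(text):
        access = "read/write" if f["world_write"] else "read-only"
        print(f"shmid={f['shmid']} mode={f['mode']} uid={f['owner_uid']} "
              f"nattch={f['attached']} world {access}")
```

A segment reported as world read/write matches the condition the article describes: any local account can read what is stored there and overwrite it.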
The vulnerability could potentially affect Db2 editions 9.7, 10.1, 10.5, 11.1, and 11.5. A special build patch was issued by IBM over a month ago, but if you haven't patched, don't delay.
IBM has not responded to The Register's request for comment, but its own posting said: "Db2 could allow a local attacker to perform unauthorized actions on the system, caused by improper usage of shared memory. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service."
Needless to say, Trustwave has recommended Db2 users apply the available patch immediately.
Although lacking the limelight of more modern or cloud-native databases, Db2 still has a loyal userbase including Audi, Japan's Mizuho Bank, and Wells Fargo.
In March, Db2 users on IBM Cloud were hit by an outage lasting several hours. Customers running services hosted at its Dallas data centre – including Watson AI, IBM Cloud, and Db2 – were either partially or completely down.
In 2018, Big Blue issued a notice for CVE-2018-1897, an elevation-of-privilege flaw that, if exploited, could allow a logged-in attacker to execute code and commands as an admin. ®