IBM Support

Security Bulletin: DB2 Escalation of Privilege Vulnerability (CVE-2011-4061)

Flash (Alert)


Abstract

The IBM Tivoli Monitoring Agent shipped with IBM DB2 V9.5 and V9.7 products contains an escalation of privilege vulnerability.

Content

VULNERABILITY DETAILS
CVE ID: CVE-2011-4061

DESCRIPTION:

The IBM DB2 products listed below bundle IBM Tivoli Monitoring Agent (ITMA), provided for users of the IBM Data Studio Administrative Console product. ITMA is intended to be used with DB2 only for supplying monitoring information to the IBM Data Studio Administrative Console monitoring feature. There is a vulnerability in ITMA that a local user can exploit to gain escalated privilege. The vulnerability exists in ITMA for certain DB2 products/editions on the specified UNIX and Linux operating platforms, but not on DB2 for Windows.

CVSS:
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/68354 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

The following IBM DB2 V9.5 and V9.7 editions running on AIX, Linux, HP-UX and Solaris:

IBM® DB2® 9.7 Express Edition
IBM® DB2® 9.7 Workgroup Server Edition
IBM® DB2® 9.7 Enterprise Server Edition
IBM® DB2® 9.7 Advanced Enterprise Server Edition
IBM® DB2® Connect™ 9.7 Application Server Edition
IBM® DB2® Connect™ 9.7 Enterprise Edition
IBM® DB2® Connect™ 9.7 Unlimited Edition for System i®
IBM® DB2® Connect™ 9.7 Unlimited Edition for System z®


IBM® DB2® 9.5 Express Edition
IBM® DB2® 9.5 Workgroup Server Edition
IBM® DB2® 9.5 Enterprise Server Edition
IBM® DB2® 9.5 Advanced Enterprise Server Edition
IBM® DB2® Connect™ 9.5 Application Server Edition
IBM® DB2® Connect™ 9.5 Enterprise Edition
IBM® DB2® Connect™ 9.5 Unlimited Edition for System i®
IBM® DB2® Connect™ 9.5 Unlimited Edition for System z®


REMEDIATION: The currently recommended interim solution is to follow the workaround and/or the mitigation steps described below. When a fix becomes available, apply the appropriate fix.

Fix:
Fixes for this vulnerability are planned to be made available in future fix packs of DB2 releases V9.5 and V9.7.

Workaround:

The workaround is to remove the SUID (set-user-ID) bit from the executable kbbacf1. The impact of the change is that logging in to the service console will no longer be possible, because authentication will fail unless ITMA is run as root.

First, verify whether the fix is necessary. As root, issue the following command from DB2_DIR/itma:

find . -type f -name kbbacf1 -exec ls -l {} \;

No fix is necessary if the SUID bit is not set. If the output shows the SUID bit set (an "s" in the owner execute position, similar to the following), you will need to apply the fix:

-rwsr-xr-x 1 root root 8558 Nov  3 20:03 ./tmaitm6/lx8266/bin/kbbacf1

To apply the fix, follow this procedure:

1. Change to the directory given by the find command (e.g. tmaitm6/lx8266/bin)
2. Issue the following command as root to remove the SUID bit from kbbacf1:

chmod 0755 kbbacf1
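As an added example (not part of the IBM bulletin), the following POSIX shell script automates the check and the workaround above: it locates every kbbacf1 under a given itma directory that still carries the SUID bit (using find's -perm -4000 instead of reading ls output by eye), clears the bit with chmod u-s (equivalent to the bulletin's chmod 0755 for the 4755 mode shown), and verifies that no SUID copy remains. The function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM's code: audit and clear the SUID bit on kbbacf1
# under an ITMA install tree (DB2_DIR/itma/.../bin/kbbacf1 per the bulletin).
# Run as root against the real tree; it is safe to run on a copy for testing.

# Print the path of every SUID kbbacf1 under $1 (the itma directory).
# Exit status 0 if at least one was found, 1 otherwise.
find_setuid_kbbacf1() {
    itma_dir=$1
    # -perm -4000 matches files that have the set-user-ID bit, whatever
    # the other mode bits are, so the check does not depend on ls formatting.
    found=$(find "$itma_dir" -type f -name kbbacf1 -perm -4000 2>/dev/null)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Clear the SUID bit on one file and verify the result. Returns 0 only if
# the bit is gone afterwards. chmod u-s leaves the other mode bits as they
# are (for the bulletin's -rwsr-xr-x file this yields 0755, as chmod 0755 would).
clear_setuid() {
    f=$1
    chmod u-s "$f" || return 1
    [ ! -u "$f" ]
}

# Apply the workaround to every SUID kbbacf1 under the given itma directory.
# Shows the before-state of each file (as the bulletin's ls -l check does),
# clears the bit, and returns 0 only when no SUID kbbacf1 remains.
remediate_itma() {
    itma_dir=$1
    find_setuid_kbbacf1 "$itma_dir" | while IFS= read -r f; do
        ls -l "$f"
        clear_setuid "$f" && printf 'cleared SUID bit on %s\n' "$f"
    done
    ! find_setuid_kbbacf1 "$itma_dir" >/dev/null
}
```

Usage: remediate_itma "$DB2_DIR/itma"; a non-zero exit status means a SUID copy is still present and should be inspected by hand.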


Mitigation:
DB2 installs ITMA by default. However, ITMA is not required unless you are using IBM Data Studio Administrative Console to monitor DB2. If you are not using ITMA for this purpose, you can uninstall it to mitigate the vulnerability. Refer to the following links for the uninstall information:

V9.7:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=/com.ibm.db2.luw.qb.server.doc/doc/t0054822.html

V9.5:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/index.jsp?topic=/com.ibm.db2.luw.qb.server.doc/doc/t0054822.html


REFERENCES:
· Complete CVSS v2 Guide
· On-line Calculator V2
· X-Force Vulnerability Database - IBM DB2 DT_RPATH code execution
· CVE-2011-4061

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS

Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.


Cross reference information
Segment: Information Management
Product: DB2 Connect
Component: (not specified)
Platform: (not specified)
Version: 9.7, 9.5
Edition: (not specified)

Document information

More support for: DB2 for Linux, UNIX and Windows
3rd Party Tools - Tivoli

Software version: 9.5, 9.7

Operating system(s): AIX, HP-UX, Linux, Solaris

Software edition: Advanced Enterprise Server, Enterprise Server, Express, Workgroup Server

Reference #: 1576372

Modified date: 2015-08-07