Security Bulletin: IBM solidDB, IBM solidDB Universal Cache Stored Procedure Vulnerability (CVE-2013-3031)

Flash (Alert)


Abstract

An SQL stored procedure that uses named arguments and default parameter values can be used to exploit a defect in the solidDB implementation.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-3031

DESCRIPTION:
If an SQL stored procedure is called with named arguments and some parameters are omitted so that their default values apply, the solidDB server can use uninitialized data as a memory address. This typically causes an abnormal shutdown of the server.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84593 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)


AFFECTED PRODUCTS:
IBM solidDB 6.0 through 6.0.1069
IBM solidDB 6.3 through 6.3.0.10
IBM solidDB 6.5 through 6.5.0.11
IBM solidDB 7.0 through 7.0.0.3


REMEDIATION: The recommended solution is to upgrade the installation to a newer fix pack that includes the fix for this issue.

Fix:

For IBM solidDB 6.0.1069 and earlier:
- Upgrade to version 6.0.1070 or later

For IBM solidDB 6.3.0.55 (Interim Fix 10) and earlier:
- Upgrade to version 6.3.0.56 (Interim Fix 11) or later

For IBM solidDB 6.5.0.11 and earlier:
- Upgrade to version 6.5.0.12 or later

For IBM solidDB 7.0.0.3 and earlier:
- Upgrade to version 7.0.0.4 or later

First release with fix       APAR      Fix list/download URLs
6.0.1070                     IC94044   IBM solidDB 6.0 downloads
6.3.0.56 (Interim Fix 11)    IC94043   IBM solidDB 6.3 Fix List and downloads
6.5.0.12 (Fix Pack 12)       IC88796   IBM solidDB 6.5 Fix List and downloads
7.0.0.4 (Fix Pack 4)         IC88797   IBM solidDB 7.0 Fix List and downloads
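As an added example (not an IBM tool or part of this bulletin), the following script flags installed solidDB versions against the "first release with fix" thresholds stated above, so an inventory export can be checked for CVE-2013-3031 exposure; the inventory values are constructed.

```python
"""Flag IBM solidDB versions affected by CVE-2013-3031.

Constructed example: the thresholds are taken from the bulletin's
"First release with fix" table, nothing else is assumed about solidDB.
"""
from typing import Dict, List, Optional, Tuple

# Release line (major, minor) -> first version that contains the fix.
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (6, 0): (6, 0, 1070),
    (6, 3): (6, 3, 0, 56),
    (6, 5): (6, 5, 0, 12),
    (7, 0): (7, 0, 0, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.3.0.55' into (6, 3, 0, 55); reject non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a solidDB version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> Dict[str, Optional[str]]:
    """Classify one installed version as 'vulnerable', 'fixed' or 'unlisted'.

    'unlisted' means the release line does not appear in the bulletin at all
    (for example a later major version); 'upgrade_to' names the first fixed
    release when the install is vulnerable.
    """
    v = parse_version(text)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return {"version": text, "status": "unlisted", "upgrade_to": None}
    # Tuple comparison is lexicographic, so a truncated version such as
    # '6.3' sorts before '6.3.0.56' and is treated as pre-fix (the safe reading).
    if v < fixed:
        return {"version": text, "status": "vulnerable",
                "upgrade_to": ".".join(map(str, fixed))}
    return {"version": text, "status": "fixed", "upgrade_to": None}


def report(versions: List[str]) -> List[Dict[str, Optional[str]]]:
    """Assess every version in an inventory list."""
    return [assess(v) for v in versions]


if __name__ == "__main__":
    # Constructed inventory of installed versions, not real hosts.
    inventory = ["6.0.1069", "6.0.1070", "6.3.0.55", "6.5.0.12", "7.0.0.3", "8.0.0.1"]
    for r in report(inventory):
        print(f"{r['version']:>10}  {r['status']:<10}  {r['upgrade_to'] or '-'}")
```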



Workaround:
None known; apply fixes.

Mitigation:
None known.

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database - 84593
· CVE-2013-3031

CHANGE HISTORY:

August 23, 2013: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: IBM solidDB
Software version: 6.0, 6.3, 6.5, 7.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1643599
Modified date: 2013-08-23
