CVE-2017-1520
low
CVSS v3
3.7
CVSS v2
4.3
VIR risk
3.7
Description
IBM DB2 9.7, 10,1, 10.5, and 11.1 is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT. IBM X-Force ID: 129830.
Predictions
Exploit likelihood
47%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@us.ibm.com — https://exchange.xforce.ibmcloud.com/vulnerabilities/129830
Vendor advisory: psirt@us.ibm.com — http://www.ibm.com/support/docview.wss?uid=swg22007186
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| linux-kernel | - | not-affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ibm | db2 | 9.7 | |
| ibm | db2 | 9.7.0.1 | |
| ibm | db2 | 9.7.0.2 | |
| ibm | db2 | 9.7.0.3 | |
| ibm | db2 | 9.7.0.4 | |
| ibm | db2 | 9.7.0.5 | |
| ibm | db2 | 9.7.0.6 | |
| ibm | db2 | 9.7.0.7 | |
| ibm | db2 | 9.7.0.8 | |
| ibm | db2 | 9.7.0.9 | |
| ibm | db2 | 9.7.0.10 | |
| ibm | db2 | 9.7.0.11 | |
| ibm | db2 | 10.1 | |
| ibm | db2 | 10.1.0.1 | |
| ibm | db2 | 10.1.0.2 | |
| ibm | db2 | 10.1.0.3 | |
| ibm | db2 | 10.1.0.4 | |
| ibm | db2 | 10.1.0.5 | |
| ibm | db2 | 10.5 | |
| ibm | db2 | 10.5.0.1 | |
| ibm | db2 | 10.5.0.2 | |
| ibm | db2 | 10.5.0.3 | |
| ibm | db2 | 10.5.0.4 | |
| ibm | db2 | 10.5.0.5 | |
| ibm | db2 | 10.5.0.6 | |
| ibm | db2 | 10.5.0.7 | |
| ibm | db2 | 11.1.0.0 | |
| ibm | db2_connect | 9.7 | |
| ibm | db2_connect | 9.7.0.1 | |
| ibm | db2_connect | 9.7.0.2 | |
| ibm | db2_connect | 9.7.0.3 | |
| ibm | db2_connect | 9.7.0.4 | |
| ibm | db2_connect | 9.7.0.5 | |
| ibm | db2_connect | 9.7.0.6 | |
| ibm | db2_connect | 9.7.0.7 | |
| ibm | db2_connect | 9.7.0.8 | |
| ibm | db2_connect | 9.7.0.9 | |
| ibm | db2_connect | 9.7.0.10 | |
| ibm | db2_connect | 9.7.0.11 | |
| ibm | db2_connect | 10.1 | |
| ibm | db2_connect | 10.1.0.1 | |
| ibm | db2_connect | 10.1.0.2 | |
| ibm | db2_connect | 10.1.0.3 | |
| ibm | db2_connect | 10.1.0.4 | |
| ibm | db2_connect | 10.1.0.5 | |
| ibm | db2_connect | 10.5 | |
| ibm | db2_connect | 10.5.0.1 | |
| ibm | db2_connect | 10.5.0.2 | |
| ibm | db2_connect | 10.5.0.3 | |
| ibm | db2_connect | 10.5.0.4 | |
| ibm | db2_connect | 10.5.0.5 | |
| ibm | db2_connect | 10.5.0.6 | |
| ibm | db2_connect | 10.5.0.7 | |
| ibm | db2_connect | 11.1.0.0 | |
References
- http://www.ibm.com/support/docview.wss?uid=swg22007186
- http://www.securityfocus.com/bid/100684
- http://www.securitytracker.com/id/1039308
- https://exchange.xforce.ibmcloud.com/vulnerabilities/129830
- http://www.ibm.com/support/docview.wss?uid=swg22007186
- http://www.securityfocus.com/bid/100684
- http://www.securitytracker.com/id/1039308
- https://exchange.xforce.ibmcloud.com/vulnerabilities/129830
CWEs
CWE-287
Verify integrity in audit chain (admin only). AS-IS.