Security News > 2020 > August > IBM AI-Powered Data Management Software Subject to Simple Exploit

The IBM Db2 is a family of hybrid data-management products containing artificial intelligence, which can be used to analyze and manage both structured and unstructured data within enterprises.

The lack of explicit memory protections "Allows any local users read-and-write access to that memory area," Trustwave researchers said, in their PoC exploit writeup for the bug, issued on Thursday.

While technically an attacker would need to be local, it's possible to remotely execute such a low-privileged process on a vulnerable machine to trigger an exploit: "Low-privileged processes, running on the same computer as Db2 database, can alter Db2 traces and capture sensitive data - and use that later for subsequent attacks," the researchers explained.

"The console application just reads the shared memory and thus can access Db2 trace information. It can be modified to change the Db2 trace as well. Finally, the attacker needs a low-privileged access to the computer where Db2 server is running."

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms are affected by this latest shared-memory flaw, and users should update to the latest version to fix the issue, the firm said.

News URL

https://threatpost.com/ibm-ai-powered-data-management-software-subject-exploit/158497/