Shared memory vulnerability in IBM's Db2 database could let nefarious insiders wreak havoc – so get patching
2020-08-21 13:38

Security firm Trustwave said the shared memory vulnerability in Db2 - CVE-2020-4414 - was similar to the problems found with Cisco's Webex in June.

According to Trustwave, "Only Db2 for LUW is affected. Db2 for other platforms like IBM mainframes and z/OS are unaffected."

The Db2 trace facility could allow any local user to gain read and write access to a shared memory area because the developers had not included explicit memory protections around that function, Trustwave said.

The Db2 trace facility captures a log of control flow information - such as functions and associated parameter values - and is used by Db2 tech support to diagnose database problems.
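The underlying weakness (CWE-732, a shared memory segment created without restrictive permissions) is something an administrator can look for on any Linux or UNIX host with System V IPC, independent of Db2. The script below is an added example, not code from the original article, from Trustwave or from IBM: it parses the output of `ipcs -m` (util-linux layout; the sample rows, owner names and sizes are constructed for illustration) and flags every segment whose mode grants read or write access beyond its owner. It does not detect CVE-2020-4414 itself; whether the trace facility's segments exist at all depends on whether tracing is running, so a clean result does not prove the fix pack is installed. Check the Db2 fix pack level for that.

```python
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `ipcs -m` output in the Linux util-linux layout. It is
# not captured from a real Db2 host; owners, keys and sizes are made up.
SAMPLE_IPCS_OUTPUT = """\

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      db2inst1   600        4194304    1
0x0a1b2c3d 65537      db2inst1   666        268435456  3
0x00000000 98306      root       644        65536      2          dest
"""


@dataclass
class ShmSegment:
    key: str
    shmid: int
    owner: str
    mode: int      # permission bits as an integer, e.g. 0o666
    nbytes: int
    nattch: int
    status: str


def parse_ipcs(text: str) -> List[ShmSegment]:
    """Parse the segment rows of `ipcs -m`; header and blank lines are skipped."""
    segments = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex key; everything else is decoration.
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        key, shmid, owner, perms, nbytes, nattch = parts[:6]
        status = parts[6] if len(parts) > 6 else ""
        segments.append(ShmSegment(key, int(shmid), owner, int(perms, 8),
                                   int(nbytes), int(nattch), status))
    return segments


def describe_exposure(mode: int) -> Optional[str]:
    """Return why a mode is risky for a segment holding sensitive data, or None.

    The mode uses the usual rwx layout; ipcs never reports execute bits, so
    only the read (4) and write (2) bits of the 'other' and 'group' classes
    matter. The 'other' bits are the ones that let any local user in.
    """
    problems = []
    if mode & 0o002:
        problems.append("world-writable")
    if mode & 0o004:
        problems.append("world-readable")
    if mode & 0o020:
        problems.append("group-writable")
    return ", ".join(problems) or None


def find_exposed(segments: List[ShmSegment]) -> List[Tuple[ShmSegment, str]]:
    """Pair each segment whose mode grants access beyond its owner with the reason."""
    findings = []
    for seg in segments:
        reason = describe_exposure(seg.mode)
        if reason:
            findings.append((seg, reason))
    return findings


def audit_live() -> List[Tuple[ShmSegment, str]]:
    """Run `ipcs -m` on this host (Linux/util-linux) and report exposed segments."""
    out = subprocess.run(["ipcs", "-m"], capture_output=True,
                         text=True, check=True).stdout
    return find_exposed(parse_ipcs(out))


if __name__ == "__main__":
    for seg, reason in find_exposed(parse_ipcs(SAMPLE_IPCS_OUTPUT)):
        print(f"shmid {seg.shmid} owner {seg.owner} mode {seg.mode:03o}: {reason}")
```

Run it as-is to see the constructed sample scored, or call `audit_live()` as the Db2 instance owner on a real host. A world-writable segment owned by the instance user is the pattern worth investigating, since any local account could then tamper with what the database process reads from it; a group-writable one is only a problem if the group contains accounts that should not have that access.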

IBM has not responded to The Register's request for comment, but its own posting said: "Db2 could allow a local attacker to perform unauthorized actions on the system, caused by improper usage of shared memory. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service."


News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/21/ibm_db2_shared_memory_flaw/

Related Vulnerability

Date: 2020-07-01
CVE: CVE-2020-4414
Title: Incorrect Permission Assignment for Critical Resource vulnerability in IBM DB2
Description: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local attacker to perform unauthorized actions on the system, caused by improper usage of shared memory.
Attack vector: local
Attack complexity: low
Vendor: ibm
Weakness: CWE-732
Risk score: 3.6