CVE-2009-1906 - Denial-Of-Service vulnerability in DB2 9.1/9.5
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Summary
The DRDA Services component in IBM DB2 9.1 before FP7 and 9.5 before FP4 allows remote attackers to cause a denial of service (memory corruption and application crash) via an IPv6 address in the correlation token in the APPID string, as demonstrated by an APPID string sent by the third-party DataDirect JDBC driver 3.7.32.
Nessus
NASL family: Databases
NASL id: DB2_9FP7.NASL
description: According to its version, the IBM DB2 server running on the remote host is prior to 9.1 Fix Pack 7. It is, therefore, affected by multiple vulnerabilities:
- In certain situations an INNER JOIN predicate is applied before the OUTER JOIN predicate, which could result in disclosure of sensitive information. (JR31886)
- It may be possible to connect to DB2 servers without valid passwords, provided LDAP-based authentication is used, and the remote LDAP server is configured to allow anonymous binds. (JR32272)
- By connecting to a DB2 server using a third-party DRDA client that uses IPV6 address format of the correlation token, it may be possible to crash the remote DB2 server. (IZ36683)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 36216
published: 2009-04-22
reporter: This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/36216
title: IBM DB2 9.1 < Fix Pack 7 Multiple Vulnerabilities

NASL family: Databases
NASL id: DB2_95FP4.NASL
description: The IBM DB2 database server running on the remote host is prior to 9.5 Fix Pack 4. It is, therefore, affected by multiple issues:
- It may be possible to connect to DB2 servers without valid passwords, provided LDAP-based authentication is used and the remote LDAP server is configured to allow anonymous binds. (JR32268)
- It may be possible to trigger a denial of service condition by sending malicious
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 39007
published: 2009-06-03
reporter: This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/39007
title: IBM DB2 < 9.5 Fix Pack 4 Multiple Vulnerabilities