DB2 Crack Lets in Attackers Without Database Credentials

By Lisa Vaas Print this article Print

Big Blue promptly fixes flaw—unlike, it tartly says, some big database vendors.

Security researchers have uncovered a critical client/server protocol flaw in IBM's DB2 database.

Imperva's Application Defense Center reported on June 12 that it had discovered the vulnerability—which allows any attacker with network access to the database server to bring it down or to run arbitrary code—in DB2 Version 8.

The flaw's severity is magnified by the fact that an attacker doesn't need database credentials to exploit the weakness, according to Imperva.

Also, due to the fact that this is a network-level flaw, attacks slip by DB2's built-in auditing mechanism.

When requested for comment on the flaw, IBM took the opportunity to thumb its nose at archrival Oracle, whose "Unbreakable" slogan and slow patch times have gotten it into sticky PR situations in the past few years.

"IBM realizes that it is unrealistic to claim that any database is 'unbreakable' and that code—by its very nature—may contain some flaws," IBM engineers relayed in a statement e-mailed by a spokesperson.

"This is why the IBM development teams are continually working with various security entities throughout the industry to evaluate our code and detect any potential problems," IBM's statement continues. "Our engineers then work to quickly address any problems with an immediate patch rather than leaving our customers exposed until the next scheduled Fixpack release."

Read the full story on eWEEK.com: DB2 Crack Lets in Attackers Without Database Credentials

This article was originally published on 2006-06-12
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.