Imperva Discovers Critical Buffer Overrun Vulnerability in IBM DB2 Database.


Application Defense Center Submitted Client-Server Protocol Flaw to IBM; Fixpack Patch Released

WHO:      Imperva Application Defense Center (ADC)

WHAT: Discovered a client-server protocol vulnerability in IBM DB2
    version 8 databases that enables any attacker with network access
    to the database server to take down or even run arbitrary code on
    the server's machine. The severity of this flaw is magnified by
    the fact that it does not require database credentials in order to
    be exploited. In addition, since this is a network level flaw,
    attacks elude DB2's built-in auditing mechanism. IBM released
    Fixpack 12 on May 12th which addresses this and other
    vulnerabilities. The Imperva SecureSphere Database Security
    Gateway automatically protects IBM DB2 version 8 databases
    against this vulnerability. These protection capabilities are
    outlined in the Imperva Security Advisory entitled "DB2 RDBMS -
    Critical Buffer Overrun Vulnerability".

WHERE: The IBM Authorized Program Analysis Report (APAR) IY84096 which
    documents this software defect as well as the corresponding
    Fixpack are located at:
    http://www-1.ibm.com/support/docview.wss?uid=swg1IY84096

    The Imperva Security Advisory is available at:
    http://www.imperva.com/application_defense_center/papers/ibm-dbms-05052006.html

WHEN: IBM released APAR IY84096 on May 30th, 2006.

HOW: ADC conducts ongoing research into database security issues, and
    discovered this vulnerability as part of its inspection of
    database access protocols. ADC's research findings are used to
    enhance the SecureSphere product line with next generation attack
    detection and protection features.


About Imperva

Imperva is the leader in data security for the data center. The award-winning SecureSphere product line provides data security, auditing, and regulatory compliance for sensitive financial and identity data in corporate data centers. SecureSphere monitors and audits database activity as well as protects databases against insider abuse and external data theft via web applications. Deployment requires no changes to existing infrastructure and no manual tuning. Imperva SecureSphere is deployed in leading financial, healthcare, and retail organizations around the globe. Led by Shlomo Kramer, a Check Point Software Technologies founder, Imperva is privately funded by Accel Partners, Greylock Partners, US Venture Partners, and Venrock Associates.

About the Imperva Application Defense Center

Imperva's Application Defense Center (ADC) is a research and professional services organization dedicated to building the most advanced application security knowledge base in the world. The ADC has over 20 years combined experience in application and database security research. ADC research combines extensive lab work with hands-on practice in real world environments. ADC findings include the discovery of over 50 commercial application vulnerabilities of which 18 have been published.
COPYRIGHT 2006 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:Business Wire
Date:Jun 12, 2006