CVE-2007-6045

Vulnerability

The vulnerability affects DB2WATCH and DB2FREEZE utilities in IBM DB2 Universal Database (UDB) version 9.1 prior to Fixpak 4 [1]. The security advisory (APAR IZ03655) describes the issue as a security vulnerability, but does not disclose the specific nature of the flaw, the affected code path, or any required configurations [1]. The problem is tagged as a HIPER (high-impact pervasive) bug, indicating significant potential severity [1].

Exploitation

No public exploit details are provided in the available references [1][2]. The fix list entry for DB2 Version 9.1 [2] does not elaborate on attack vectors. The advisory notes that the tools are standalone executables, and the recommended local fix is to remove Db2watch and Db2freeze using the rm command [1]. This suggests that an attacker might require some level of local access or the ability to exploit the tools when invoked, but exact prerequisites are unspecified [1].

Impact

The impact is officially described as 'unknown' — no specific confidentiality, integrity, or availability outcome is stated [1][2]. The advisory labels the issue a security vulnerability and a program error, but does not document the consequences of successful exploitation [1]. Given the HIPER classification, the impact could be significant, but no details are available.

Mitigation

IBM fixed the vulnerability in DB2 Version 9.1 Fixpak 4, released in late 2007 [1]. The problem was first fixed in FixPak 4, as noted in the APAR closure [1]. Subsequent fix packs (up to 12) also contain the fix [1]. As a workaround, IBM suggests removing the Db2watch and Db2freeze binaries entirely [1]. No KEV listing is mentioned in the references.