CVE-2007-6051

Vulnerability

IBM DB2 Universal Database (UDB) version 9.1 prior to FixPak 4 assigns incorrect privileges to the DB2ADMNS and DB2USERS alternative groups [1]. The exact nature of the privilege misassignment is not detailed in available references, but the vendor description confirms that the groups receive permissions that differ from those intended, potentially granting unauthorized capabilities to members of these groups [1].

Exploitation

Exploitation prerequisites and the specific sequence of steps required to leverage the incorrect privilege assignment are not disclosed in the available references [1]. The vulnerability exists in the privilege assignment logic during or after the initial setup of alternative groups, which may be exploited by any user who is a member of the DB2ADMNS or DB2USERS groups [1].

Impact

The impact of the incorrect privilege assignment is unknown, as the vendor description is too vague to confirm it is security-related [1]. However, if the assigned privileges are excessive, members of these groups could gain unintended access to database objects or administrative functions, potentially leading to information disclosure or unauthorized modifications [1]. The scope is limited to systems where these alternative groups are defined [1].

Mitigation

The vulnerability is fixed in DB2 UDB version 9.1 FixPak 4 (9.1.0.4) [1]. Organizations should upgrade to FixPak 4 or later to ensure correct privilege assignment for the DB2ADMNS and DB2USERS groups [1]. No workaround is documented in the available references [1].