VYPR
Unrated severity · NVD Advisory · Published Nov 8, 2014 · Updated May 6, 2026

CVE-2014-6159

Description

IBM DB2 with immediate AUTO_REVAL allows authenticated users to crash the server via a crafted ALTER TABLE statement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IBM DB2 for Linux, UNIX, and Windows contains a denial-of-service vulnerability in the handling of ALTER TABLE statements when the AUTO_REVAL database configuration parameter is set to IMMEDIATE (the default for databases created on 9.7 and later is DEFERRED). A remote authenticated user who holds CONTROL privilege on a target table can execute a specially crafted ALTER TABLE statement that causes the DB2 server to terminate abnormally. Affected versions are DB2 9.7 before Fix Pack 10 (FP10), 9.8 through Fix Pack 5 (FP5), 10.1 through Fix Pack 4 (FP4), and 10.5 through Fix Pack 4 (FP4). The DB2 component bundled with InfoSphere BigInsights Big SQL is affected as well [1][2].

Exploitation

To exploit this vulnerability, an attacker must hold valid credentials to connect to the database and CONTROL privilege on the target table. The attacker then sends the crafted ALTER TABLE statement over an ordinary database connection; no further user interaction is required. CVSS rates the attack complexity as medium (AC:M) because the statement has to be constructed to hit the revalidation path [1].

Impact

Successful exploitation results in a denial of service: the DB2 server crashes and must be restarted. There is no impact on data confidentiality or integrity. The CVSS v2 base score is 6.3 (AV:N/AC:M/Au:S/C:N/I:N/A:C) [1].

Mitigation

IBM has released fixes for the affected versions: DB2 9.7 FP10, 10.1 FP5, and 10.5 FP5. For InfoSphere BigInsights, apply the corresponding DB2 fix pack. As an interim workaround, administrators can set AUTO_REVAL to DEFERRED (the default) so the vulnerable code path is not reached; note that this also changes when dependent objects are revalidated (on next access instead of immediately after invalidation), so confirm that applications tolerate that before relying on it, and treat the fix pack as the actual remedy. No known exploitation in the wild or KEV listing has been reported [1][2].
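The check an administrator would want after reading this, given here as an added example that is not part of the advisory or of IBM's tooling: a POSIX shell script that reads the text printed by `db2level` and by `db2 get db cfg for <dbname>` and reports whether an instance is both inside the affected fix-pack range and running with AUTO_REVAL=IMMEDIATE. The two inputs embedded below are constructed samples written to follow those commands' output format, not captures from a real system; the version ranges are the ones this advisory lists, and the output formats are assumptions that should be checked against your own instance.

```shell
#!/bin/sh
# Added example, not IBM's code or part of the advisory: decide whether a DB2 LUW
# instance is in the affected range for CVE-2014-6159 and whether the AUTO_REVAL
# workaround is in place. Inputs are the text printed by `db2level` and by
# `db2 get db cfg for <dbname>`; the two samples below are CONSTRUCTED to follow
# those commands' output format and were not captured from a real system.

SAMPLE_DB2LEVEL='DB21085I  This instance or install (instance name, where applicable: "db2inst1") uses "64" bits and DB2 code release "SQL10054" with level identifier "0605010E".
Informational tokens are "DB2 v10.5.0.4", "s140509", "IP23570", and Fix Pack "4".
Product is installed at "/opt/ibm/db2/V10.5".'

SAMPLE_DBCFG='       Database Configuration for Database SAMPLE
 Auto-Revalidation                          (AUTO_REVAL) = IMMEDIATE
 Automatic maintenance                      (AUTO_MAINT) = ON'

# Extract "<major>.<minor> <fixpack>" from db2level output, e.g. "10.5 4".
parse_db2level() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"DB2 v\([0-9][0-9]*\.[0-9][0-9]*\)\.[0-9][0-9]*\.[0-9][0-9]*".*/\1/p')
    fp=$(printf '%s\n' "$1" | sed -n 's/.*Fix Pack "\([0-9][0-9]*\)".*/\1/p')
    printf '%s %s\n' "$ver" "$fp"
}

# Affected ranges as stated in the advisory: 9.7 below FP10, 9.8 up to FP5,
# 10.1 up to FP4, 10.5 up to FP4. Returns 0 (true) when the build is affected.
fixpack_affected() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac   # refuse a non-numeric fix pack
    case "$1" in
        9.7)  [ "$2" -lt 10 ] ;;
        9.8)  [ "$2" -le 5 ] ;;
        10.1) [ "$2" -le 4 ] ;;
        10.5) [ "$2" -le 4 ] ;;
        *)    return 1 ;;
    esac
}

# Print the AUTO_REVAL value (IMMEDIATE, DEFERRED, DEFERRED_FORCE or DISABLED)
# from `db2 get db cfg` output.
auto_reval_setting() {
    printf '%s\n' "$1" | sed -n 's/.*(AUTO_REVAL) *= *\([A-Z_][A-Z_]*\).*/\1/p'
}

# Returns 0 when the instance is exposed: affected build AND AUTO_REVAL=IMMEDIATE.
# An affected build with AUTO_REVAL=DEFERRED is still unpatched and still needs
# the fix pack; this only tells you whether the workaround is in place.
exposed() {
    lvl=$(parse_db2level "$1")
    ver=${lvl% *}
    fp=${lvl#* }
    fixpack_affected "$ver" "$fp" && [ "$(auto_reval_setting "$2")" = "IMMEDIATE" ]
}

if exposed "$SAMPLE_DB2LEVEL" "$SAMPLE_DBCFG"; then
    echo "EXPOSED: affected fix pack with AUTO_REVAL=IMMEDIATE."
    echo "Apply the fix pack; as an interim workaround run:"
    echo "  db2 update db cfg for SAMPLE using AUTO_REVAL DEFERRED"
else
    echo "not exposed (unaffected fix pack, or AUTO_REVAL is not IMMEDIATE)"
fi
```

On a live system, run it from a shell with the instance environment sourced and feed the real output, e.g. `exposed "$(db2level)" "$(db2 get db cfg for SAMPLE)"`; the `db2 update db cfg ... using AUTO_REVAL DEFERRED` line it prints is the standard DB2 CLP syntax for the workaround the advisory describes. The script deliberately reports "not exposed" for an affected build whose AUTO_REVAL is already DEFERRED, so it should be read as a workaround check, not as a patch-level check.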

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5

  • IBM / Db2 (5 versions)
    • cpe:2.3:a:ibm:db2:10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.8:*:*:*:*:*:*:*
    • (no CPE) range: 9.7 < FP10; 9.8 <= FP5; 10.1 <= FP4; 10.5 <= FP4

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

10

News mentions

0

No linked articles in our index yet.