NVD Vulnerability Detail

CVE-2019-4447

Summary	IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable. A low privileged user can execute arbitrary commands as root by altering the PATH variable to point to a user controlled location. When a crash is induced the trojan gdb command is executed. IBM X-Force ID: 163488.
Publication Date	Aug. 27, 2019, 12:15 a.m.
Registration Date	Jan. 26, 2021, 11:42 a.m.
Last Update	Nov. 21, 2024, 1:43 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1:::::::*
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.1:if2::::::
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.1:if1::::::
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.1:::::::*
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.2:::::::*
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.2:if1::::::
execution environment
1	cpe:2.3:o:linux:linux_kernel:-:::::::*
2	cpe:2.3:o:microsoft:windows:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.ibm.com/support/docview.wss?uid=ibm10964592	Patch Vendor Advisory
2	http://www.ibm.com/support/docview.wss?uid=ibm10964592	Patch Vendor Advisory
3	https://exchange.xforce.ibmcloud.com/vulnerabilities/163488	VDB Entry Vendor Advisory
4	https://exchange.xforce.ibmcloud.com/vulnerabilities/163488	VDB Entry Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-427	制御されていない検索パスの要素	https://cwe.mitre.org/data/definitions/427.html

JVN Vulnerability Information

IBM DB2 High Performance Unload load における認可・権限・アクセス制御に関する脆弱性

Title	IBM DB2 High Performance Unload load における認可・権限・アクセス制御に関する脆弱性
Summary	IBM DB2 High Performance Unload load には、認可・権限・アクセス制御に関する脆弱性が存在します。ベンダは、本脆弱性を IBM X-Force ID: 163488 として公開しています。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 21, 2019, midnight
Registration Date	Sept. 5, 2019, 4:55 p.m.
Last Update	Sept. 5, 2019, 4:55 p.m.

Affected System

IBM

IBM DB2 High Performance Unload 6.1

IBM DB2 High Performance Unload 6.1.0.1

IBM DB2 High Performance Unload 6.1.0.1 IF1

IBM DB2 High Performance Unload 6.1.0.1 IF2

IBM DB2 High Performance Unload 6.1.0.2

IBM DB2 High Performance Unload 6.1.0.2 IF1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-4447	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4447
National Vulnerability Database (NVD)
2	CVE-2019-4447	https://nvd.nist.gov/vuln/detail/CVE-2019-4447

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
IBM Support Document
1	964592	https://www.ibm.com/support/pages/security-bulletin-multiple-privilege-escalation-vulnerabilities-ibm-db2-hpu
IBM X-Force Exchange
2	ibm-db2-cve20194447-priv-escalation (163488)	https://exchange.xforce.ibmcloud.com/vulnerabilities/163488

Change Log

No	Changed Details	Date of change
1	[2019年09月05日] 掲載	Sept. 5, 2019, 4:55 p.m.

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1:::::::*
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.1:if2::::::
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.1:if1::::::
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.1:::::::*
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.2:::::::*
cpe:2.3:a:ibm:db2_high_performance_unload_load:6.1.0.2:if1::::::
execution environment
1	cpe:2.3:o:linux:linux_kernel:-:::::::*
2	cpe:2.3:o:microsoft:windows:-:::::::*