Re: iDefense Security Advisory 02.22.07: IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability
A few notes on this advisory and IBM's IY94817.
1) The real IY94817 document (not the stub) requires registration to
even access in the first place, which is an unfortunate practice
that too many vendors undertake. The URL was also broken for some
time. Now that I've registered, I *STILL* can't get access to this
file:
"IY94817: SECURITY: DB2DIAG.LOG SYMBOLIC LINK OVERWRITE VULNERABILITY"
http://www-1.ibm.com/support/docview.wss?uid=swg1IY94817
Why is it so difficult just to get some basic security information?
Security advisories should be easy for the public to access. A
sysadmin shouldn't have to register with hundreds of web sites just
to get good security information.
This kind of thing happens all the time, unfortunately.
2) Anyway, this document:
http://www-1.ibm.com/support/docview.wss?uid=swg21255745
says "The vulnerability allows a local user to write to any file on
the system through the use of symbolic links (also known as
symlinks or soft links)."
According to the document that I can't access, this apparently
involves some file called DB2DIAG.LOG.
3) But iDefense's advisory says nothing about symlinks. It talks
about "file creation" and using DB2INSTANCE to point to an
attacker-controlled directory, along with insecure umask settings -
but such features don't necessarily involve symlinks.
So - is there one vulnerability or two? If there are two - does
IY94817 actually fix the iDefense-reported issue, or does it fix an
unrelated issue? Finally, I thought that one of the IBM documents
mentioned buffer overflows, but now that I can't access all the
documents, I can't find where this was mentioned.
The reason why I'm asking is this:
>A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has
>not been assigned yet.
We assigned CVE-2007-1027 to IBM's writeup of DB2DIAG.LOG symlink, but
we can't be sure it applies to the iDefense advisory.
- Steve