CVE-2009-4334

The Self Tuning Memory Manager (STMM) component in IBM DB2 9.1 before FP8, 9.5 before FP5, and 9.7 before FP1 uses 0666 permissions for the STMM log file, which allows local users to cause a denial of service or have unspecified other impact by writing to this file.

CVSS v2.0 4.6 MEDIUM

4.6^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg1IC64019
http://secunia.com/advisories/37759	Vendor Advisory
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v97/APARLIST.TXT
http://www-01.ibm.com/support/docview.wss?uid=swg21412902	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ48106
http://www.securityfocus.com/bid/37332
http://www.vupen.com/english/advisories/2009/3520	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ50355
http://www-01.ibm.com/support/docview.wss?uid=swg21293566	Patch
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:db2:9.5:fp3a::::::
	cpe:2.3:a:ibm:db2:9.7:::::::*
	cpe:2.3:a:ibm:db2:9.1:fp2::::::
	cpe:2.3:a:ibm:db2:9.1:fp6a::::::
	cpe:2.3:a:ibm:db2:9.1:::::::*
	cpe:2.3:a:ibm:db2:9.5:fp1::::::
	cpe:2.3:a:ibm:db2:9.5:fp2::::::
	cpe:2.3:a:ibm:db2:9.5:fp2a::::::
	cpe:2.3:a:ibm:db2:9.5:fp3::::::
	cpe:2.3:a:ibm:db2:9.1:fp3a::::::
	cpe:2.3:a:ibm:db2:9.1:fp4::::::
	cpe:2.3:a:ibm:db2:9.5:::::::*
	cpe:2.3:a:ibm:db2:9.1:fp1::::::
	cpe:2.3:a:ibm:db2:9.1:fp5::::::
	cpe:2.3:a:ibm:db2:9.1:fp3::::::
	cpe:2.3:a:ibm:db2:9.1:fp6::::::
	cpe:2.3:a:ibm:db2:9.1:fp4a::::::
	cpe:2.3:a:ibm:db2:9.5:fp3b::::::
	cpe:2.3:a:ibm:db2:9.1:fp7::::::

Information

Published : 2009-12-16 10:30

Updated : 2010-06-28 21:00

NVD link : CVE-2009-4334

Mitre link : CVE-2009-4334

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

ibm

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC64019", "name": "IC64019", "tags": [], "refsource": "AIXAPAR"}, {"url": "http://secunia.com/advisories/37759", "name": "37759", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v97/APARLIST.TXT", "name": "ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v97/APARLIST.TXT", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21412902", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21412902", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IZ48106", "name": "IZ48106", "tags": [], "refsource": "AIXAPAR"}, {"url": "http://www.securityfocus.com/bid/37332", "name": "37332", "tags": [], "refsource": "BID"}, {"url": "http://www.vupen.com/english/advisories/2009/3520", "name": "ADV-2009-3520", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IZ50355", "name": "IZ50355", "tags": [], "refsource": "AIXAPAR"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21293566", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21293566", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT", "name": "ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT", "tags": [], "refsource": "CONFIRM"}, {"url": "ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT", "name": "ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v91/APARLIST.TXT", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Self Tuning Memory Manager (STMM) component in IBM DB2 9.1 before FP8, 9.5 before FP5, and 9.7 before FP1 uses 0666 permissions for the STMM log file, which allows local users to cause a denial of service or have unspecified other impact by writing to this file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-4334", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2009-12-16T18:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:fp3a:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp6a:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:fp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:fp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:fp2a:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:fp3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp3a:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp4a:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.5:fp3b:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:fp7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2010-06-29T04:00Z"}

4.6 /10