2 flaws found

denolth2
Regular Member
Posts: 354
Joined: Tue Nov 28, 2000 12:00 am
Location: mushroom forest

Post by denolth2 »

saw this news this morning:
taken from:
http://searchsecurity.techtarget.com/ne ... 65,00.html

Two Major Databases Spring Security Leaks
By Lisa Vaas
October 1, 2003

Two major databases have sprung security leaks.

The security firm Application Security Inc. reported this week that IBM's DB2 Universal Database and MySQL AB's MySQL open-source database have a total of three vulnerabilities that range from low- to high-risk levels.

The first DB2 weakness is a buffer overflow in db2dart. This entails a UDP service used for discovery of DB2 databases on a network. The UDP service is overwhelmed when more than 20 bytes of information are sent.

All versions of DB2 are affected, although the risk level is only medium. The fix is IBM's FixPak 10a, available here.

DB2's second new weakness is a vulnerability to denial-of-service attacks in its discovery service. This is a service used in turn to locate another service when configuring connections. Again, if a packet larger than 20 bytes comes in to the server, the service shuts down.

This vulnerability also affects all versions of DB2. The second DB2 flaw has a low risk level. The fix is available here.
http://www-3.ibm.com/cgi-bin/db2www/dat ... d2w/report

ASI CTO Aaron Newman told eWeek in an interview that these most recent DB2 flaws don't pose a major threat to enterprises because they entail mere privilege escalations. "These were not high vulnerabilities," said Newman, in New York. "They're more privilege escalations. It's not something where an anonymous hacker would be able to break in."

For its part, the MySQL database has potential for a buffer overflow in its "get_salt_from_password" function. This is a serious risk, and it affects all versions of MySQL. According to Newman, a malicious user could grant him- or herself administrative privileges and then use the function to trigger a buffer overflow.

It can't, however, be used to give an intruder control of the MySQL database, through which control of the operating system can be gained, Newman said. For the MySQL patch, click here: http://www.mysql.com/downloads/patches.html
sittin' in da mushroom forest, pondering what mushroom ponder.... :o
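Both DB2 issues in the article come down to the same defect: a network service that copies a datagram into a fixed 20-byte buffer without checking its length first. The following is an added illustration of that pattern and its fix, not code from the article, from IBM or from MySQL. The 20-byte limit is the figure quoted above; the message layout, function names and return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Maximum accepted payload for the hypothetical discovery request. The
   20-byte figure is the limit quoted in the article; the message layout,
   function names and return codes below are assumptions for illustration,
   not DB2 or MySQL code. */
#define DISCOVERY_MAX 20

enum { DISC_OK = 0, DISC_TOO_LONG = -1, DISC_EMPTY = -2 };

/* Vulnerable pattern (shown for contrast, never called here): the datagram is
   copied into a fixed-size stack buffer with no length check, so any payload
   longer than DISCOVERY_MAX overruns the buffer. This is the shape of defect
   the article describes. */
void handle_discovery_unchecked(const uint8_t *payload, size_t len)
{
    char buf[DISCOVERY_MAX];
    memcpy(buf, payload, len);   /* defect: len is trusted */
    (void)buf;
}

/* Hardened handler: validates the length before touching the buffer and
   rejects oversized or empty datagrams with an error code instead of
   crashing. out must have room for DISCOVERY_MAX + 1 bytes. */
int handle_discovery_checked(const uint8_t *payload, size_t len, char *out)
{
    if (len == 0)
        return DISC_EMPTY;
    if (len > DISCOVERY_MAX)
        return DISC_TOO_LONG;    /* drop the datagram; the service stays up */
    memcpy(out, payload, len);
    out[len] = '\0';
    return DISC_OK;
}

/* Simulated receive loop over constructed datagrams: returns how many were
   rejected, so a caller can count and alert on oversized traffic. */
int drain_datagrams(const uint8_t *const *datagrams, const size_t *lens, size_t n)
{
    int rejected = 0;
    char out[DISCOVERY_MAX + 1];
    for (size_t i = 0; i < n; i++) {
        if (handle_discovery_checked(datagrams[i], lens[i], out) != DISC_OK)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample datagrams: one short, one exactly at the limit,
       one oversized. */
    static const uint8_t d1[] = "DB2DISC";
    static const uint8_t d2[] = "12345678901234567890";      /* 20 bytes */
    static const uint8_t d3[] = "123456789012345678901234";  /* 24 bytes */
    const uint8_t *const ds[] = { d1, d2, d3 };
    const size_t lens[] = { 7, 20, 24 };
    printf("rejected %d of 3 datagrams\n", drain_datagrams(ds, lens, 3));
    return 0;
}
```

The rejection count from drain_datagrams is the kind of signal worth logging: a burst of oversized discovery datagrams against a service that is still on a pre-FixPak build is exactly the traffic the article's denial-of-service flaw turns into a crash.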
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Very Interesting. Thanks!

You still sitin in the mushroom forest pondering what mushrooms ponder?
denolth2
Regular Member
Posts: 354
Joined: Tue Nov 28, 2000 12:00 am
Location: mushroom forest

Post by denolth2 »

actually got laid off from the mushroom forest and pondering when I'll be able to get back into a steady job again...other than that, shoveling soil out of a section of basement I've been clearing out for the past month, with 6 trailer loads of soil dumped, and now proceeding to put gravel into the floor area for the concrete we'll be pouring early next week...hopefully find a job by the time that project is done.... :D

nothing exciting except labor intensive house renovations.....
sittin' in da mushroom forest, pondering what mushroom ponder.... :o