IBM has released a software patch for a serious security vulnerability in versions of its DB2 Database running on Linux.
If left unaddressed, the vulnerability could enable attackers to run malicious code on DB2 systems using the permissions of an administrative (root) account, according to Core Security Technologies.
The vulnerability in its flagship database is a blow to IBM, which has positioned itself as a champion of Linux.
IBM makes versions of DB2 for the Unix, Linux, Sun Solaris and Microsoft Windows operating systems. More than 300,000 companies and 60 million users use DB2 worldwide, according to IBM's website.
Buffer overflow vulnerabilities were found in two components of DB2 Version 7.2 for Linux. Those components are accessible to DB2 users, but run with system administrator (root) level permissions, said Ejovi Nuwere, a security engineer at Core.
Attackers would need to know which DB2 components were vulnerable and target them with specially crafted, extra-long commands to trigger the buffer overflow.
Once that was accomplished, the attacker could retain the root-level account access and redirect the programs, gaining total control of the DB2 database and the system on which DB2 is running.
Nuwere added that the vulnerabilities are not accessible to remote users. Attackers would first need to be able to connect to DB2 on a corporate intranet with a user account to launch an attack.
IBM had a software patch for vulnerable DB2 systems available for download from a company File Transfer Protocol site yesterday.
While not as severe as recent vulnerabilities disclosed by Microsoft, the DB2 security holes should be addressed by companies using vulnerable versions of the software, according to Core Chief Executive Officer Paul Paget.
Representatives of IBM were not immediately available to comment on the vulnerability.
Paul Roberts writes for IDG News Service