CVE-2019-4447

Summary

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable. A low privileged user can execute arbitrary commands as root by altering the PATH variable to point to a user controlled location. When a crash is induced the trojan gdb command is executed. IBM X-Force ID: 163488.

Affected Software

VendorProductVersion RangeStatus
IBMDB2 High Performance Unload load for LUW6.1affected
IBMDB2 High Performance Unload load for LUW6.1.0.1affected
IBMDB2 High Performance Unload load for LUW6.1.0.1IF1affected
IBMDB2 High Performance Unload load for LUW6.1.0.2affected
IBMDB2 High Performance Unload load for LUW6.1.0.2IF1affected
IBMDB2 High Performance Unload load for LUW6.1.0.1IF2affected

Weaknesses

  • Gain Privileges

ADP Enrichment

CVE Program Container

Additional References

References