DB2 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered in the Windows version when the 'Everyone' group is granted read and write access to certain DB2 resources, which could allow a malicious user to gain access to plaintext Windows user names and passwords from the 'DB2SHMSECURITYSERVICE' section resulting in a loss of confidentiality and/or integrity.

Currently, there are no known workarounds or upgrades to correct these issues. However, IBM has released a patch to address this vulnerability.

• Keyword: #NISR05012005F APAR IY62300
• Security Tracker: 1011562
• Related OSVDB ID: 10513 10514 10515 10516 10517 10518 10519 10520 10521 10522 12754 12755 12756 12757
• Bugtraq ID: 11402
• Secunia Advisory ID: 12733
• ISS X-Force ID: 17605
• CVE ID: 2005-4868 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0028.html
• Vendor Specific Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=71&context=SSEPGG&uid=swg21179535&loc=en_US&cs=utf-8&lang=en
  http://www-1.ibm.com/support/docview.wss?uid=swg1IY62300
  http://www-1.ibm.com/support/docview.wss?uid=swg21181228
• Vendor Specific News/Changelog Entry: http://www-1.ibm.com/support/docview.wss?uid=swg1IY62300
• Vendor URL: http://www-306.ibm.com/software/data/db2/udb/
• Other Advisory URL: http://www.nextgenss.com/advisories/db2-01.txt
  http://www.nextgenss.com/advisories/db205012005F.txt

• Chris Anley - chrisanleyhushmail.com -