||Home : Advisories : Buffer Overflow in IBM Net.Data db2www CGI program|
||Buffer Overflow in IBM Net.Data db2www CGI program
||7th September 2000
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Advisory
September 7, 2000
Buffer Overflow in IBM Net.Data db2www CGI program.
Net.Data is a middleware application used for Web development and is
available on Unix, Windows, OS/2, and mainframe platforms. The db2www
component of Net.Data is a CGI program that handles requests from Web
clients. An exploitable buffer overflow condition exists in the db2www
This vulnerability may allow a remote attacker to execute arbitrary code
under the privileges of a Web server or to crash a Web server.
All versions are affected.
AIX, OS/2, Linux, Windows NT, HP-UX 11, and Sun are affected.
Net.Data allows Web applications to interface with a variety of database
systems. It can encapsulate programs written in different languages
(including SQL, Perl, and Java) into macro language scripts. Net.Data
supports native APIs from different Web server vendors (Apache,
Microsoft, Netscape, and Lotus) to improve the performance of Web
applications. Net.Data powers other IBM applications such as
Net.Commerce and WebSphere Commerce Suite.
The problem is triggered when the program handles an extremely long
PATH_INFO CGI environmental variable. The stack of a function is
overflowed by this long variable causing the return address to be
overwritten. This vulnerability may allow an attacker to execute
arbitrary code with the privileges of the running Web server process.
Since Net.Data may run in the same address space of the Web server by
using Web server APIs, it may be possible to completely crash a Web
server under some configurations.
IBM recommends applying the security patch, which is available at the
Net.Data FTP site:
A separate patch is available for each platform:
(The AIX fix for version 6 will also work for version 2)
The ISS SAFEsuite assessment software, Internet Scanner, will be updated
to detect this vulnerability in an upcoming X-Press Update.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2000-0677 to this issue. This is a candidate for
inclusion in the CVE list (<http://cve.mitre.org>), which standardizes
names for security problems.
This vulnerability was discovered and researched by Oliver Atoa-Ortiz
of the ISS X-Force. Internet Security Systems would like to thank IBM
for their response and handling of this vulnerability.
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of
security management solutions for the Internet. By providing
industry-leading SAFEsuite security software, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to its customers, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security
management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the
largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at
www.iss.net or call 888-901-7477.
Copyright (c) 2000 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail firstname.lastname@example.org for permission.
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php> as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
email@example.com of Internet Security Systems,
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----