PT-2019-17088 · IBM · IBM Db2 High Performance Unload

Published

2019-08-26

·

Updated

2022-12-02

·

CVE-2019-4448

CVSS v3.1

7.8

High

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions IBM DB2 High Performance Unload load for LUW versions 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2
Description The db2hpum and db2hpum_debug binaries are installed setuid root and expose built-in options for loading a caller-specified Db2 library from that privileged context. A low-privileged local user can therefore point the binary at a library of their own and have its code executed with root authority. No user interaction is required, and the impact is full compromise of confidentiality, integrity and availability on the host, matching the CVSS vector above.
Recommendations For versions 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2, remove the setuid root bit from the db2hpum and db2hpum_debug binaries as a temporary workaround; without it, a library loaded through those binaries runs only with the caller's privileges. In addition, restrict execution of both binaries to the operators who need them (for example, an owning group with no execute permission for others) to reduce the exposure. Both measures are workarounds, not a fix, and may affect unload operations that relied on root privileges, so test them before rolling out. At the moment, there is no information about a newer version that contains a fix for this issue.
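The following script is an added example (not IBM's code) that implements the two workarounds above as an audit plus a remediation step: it reports whether each binary still carries the setuid bit and who owns it, and on request drops the bit and limits execution to a named group. The install paths of db2hpum and db2hpum_debug are assumed; substitute the real paths from your deployment.

```shell
#!/bin/sh
# Audit and harden setuid-root binaries that can load caller-chosen libraries.
# Added example, not vendor code. Paths are assumptions: db2hpum and
# db2hpum_debug live under the product's install directory on your host.
#
#   audit_binaries /opt/ibm/db2hpu/bin/db2hpum /opt/ibm/db2hpu/bin/db2hpum_debug
#   harden_binary  /opt/ibm/db2hpu/bin/db2hpum db2hpuops

# setuid_state FILE -> prints MISSING, SETUID or CLEAN.
# `test -u` is POSIX: true when the file exists and has its set-user-ID bit.
setuid_state() {
    [ -e "$1" ] || { printf 'MISSING\n'; return 0; }
    if [ -u "$1" ]; then printf 'SETUID\n'; else printf 'CLEAN\n'; fi
}

# file_owner FILE -> prints the owning user name (third column of ls -ld,
# which is portable across GNU and BSD userlands).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_binaries FILE... -> one line per file: "<state> <owner> <path>".
# Returns 1 if any file is both setuid and owned by root, i.e. still exposed.
audit_binaries() {
    rc=0
    for f in "$@"; do
        state=$(setuid_state "$f")
        if [ -e "$f" ]; then owner=$(file_owner "$f"); else owner=-; fi
        printf '%s %s %s\n' "$state" "$owner" "$f"
        if [ "$state" = SETUID ] && [ "$owner" = root ]; then rc=1; fi
    done
    return $rc
}

# harden_binary FILE GROUP -> apply the workaround: drop the setuid bit and
# restrict execution to GROUP. Returns 2 if FILE is missing, 1 on failure.
harden_binary() {
    f=$1; grp=$2
    [ -e "$f" ] || return 2
    chmod u-s "$f"   || return 1   # removes the precondition for root code execution
    chgrp "$grp" "$f" || return 1   # owning group = authorised unload operators
    chmod o-rwx "$f"  || return 1   # nobody outside that group can run (or read) it
}
```

Run `audit_binaries` before and after `harden_binary`; a non-zero exit from the audit means at least one of the binaries is still setuid root. Because the script only changes permission bits and group ownership, it does nothing that a later vendor fix would have to undo.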

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2019-4448

Affected Products

IBM Db2 High Performance Unload