Updates for IBM's DB2 and WebSphere
IBM has released an update for the DB2 database which closes a security hole in the DB2JDS service, through which attackers can execute malicious code on affected systems via the Net. IBM does not mention any details in their security report, however they disclose that an attacker is able to exploit the hole by sending crafted data. Those who are unable to install the update should limit access to the DB2JDS service to trustworthy computers only.
A vulnerability in the Java Message Service (JMS) in IBM's WebSphere application server might also be exploited to cause a denial-of-service attack or to execute injected program code. The vulnerability is attributed to a "double-free", where the software tries to deallocate a previously freed memory reference for the second time. The Fix Pack 19 (18.104.22.168) closes this hole and fixes numerous additional problems. IBM doesn't disclose any specific details here either.
- error report for DB2 from IBM (registration required)
- WebSphere Application Server V6.0.2 Fix Pack 19 for Windows platforms, review from IBM