Vulnerability Details : CVE-2014-0907
Multiple untrusted search path vulnerabilities in unspecified (1) setuid and (2) setgid programs in IBM DB2 9.5, 9.7 before FP9a, 9.8, 10.1 before FP3a, and 10.5 before FP3a on Linux and UNIX allow local users to gain root privileges via a Trojan horse library. The advisories referenced below attribute the weakness to an insecure RPATH compiled into the privileged DB2 executables: the dynamic loader consults those directories when resolving shared libraries, so a local user who can write to one of them, or who controls the directory a relative entry resolves against, can have root-privileged code load a library of their choosing.
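A practical check for this weakness class, added here as an example and not part of IBM's advisory or code: it parses an ELF executable's dynamic section for DT_RPATH/DT_RUNPATH entries and flags the ones a local user could control, which is what "untrusted search path" means for a setuid or setgid program. The page names no specific paths; the default scan root `/opt/ibm/db2` and the `sqllib` example in the test data are assumptions about a typical DB2 layout.

```python
"""Audit setuid/setgid ELF executables for the weakness class behind CVE-2014-0907:
a hard-coded DT_RPATH / DT_RUNPATH that lets a local user plant a shared library.
Added example (not IBM's code); the DB2 directory in main() is an assumption."""
import os
import stat
import struct
import sys

DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
SHT_DYNAMIC = 6


def read_rpaths(path):
    """Return every DT_RPATH/DT_RUNPATH string in an ELF32/ELF64 file (empty list if none)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELF64
        ehdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        shdr_fmt, dyn_fmt = end + "IIQQQQIIQQ", end + "qQ"
    else:
        ehdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        shdr_fmt, dyn_fmt = end + "IIIIIIIIII", end + "iI"
    shoff, shentsize, shnum = ehdr[5], ehdr[10], ehdr[11]   # e_shoff, e_shentsize, e_shnum
    sections = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)
                for i in range(shnum)]
    found = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:                 # sh_type
            continue
        strtab_off = sections[sh[6]][4]          # sh_link -> .dynstr; take its sh_offset
        for pos in range(sh[4], sh[4] + sh[5], struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                start = strtab_off + val
                found.append(data[start:data.index(b"\0", start)].decode())
    return found


def _dir_writable_by_untrusted(path):
    """Default predicate: True if the directory is group/world-writable or not owned by root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def insecure_entries(rpath, writable_by_untrusted=_dir_writable_by_untrusted):
    """Classify each colon-separated entry of a privileged program's run-time search path.
    Returns [(entry, reason), ...]; an empty list means nothing obviously wrong.
    The predicate is injectable so the logic can be exercised without real directories."""
    findings = []
    for entry in rpath.split(":"):
        if "$ORIGIN" in entry or "${ORIGIN}" in entry:
            findings.append((entry, "$ORIGIN token: path follows the binary's location; review manually"))
        elif entry in ("", "."):
            findings.append((entry, "empty or '.' entry: searched in the caller's current directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry: resolved against the caller's current directory"))
        elif writable_by_untrusted(entry):
            findings.append((entry, "directory writable by a non-root user: a library can be planted"))
    return findings


def audit(path, writable_by_untrusted=_dir_writable_by_untrusted):
    """Findings for one file; [] if it is not setuid/setgid or its search path is clean."""
    st = os.stat(path)
    if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    findings = []
    for rp in read_rpaths(path):
        findings.extend(insecure_entries(rp, writable_by_untrusted))
    return findings


def audit_tree(root):
    """Walk a directory tree and report every privileged ELF with an unsafe search path."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                f = audit(p)
            except (ValueError, OSError):
                continue                         # not ELF, unreadable, or vanished mid-walk
            if f:
                report[p] = f
    return report


if __name__ == "__main__":
    # Assumed DB2 layout: point this at the instance's sqllib or install path on the audited host.
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/ibm/db2"
    for binary, findings in audit_tree(root).items():
        for entry, reason in findings:
            print(f"{binary}: {entry!r}: {reason}")
```

Run it as root against the DB2 install and each instance's `sqllib` directory; any privileged binary whose RPATH contains a relative entry or a directory owned by the instance user is the pattern the advisory describes. The `$ORIGIN` case is reported for manual review rather than judged automatically, since whether it is exploitable depends on the loader's secure-execution handling and on whether the binary can be relocated.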
Products affected by CVE-2014-0907
- cpe:2.3:a:ibm:db2:9.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.1:*:*:*:*:*:*:*
Threat overview for CVE-2014-0907
- Top open port discovered on systems with this issue: 523 (the IANA-registered IBM DB2 port)
- IPs affected by CVE-2014-0907: 39
- Threat actors abusing this issue: yes

Note that the CVSS vector below is local-only (AV:L), so the open-port count measures exposed DB2 listeners, not hosts that can be exploited remotely; an attacker still needs a local account.
Exploit prediction scoring system (EPSS) score for CVE-2014-0907
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~14% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2014-0907
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
References for CVE-2014-0907
- [IBM DB2 Unsafe Library Loading Lets Local Users Gain Elevated Privileges (SecurityTracker)](http://www.securitytracker.com/id/1030670)
- [IBM multiple products SETGID and SETUID privilege escalation CVE-2014-0907 Vulnerability Report (IBM X-Force)](https://exchange.xforce.ibmcloud.com/vulnerabilities/91869)
- [IBM Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for Linux, UNIX, and Windows Version 10.1](http://www.ibm.com/support/docview.wss?uid=swg21610582#4) (vendor advisory)
- [Full Disclosure: CVE-2014-0907 - SetUID/SetGID Programs Allow Privilege Escalation Via Insecure RPATH In IBM DB2](http://seclists.org/fulldisclosure/2014/Jun/7)
- [IBM Tivoli Composite Application Manager for Transactions Internet Service Monitoring 7.4 Interim Fix 13 README (7.4.0.0-TIV-CAMIS-IF0013)](http://www-01.ibm.com/support/docview.wss?uid=isg400001841)
- [Multiple IBM DB2 Products CVE-2014-0907 Local Privilege Escalation Vulnerability (SecurityFocus BID 67617)](http://www.securityfocus.com/bid/67617)
- [IBM APAR IT00686: SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2014-0907)](http://www-01.ibm.com/support/docview.wss?uid=swg1IT00686)
- [IBM Tivoli Composite Application Manager for Transactions Unsafe Library Loading Lets Local Users Gain Elevated Privileges (SecurityTracker)](http://www.securitytracker.com/id/1030671)
- [CVE-2014-0907 - Portcullis](https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-0907/)
- [IBM APAR IT00685](http://www-01.ibm.com/support/docview.wss?uid=swg1IT00685) (title not captured; the crawler received an IBMid sign-in page)
- [IBM APAR IT00687: SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2014-0907)](http://www-01.ibm.com/support/docview.wss?uid=swg1IT00687)
- [IBM Security Bulletin: IBM Tivoli Composite Application Manager for Transactions is affected by a Local escalation of privilege vulnerability (CVE-2014-0907)](http://www-304.ibm.com/support/docview.wss?uid=swg21676135)
- [IBM Tivoli Composite Application Manager for Transactions Internet Service Monitoring 7.3.0.1 Interim Fix 29 README](http://www-01.ibm.com/support/docview.wss?uid=isg400001843)
- [IBM Security Bulletin: Local escalation of privilege vulnerability in IBM® DB2® (CVE-2014-0907)](http://www.ibm.com/support/docview.wss?uid=swg21672100) (vendor advisory)
- [IBM DB2 Privilege Escalation (Packet Storm)](http://packetstormsecurity.com/files/126940/IBM-DB2-Privilege-Escalation.html)
- [IBM APAR IT00627](http://www-01.ibm.com/support/docview.wss?uid=swg1IT00627) (title not captured; the crawler received an IBMid sign-in page)
- [IBM Security Bulletin: TSM client SetUID elevation of privilege (CVE-2014-0907)](http://www-01.ibm.com/support/docview.wss?uid=swg21680454)
- [IBM APAR IT00684: SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2014-0907)](http://www-01.ibm.com/support/docview.wss?uid=swg1IT00684)