COMMAND

    db2www

SYSTEMS AFFECTED

    IBM Net.Data db2www CGI

PROBLEM

    Following  is  based  on  a  Internet  Security  Systems  Security
    Advisory.   Net.Data  is  a  middleware  application  used for Web
    development and is available on Unix, Windows, OS/2, and mainframe
    platforms.  The db2www component of Net.Data is a CGI program that
    handles requests from Web clients.  An exploitable buffer overflow
    condition exists in the db2www program.

    This  vulnerability  may  allow  a  remote  attacker  to   execute
    arbitrary code under the privileges of a Web server or to crash  a
    Web server.

    Net.Data allows Web  applications to interface  with a variety  of
    database  systems.   It   can  encapsulate  programs  written   in
    different languages  (including SQL,  Perl, and  Java) into  macro
    language scripts.   Net.Data supports  native APIs  from different
    Web server  vendors (Apache,  Microsoft, Netscape,  and Lotus)  to
    improve  the  performance  of  Web  applications.  Net.Data powers
    other IBM applications such as Net.Commerce and WebSphere Commerce
    Suite.

    The problem  is triggered  when the  program handles  an extremely
    long  PATH_INFO  CGI  environmental  variable.   The  stack  of  a
    function is overflowed  by this long  variable causing the  return
    address  to  be  overwritten.   This  vulnerability  may  allow an
    attacker  to  execute  arbitrary  code  with the privileges of the
    running Web server  process.  Since  Net.Data may run  in the same
    address space of the Web server  by using Web server APIs, it  may
    be  possible  to  completely  crash   a  Web  server  under   some
    configurations.

    The ISS SAFEsuite assessment  software, Internet Scanner, will  be
    updated  to  detect  this  vulnerability  in  an  upcoming X-Press
    Update.

SOLUTION

    IBM recommends applying the security patch, which is available  at
    the Net.Data FTP site:

        ftp://ftp.software.ibm.com/software/net.data/fixes

    A separate patch is available for each platform:

       AIX: ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.aix.tar.gz
       (The AIX fix for version 6 will also work for version 2)

       HP-UX 11: ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.hp-ux.tar.gz

       Linux: ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-7.1-0008.linux.tar.gz

       OS/2: ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-7.1-0008.os2.zip

       Sun Solaris: ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.sunsol.tar.gz

       Windows NT: ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-01-0008.winnt.zip