-----BEGIN PGP SIGNED MESSAGE-----



Internet Security Systems Security Advisory

September 7, 2000





Buffer Overflow in IBM Net.Data db2www CGI program.



Synopsis:

Net.Data is a middleware application used for Web development and is

available on Unix, Windows, OS/2, and mainframe platforms. The db2www

component of Net.Data is a CGI program that handles requests from Web

clients. An exploitable buffer overflow condition exists in the db2www

program.



Impact:

This vulnerability may allow a remote attacker to execute arbitrary code

under the privileges of a Web server or to crash a Web server.



Affected Versions:

All versions are affected.



Platforms Affected:

AIX, OS/2, Linux, Windows NT, HP-UX 11, and Sun are affected.



Description:

Net.Data allows Web applications to interface with a variety of database

systems. It can encapsulate programs written in different languages

(including SQL, Perl, and Java) into macro language scripts. Net.Data

supports native APIs from different Web server vendors (Apache,

Microsoft, Netscape, and Lotus) to improve the performance of Web

applications. Net.Data powers other IBM applications such as

Net.Commerce and WebSphere Commerce Suite.



The problem is triggered when the program handles an extremely long

PATH_INFO CGI environmental variable. The stack of a function is

overflowed by this long variable causing the return address to be

overwritten. This vulnerability may allow an attacker to execute

arbitrary code with the privileges of the running Web server process.

Since Net.Data may run in the same address space of the Web server by

using Web server APIs, it may be possible to completely crash a Web

server under some configurations.



Recommendations:

IBM recommends applying the security patch, which is available at the

Net.Data FTP site:

http://ftp.software.ibm.com/software/net.data/fixes



A separate patch is available for each platform:



AIX:

http://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.aix.tar.gz

(The AIX fix for version 6 will also work for version 2)



HP-UX 11:

http://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.hp-ux.tar.gz



Linux:

http://ftp.software.ibm.com/software/net.data/fixes/netdata-all-7.1-0008.linux.tar.gz



OS/2:

http://ftp.software.ibm.com/software/net.data/fixes/netdata-all-7.1-0008.os2.zip



Sun Solaris:

http://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.sunsol.tar.gz



Windows NT:

http://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-01-0008.winnt.zip





The ISS SAFEsuite assessment software, Internet Scanner, will be updated

to detect this vulnerability in an upcoming X-Press Update.



Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned

the name CAN-2000-0677 to this issue. This is a candidate for

inclusion in the CVE list (<http://cve.mitre.org>), which standardizes

names for security problems.



Credits:

This vulnerability was discovered and researched by Oliver Atoa-Ortiz

of the ISS X-Force. Internet Security Systems would like to thank IBM

for their response and handling of this vulnerability.



_____



About Internet Security Systems (ISS)



Internet Security Systems (ISS) is a leading global provider of

security management solutions for the Internet. By providing

industry-leading SAFEsuite security software, remote managed security

services, and strategic consulting and education offerings, ISS is a

trusted security provider to its customers, protecting digital assets

and ensuring safe and uninterrupted e-business. ISS' security

management solutions protect more than 5,500 customers worldwide

including 21 of the 25 largest U.S. commercial banks, 10 of the

largest telecommunications companies and over 35 government agencies.

Founded in 1994, ISS is headquartered in Atlanta, GA, with additional

offices throughout North America and international operations in Asia,

Australia, Europe, Latin America and the Middle East. For more

information, visit the Internet Security Systems web site at

www.iss.net or call 888-901-7477.



Copyright (c) 2000 Internet Security Systems, Inc.



Permission is hereby granted for the redistribution of this Alert

electronically. It is not to be edited in any way without express

consent of the X-Force. If you wish to reprint the whole or any part

of this Alert in any other medium excluding electronic medium, please

e-mail xforce@iss.net for permission.



Disclaimer



The information within this paper may change without notice. Use of

this information constitutes acceptance for use in an AS IS condition.

There are NO warranties with regard to this information. In no event

shall the author be liable for any damages whatsoever arising out of

or in connection with the use or spread of this information. Any use

of this information is at the user's own risk.



X-Force PGP Key available at: <http://xforce.iss.net/sensitive.php> as

well as on MIT's PGP key server and PGP.com's key server.



Please send suggestions, updates, and comments to: X-Force

xforce@iss.net  of Internet Security Systems,

Inc.



-----BEGIN PGP SIGNATURE-----

Version: 2.6.3a

Charset: noconv



iQCVAwUBObfYmTRfJiV99eG9AQFPXQP+NchHZLv9Pebmo6b5VG9OXClfJcP3Xl3D

ZTvf1x24vpP08IZ+ODAc5byWlJegC0631KVoBf5ZG0JZ6AEcxyitU2hzvgkwlEzm

f8ia6ALEDojWYPKMSWyDIYERSvkQp0iaQkRTaBqKYjArFbIw6DTfCPYTHtF+RPHf

FlzIBvEed3M=

=ZPiB

-----END PGP SIGNATURE-----