Core Security Technologies issued an advisory disclosing a vulnerability that could affect large numbers of organizations using IBM’s SolidDB relational database management system, as well as those organizations using the many third-party products in which the IBM technology has been integrated.
A vulnerability researcher at Core Labs, the research arm of Core Security Technologies, found that by sending certain packets of information to systems using SolidDB, it is possible to trigger a non-recoverable error in the program and thus terminate related server processes, creating the potential for remote denial-of-service (DoS) attacks. As a result, many other products that utilize SolidDB are also vulnerable to the same type of compromise.
Core Labs initially discovered the vulnerability in IBM SolidDB as part of its ongoing research efforts into security issues found in other products that utilize the in-memory caching software, namely HP OpenView Network Node Manager. The DoS flaw specifically affects IBM SolidDB Server versions 6.30.0.29 and 6.30.0.33. Other versions may also be vulnerable but were not tested by Core.
IBM issued the update SolidDB/Universal Cache 6.3 Fix Pack 3 that addresses the vulnerability on November 13, 2009. The vendor claims that there are currently over 3 million deployments of SolidDB in various telecommunications networks, enterprise applications, and embedded software and systems, including use in products made by Cisco, HP, Alcatel, and Nokia Siemens.
“One of the important issues highlighted by this discovery is how vulnerabilities resident in these types of technologies that are widely used in other products can have a chain reaction in exposing large numbers of organizations to potential attacks,” said Ivan Arce, CTO, Core Security Technologies. “This is one of the main reasons why it is so important for technology partners to have dedicated vulnerability and security response processes in place when they license each other’s products – to ensure that all affected end users can be advised of any problems as soon as possible when the issues are discovered to help protect themselves.”
More information on this vulnerability and the systems affected is available online. (Source: Core Security Technologies/GST)