SupportConnect - Ingres Security Alert

Ingres Security Alert

June 21, 2007

Dear Valued CA and Ingres Customer:

Information security is of utmost priority to Ingres and CA. A number of vulnerabilities have recently been identified in Ingres 2006 (version 9.0.4), Ingres r3, Ingres 2.6 and Ingres 2.5. We have given these vulnerabilities a security threat level of High, and recommend that the available security patches be applied immediately.

Fixes are available for the current release of Ingres (Ingres 2006), for Ingres r3 on Windows, Linux, Solaris, AIX and HP and for Ingres 2.5 and 2.6 versions on their respective platforms. The security fixes are available and can be quickly applied with little to no anticipated impact to systems.

Important Security Notice for Customers Using Products That Embed Ingres

CA customers, with a current CA support contract, can download fixes from CA SupportConnect from the MDB home page: http://supportconnect.ca.com/.

We would like to thank Chris Anley (chris@ngssoftware.com), Director and Founder of NGSSoftware, Ltd., for bringing the following vulnerabilities to our attention:

Ingres controllable pointer overwrite vulnerability - bug 115927
Description: An unauthenticated attacker can potentially execute arbitrary code within the context of the database server.

Ingres remote unauthenticated pointer overwrite 2 - bug 115927
Description: An unauthenticated attacker can exploit a pointer overwrite vulnerability to execute arbitrary code within the context of the database server.

Ingres wakeup file overwrite - bug 115913
Description: The "wakeup" binary creates a file named "alarmwkp.def" in the current directory, truncating the file if it already exists. The "wakeup" binary is setuid "ingres" and world-executable. Consequently, an attacker can truncate a file with the privileges of the "ingres" user.

Ingres uuid_from_char stack overflow - bug 115911
Description: An attacker can pass a long string as an argument to uuid_from_char() to cause a stack buffer overflow and the saved returned address can be overwritten.

Ingres verifydb local stack overflow - bug 115911
Description: A local attacker can exploit a stack overflow in the Ingres verifydb utility duve_get_args function.

We would like to additionally thank iDefense Labs for bringing the following vulnerabilities to our attention.

Communication server heap corruption - bug 117523
Description: An attacker can execute arbitrary code within the context of the communications server (iigcc.exe). This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2023.

Data Access/JDBC server heap corruption - bug 117523
Description: An attacker can execute arbitrary code within the context of the Data Access server (iigcd.exe) in r3 or the JDCB server in older releases. This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2022.

All Ingres r3 patches available from CA have passed individual product testing, and certification within CA's Integration, Stress and Interoperability (ISI) lab. Fixes for all of these vulnerabilities are included in the 1198x set of patches. Ingres 2.6 SP5, for all platforms, includes these vulnerability fixes and has been tested by the embedding product teams.

For more information about Ingres security alerts and to register to proactively receive these alerts via email please send an email to: ingressvnotification-request@lists.ingres.com.

Regards,

Bill Maimone
Senior Vice President
Engineering
Ingres Corporation
Ken Williams
Director
Vulnerability Research
CA
Richard Owen
Senior Manager
Ingres Advisory Team
CA