COMMUNICATION CONTENT
June 21, 2007
Dear Valued Ingres Customer:
Information security is of utmost priority to Ingres. A number of vulnerabilities have recently been identified in Ingres 2006 (version 9.0.4), Ingres r3, Ingres 2.6 and Ingres 2.5. We have given these vulnerabilities a security threat level of High, and recommend that the available security patches be applied immediately.
Fixes are available for the current release of Ingres (Ingres 2006), for Ingres r3 on Windows, Linux, Solaris, AIX and HP and for Ingres 2.5 and 2.6 versions on their respective platforms. The security fixes are available and can be quickly applied with little to no anticipated impact to systems.
Ingres customers with a current support contract can review the following knowledge base document for information on downloading the available fixes:
https://servicedesk.ingres.com/CAisd/pdmweb.ingres? OP=SHOW_DETAIL+PERSID=KD:415738+HTMPL=kt_document_view.htmpl
CA customers using Ingres r3 with a current CA support contract can download fixes from CA Support Connect from the MDB home page.
We would like to thank Chris Anley (chris@ngssoftware.com), Director and Founder of NGSSoftware, Ltd., for bringing the following vulnerabilities to our attention.
Ingres controllable pointer overwrite vulnerability – bug 115927
Description: An unauthenticated attacker can potentially execute arbitrary code within the context of the database server.
Ingres remote unauthenticated pointer overwrite 2 – bug 115927
Description: An unauthenticated attacker can exploit a pointer overwrite vulnerability to execute arbitrary code within the context of the database server.
Ingres wakeup file overwrite – bug 115913
Description: The "wakeup" binary creates a file named "alarmwkp.def" in the current directory, truncating the file if it already exists. The "wakeup" binary is setuid "ingres" and world-executable. Consequently, an attacker can truncate a file with the privileges of the "ingres" user.
Ingres uuid_from_char stack overflow – bug 115911
Description: An attacker can pass a long string as an argument to uuid_from_char() to cause a stack buffer overflow and the saved return address can be overwritten.
Ingres verifydb local stack overflow – bug 115911
Description: A local attacker can exploit a stack overflow in the Ingres verifydb utility duve_get_args function.
We would like to additionally thank iDefense Labs for bringing the following vulnerabilities to our attention.
Communication server heap corruption – bug 117523
Description: An attacker can execute arbitrary code within the context of the communications server (iigcc.exe). This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2023.
Data Access/JDBC server heap corruption – bug 117523
Description: An attacker can execute arbitrary code within the context of the Data Access server (iigcd.exe) in r3 or the JDCB server in older releases. This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2022.
For more information about Ingres security alerts and to register to proactively receive these alerts via email please subscribe to the security alert email list.
Regards,
Bill Maimone
Senior Vice President, Engineering
Ingres Corporation
