IBM Informix vulnerability CVE-2020-4799 in Spatial Datablade Module
A security warning was issued on October 8, 2020 (CVE-2020-4799) for IBM Informix Dynamic Server.
This vulnerability affects the Spatial Datablade Module in Informix Server versions 12.10 and 14.10.
A specific function in the Spatial Datablade can be called with an out-of-range parameter. A local user logged on with SQL privileges could use this vulnerability to attempt to execute an SQL injection. If the attack is successful, the attacker would be able to grant himself extended user rights and execute his own code.
Help provides a Fix Pack that IBM has released on Fix Central.
IBM offers two possible solutions:
- If you are not using the Spatial Datablade, you can disable access by simply renaming it:
Change to the directory $INFORMIXDIR/extend
and rename the Spatial Datablade directory, for example: mv spatial.8.22.* spatial.do.not.use
- If you are using the Spatial Datablade, please go to the IBM Fix Central page. IBM has released corresponding Fix Packs for download: