IBM Support

IC72119: Users able to update statistics for tables without appropriate privileges


APAR status

  • Closed as program error.

Error description

  • Users are able to incorrectly update statistics columns
    in SYSSTAT.TABLES for tables upon which they do not have
    appropriate privileges.  Thus, a malicious user may be able to
    introduce query performance degradations by modifying table
    statistics via this view.
    
    Normally, in order to update the statistics for a
    table via this view, you must have CONTROL or explicit
    DATAACCESS privilege on the table. This APAR fix addresses
    this problem.
    

Local fix

  • Revoke UPDATE privilege from PUBLIC on the SYSSTAT.TABLES view
    until this APAR is applied. Namely, run:
    
    revoke update on sysstat.tables from public
    
    If needed, you may continue updating statistics, with
    appropriate privileges, via the SYSCAT.TABLES view, which is
    not affected by this problem.
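
The following is an added example, not part of IBM's APAR text: a way to check the fix level, see who holds UPDATE on SYSSTAT.TABLES, apply the local fix, and confirm it took effect. It assumes a connection to the affected database under an authorization ID that is allowed to revoke the privilege; SYSCAT.TABAUTH and SYSPROC.ENV_GET_INST_INFO are standard DB2 catalog objects, and the result column aliases are chosen here.

```sql
-- 1. Instance fix level. The APAR states the problem affects
--    DB2 9.7 GA through Fix Pack 3 and is fixed in Fix Pack 4.
SELECT service_level, fixpack_num
  FROM TABLE(SYSPROC.ENV_GET_INST_INFO()) AS inst;

-- 2. Every grantee that currently holds UPDATE on the view.
--    UPDATEAUTH: 'Y' = held, 'G' = held and grantable.
--    GRANTEETYPE: 'U' = user, 'G' = group (PUBLIC appears as a group), 'R' = role.
SELECT grantee, granteetype, grantor, updateauth
  FROM syscat.tabauth
 WHERE tabschema = 'SYSSTAT'
   AND tabname   = 'TABLES'
   AND updateauth IN ('Y', 'G')
 ORDER BY granteetype, grantee;

-- 3. Local fix from this APAR.
REVOKE UPDATE ON SYSSTAT.TABLES FROM PUBLIC;

-- 4. Confirm the workaround: this count should be 0 afterwards.
SELECT COUNT(*) AS public_update_grants
  FROM syscat.tabauth
 WHERE tabschema = 'SYSSTAT'
   AND tabname   = 'TABLES'
   AND grantee   = 'PUBLIC'
   AND updateauth IN ('Y', 'G');
```

Grantees other than PUBLIC that step 2 lists keep UPDATE on the view after the revoke, so review them as well on servers that are still below Fix Pack 4.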
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * DB2 Version 9.7 GA through to Fix Pack 3 servers on Linux,   *
    * Unix and Windows platforms, updating                         *
    * the SYSSTAT.TABLES view.                                     *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * The view definition doesn't check for the correct user       *
    * authorization.                                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply DB2 Version 9.7 Fix Pack 4 and run db2updv97 to update *
    * the view definition text. Otherwise, please refer to the     *
    * Local Fix.                                                   *
    ****************************************************************
    

Problem conclusion

  • Problem is first fixed in DB2 Version 9.7 Fix Pack 4 and all
    subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC72119

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    970

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-10-21

  • Closed date

    2011-04-28

  • Last modified date

    2011-04-28

  • APAR is sysrouted FROM one or more of the following:

    IC71413

  • APAR is sysrouted TO one or more of the following:

    IC72571

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R970 PSY

       UP



Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 9.7

Reference #: IC72119

Modified date: 28 April 2011

