
Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 8 Fix Pack 17 and Version 9.5 Fix Pack 2


Technote (FAQ)


Question

Fix Pack 17 for DB2 V8.1 and Fix Pack 2 for DB2 V9.5 are now available and include fixes that close several serious security vulnerabilities. These fixes, where applicable, are also available in Fix Pack 5 for DB2 Version 9.1.
IBM® recommends that you review the vulnerability descriptions and deploy one of the above fix packs to remove the vulnerabilities on your affected DB2 installations.

Answer

A set of security vulnerabilities was discovered in some DB2 database products by security research firms. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM and the security firms cooperated to allow time for the DB2 development organization to address these vulnerabilities before they were made public. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these vulnerabilities.

The affected DB2 for Linux, UNIX, and Windows Version 8.1 and 8.2, Version 9.1 and Version 9.5 products are:

  • DB2 Enterprise Server Edition
  • DB2 Workgroup Server (all Editions)
  • DB2 Express Server (all Editions)
  • DB2 Personal Edition
  • DB2 Connect Server (all Editions)

    The DB2 Client component, and DB2 products or components other than those listed above, are not affected.

    Due to the complexity of the fixes required to eliminate the reported security vulnerabilities, it is not feasible to retrofit the same fixes into earlier DB2 UDB Version 8 and DB2 Version 9 fix packs, including all of the special builds of the above DB2 database products that precede DB2 UDB Version 8.1 FixPak 17, DB2 Version 9.1 Fix Pack 5 and DB2 Version 9.5 Fix Pack 2.

    The specifics of the Security APARs incorporated into the above DB2 fix packs can be found in the following table:

    Security APARs (columns: V8 FP17 | V9.1 FP5 | V9.5 FP2 | Platforms | Abstract; cells are listed per row in their original order)

    n/a | All | SECURITY: REMOTE DENIAL OF SERVICE DURING CONNECT / ATTACH PROCESSING
    All | Buffer overflow condition in DAS server code.
    n/a | Windows | SECURITY VULNERABILITY IN DEPLOYMENT OF CLR STORED PROCEDURES FROM IBM DATABASE ADD-INS FOR VISUAL STUDIO
    All | DB USER CAN CREATE OR OVERWRITE FILES USING INSTANCE OWNER'S ID
    JR30228 (FP16) | Windows | SECURITY VULNERABILITY: DB2FMP PROCESS ON WINDOWS RUNNING WITH OS PRIVILEGE
    n/a | n/a | All | SECURITY: MALICIOUS PACKETS SENT TO DB2JDS CAUSES CRASH.
    JR32272 (FP7) | JR32268 (FP4) | All | UNAUTHORIZED CONNECTIONS POSSIBLE ON DATABASE SERVERS WITH LDAP-BASED AUTHENTICATION
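A quick inventory check a DB2 administrator can run against the levels named in this technote (V8.1 FixPak 17, V9.1 Fix Pack 5, V9.5 Fix Pack 2). This is an added example, not IBM's code: it parses the "Informational tokens" line printed by the db2level command and reports whether the installed fix pack is at or above the required one. The sample outputs are constructed, the V8 "FixPak" wording and the assumption that a V8.2 install reports itself as a v8.1 level are assumptions noted in the comments.

```python
import re

# Minimum fix pack per DB2 version that carries the fixes listed in this
# technote: V8.1 FixPak 17, V9.1 Fix Pack 5, V9.5 Fix Pack 2.
# Assumption: DB2 V8.2 installs report a "v8.1.x.y" version string in db2level.
MIN_FIX_PACK = {"8.1": 17, "9.1": 5, "9.5": 2}

# The "Informational tokens" line of db2level carries the version string and
# the fix pack number. Both the V9 "Fix Pack" and the V8 "FixPak" spellings
# are accepted (the V8 wording is an assumption).
_TOKENS_RE = re.compile(
    r'Informational tokens are "DB2 v(\d+)\.(\d+)\.\d+\.\d+".*?'
    r'(?:Fix ?Pack|FixPak) "(\d+)"',
    re.IGNORECASE,
)


def parse_db2level(output: str):
    """Return (major.minor version, fix pack number) from db2level output."""
    m = _TOKENS_RE.search(output)
    if m is None:
        raise ValueError("db2level output lacks an 'Informational tokens' line")
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3))


def assess(output: str) -> dict:
    """Compare the installed level against the fix packs named in this technote."""
    version, fp = parse_db2level(output)
    required = MIN_FIX_PACK.get(version)
    if required is None:
        status = "unknown"          # version not covered by this technote
    elif fp >= required:
        status = "fixed"
    else:
        status = "vulnerable"
    return {"version": version, "fixpack": fp, "required": required, "status": status}


# Constructed sample outputs; build tokens are placeholders, not real build ids.
SAMPLE_V95_FP1 = (
    'DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09051" '
    'with level identifier "03020107".\n'
    'Informational tokens are "DB2 v9.5.0.1", "s000000", "IPXXXXX", and Fix Pack "1".\n'
    'Product is installed at "/opt/ibm/db2/V9.5".\n'
)
SAMPLE_V8_FP17 = (
    'Informational tokens are "DB2 v8.1.3.176", "s000000", "UXXXXXX", and FixPak "17".\n'
)

if __name__ == "__main__":
    for sample in (SAMPLE_V95_FP1, SAMPLE_V8_FP17):
        print(assess(sample))
```

Pipe the real output in with `db2level | python3 check_db2level.py` after adding a `sys.stdin.read()` call, or paste it into a sample string as above.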



    In addition to the Security APARs, here is a list of HIPER APARs included in these fix packs of which you should be aware.

    HIPER APARs (columns: V8 FP17 | V9.1 FP5 | V9.5 FP2 | Abstract; cells are listed per row in their original order)

    INCORRECT RESULT MAY BE RETURNED IN OPTLEVEL 5 OR HIGHER IF THE QUERY HAS A FULL OUTER JOIN USED AS AN INPUT TO UNION ALL.
    n/a | n/a | rollforward - sqldCompressRec, probe:787 - Compression dictionary is invalid
    n/a | DATA CORRUPTION WHEN A LOB OBJECT ASSOCIATED WITH A TABLE GROWS LARGER THAN 2 TB
    n/a | n/a | HIGH MEMORY USAGE/PAGING WITH LOCAL CONNECTIONS OR ATTACHMENTS USING SOLARIS 10
    n/a | n/a | A QUERY MAY RETURN UNEXPECTED RESULTS IN DPF/SMP ENVIRONMENTS WHEN SELECTING A DECFLOAT COLUMN OR PERFORMING AGGREGATION ON IT
    CASTING OF A ROUND FUNCTION TO A DECIMAL CAN PRODUCE INCONSISTENT RESULTS ON WINDOWS OPERATING SYSTEMS
    n/a | n/a | XML LOAD: RESTARTING IN BUILD PHASE IGNORES UNIQUE VALUES KEY VIOLATIONS
    n/a | n/a | WRONG RESULT IN QUERY WITH XMLEXISTS AND "FETCH FIRST N ROWS ONLY"
    INDEX SCAN USING EXCLUSIVE START KEY MIGHT RETURN INCORRECT RESULTS
    IZ12174 (FP1) | IDENTITY/SEQ. COLUMNS ARE RESET BACK TO 'START WITH' VALUE AFTER 'RESTART' AND 'SET' ARE ISSUED IN SEQUENCE AGAINST THE TABLE
    INCORRECT RESULTS FOR OUTER JOINS WITH SELECT DISTINCT



    DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?rs=71&uid=swg27007053

    The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered security vulnerabilities along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that this issue is causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.




    Cross Reference information

    Segment: Information Management | Product: DB2 Connect | Platform: AIX, HP-UX, Linux, Solaris, Windows | Version: 9.5, 9.1, 8 | Edition: All Editions

    Document information

    Product: DB2 for Linux, UNIX and Windows
    Component: Installation - Fix Pack
    Software version: 8, 9.1, 9.5
    Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
    Reference #: 1318189
    Modified date: 2009-05-28
