IC65933: SECURITY: BUFFER OVERRUN IN REPEAT UDF (CVE-2010-0462).
Fixes are available
APAR status
Closed as program error.
Error description
-
The scalar function REPEAT contains a buffer overrun defect that malicious user could manipulate, causing the DB2 server to trap. A valid database connection is required to exploit the vulnerability.
Local fix
-
It is not possible to revoke EXECUTE privilege on the scalar function REPEAT from PUBLIC. To minimize the exposure, revoke CONNECT privilege from PUBLIC and only grant CONNECT privilege to trusted users.
Problem summary
-
**************************************************************** * USERS AFFECTED: * * All DB2 systems on all Linux, Unix and Windows platforms at * * service levels from Version 9.5 GA through to Version 9.5 * * Fix Pack 6. * **************************************************************** * PROBLEM DESCRIPTION: * * See "Error Description" * **************************************************************** * RECOMMENDATION: * * Upgrade to DB2 Version 9.5 Fix Pack 6 or see "Local Fix" * * portion for other suggestions. * ****************************************************************
Problem conclusion
-
The complete fix for this problem first appears in DB2 Version 9.5 Fix Pack 6 and all the subsequent Fix Packs.
Temporary fix
Comments
APAR Information
APAR number
IC65933
Reported component name
DB2 FOR LUW
Reported component ID
DB2FORLUW
Reported release
950
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-01-28
Closed date
2010-06-14
Last modified date
2010-08-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DB2 FOR LUW
Fixed component ID
DB2FORLUW
Applicable component levels
R950 PSN
UP
Document information
More support for:
DB2 for Linux, UNIX and Windows
Software version: 9.5
Reference #: IC65933
Modified date: 17 August 2010