IC66642: Security: Special group and user enumeration on Windows 2008 could trap the server.

Fixes are available

DB2 Version 9.5 Fix Pack 6a for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 8 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows

APAR status

Closed as program error.

Error description

Special group and user enumeration operation on the DB2 server
or DB2 Administrator Server (DAS) could trap when running on
Windows 2008.

The group and user enumeration affected is not part of the
normal connect or database authorization checking processing.
The vulnerability requires a valid database connection to
exploit.

Local fix

Do not grant connection privilege to PUBLIC.  Grant connect to
trusted users, roles or groups, only.

Problem summary

****************************************************************
* USERS AFFECTED:                                              *
* All users on Windows 2008                                    *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* Special group and user enumeration operation on the DB2      *
* server or DB2 Administrator Server (DAS) could trap when     *
* running on Windows 2008. The group and user enumeration      *
* affected is not part of the normal connect or database       *
* authorization checking processing. The vulnerability         *
* requires a valid database connection to exploit.             *
****************************************************************
* RECOMMENDATION:                                              *
* Do not grant connection privilege to PUBLIC.  Grant connect  *
* to trusted users, roles or groups, only.                     *
****************************************************************

Problem conclusion

```
Fixed in DB2 v9.5 Fixpack 6
```

Temporary fix

Comments

APAR Information

APAR number
IC66642
Reported component name
DB2 FOR LUW
Reported component ID
DB2FORLUW
Reported release
950
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-02-24
Closed date
2010-08-30
Last modified date
2010-08-30

APAR is sysrouted FROM one or more of the following:

IC66099
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
DB2 FOR LUW
Fixed component ID
DB2FORLUW

Applicable component levels

R910 PSN
UP
R950 PSN
UP
R970 PSY
UP

Rate this page:

(0 users)Average rating

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

DB2 for Linux, UNIX and Windows

Software version:
9.5

Reference #:
IC66642

Modified date:
2010-08-30

IC66642: Security: Special group and user enumeration on Windows 2008 could trap the server.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R910 PSN

R950 PSN

R970 PSY

Rate this page:

Copyright and trademark information

Rate this page:

Add comments

Document information

Translate my page

Content navigation

Footer links