IC66643: Security: Special group and user enumeration on Windows 2008 could trap the server.


APAR status

  • Closed as program error.

Error description

  • Special group and user enumeration operation on the DB2 server
    or DB2 Administrator Server (DAS) could trap when running on
    Windows 2008.
    
    The group and user enumeration affected is not part of the
    normal connect or database authorization checking processing.
    The vulnerability requires a valid database connection to
    exploit.
    

Local fix

  • Do not grant the connection privilege to PUBLIC. Grant connect
    only to trusted users, roles or groups.
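
One way to audit and apply the local fix above, as an added example that is not part of the APAR text. The role name CONNECT_USERS and the user APPUSER1 are hypothetical, and the statements assume an authorization ID that is permitted to create roles and to grant and revoke database authorities.

```sql
-- Added example; CONNECT_USERS and APPUSER1 are hypothetical names.

-- 1. Audit: list every grantee that holds CONNECT on the current database.
--    GRANTEETYPE: U = user, G = group, R = role.
SELECT GRANTEE, GRANTEETYPE, GRANTOR
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y'
 ORDER BY GRANTEETYPE, GRANTEE;

-- 2. Grant CONNECT to a trusted role first, so legitimate users are not
--    locked out once PUBLIC loses the authority. A group or individual
--    users can be used instead of a role.
CREATE ROLE CONNECT_USERS;
GRANT CONNECT ON DATABASE TO ROLE CONNECT_USERS;
GRANT ROLE CONNECT_USERS TO USER APPUSER1;

-- 3. Remove the exposure named in the local fix.
REVOKE CONNECT ON DATABASE FROM PUBLIC;

-- 4. Verify: this query should return no rows.
SELECT GRANTEE
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND CONNECTAUTH = 'Y';
```

A database created without the RESTRICTIVE option grants CONNECT to PUBLIC by default, so the audit in step 1 is worth running on each database hosted on an affected Windows 2008 server.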
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users on Windows 2008                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Special group and user enumeration operation on the DB2      *
    * server or DB2 Administrator Server (DAS) could trap when     *
    * running on Windows 2008. The group and user enumeration      *
    * affected is not part of the normal connect or database       *
    * authorization checking processing. The vulnerability         *
    * requires a valid database connection to exploit.             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Do not grant connection privilege to PUBLIC.  Grant connect  *
    * to trusted users, roles or groups, only.                     *
    ****************************************************************
    

Problem conclusion

  • Fixed in DB2 v9.7 Fixpack 2
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC66643

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    970

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-02-24

  • Closed date

    2010-08-30

  • Last modified date

    2010-08-30

  • APAR is sysrouted FROM one or more of the following:

    IC66099

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R910 PSN

       UP

  • R950 PSN

       UP

  • R970 PSN

       UP




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.7

Reference #:

IC66643

Modified date:

2010-08-30
