IC68015: SECURITY: FUNCTIONS ARE NOT INVALIDATED NOR DROPPED ALTHOUGH OWNER LOSES PRIVILEGES VIA PUBLIC TO ACCESS UNDERLYING OBJECTS.

APAR status

  • Closed as program error.

Error description

  • When privileges on a database object are revoked from PUBLIC,
    the dependent functions are not being marked INVALID.  Hence,
    users with execute privilege on the function are still able to
    call it successfully.  If already impacted by this APAR,
    affected functions should either be dropped and recreated
    manually or the owner of the functions should be granted
    sufficient privilege to access underlying database objects as
    appropriate.
    

Local fix

  • Grant and revoke privileges to specific users, groups or roles
    on database objects that user defined functions depend on
    instead of to PUBLIC.  Otherwise, apply DB2 Version 9.7 Fix Pack
    3.
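
An audit sketch for the workaround above, added here as an example and not taken from IBM's APAR text. It assumes the DB2 LUW catalog views SYSCAT.ROUTINES, SYSCAT.ROUTINEDEP and SYSCAT.TABAUTH; the names APP.ORDERS and FNOWNER are hypothetical, and only SELECT on tables and views is checked.

```sql
-- Added example (not IBM's code). Catalog views assumed: SYSCAT.ROUTINES,
-- SYSCAT.ROUTINEDEP, SYSCAT.TABAUTH. APP.ORDERS and FNOWNER are hypothetical.

-- Step 1: list user-defined functions that read a table or view which is
-- readable through PUBLIC while the function owner holds no direct SELECT
-- grant on it. These are the functions that rely on PUBLIC.
-- Owners who are covered through a role or through database authorities
-- (for example DBADM or DATAACCESS) are still reported; review those rows
-- manually.
SELECT r.ROUTINESCHEMA, r.ROUTINENAME, r.SPECIFICNAME, r.OWNER,
       d.BSCHEMA, d.BNAME, r.VALID
FROM   SYSCAT.ROUTINES r
JOIN   SYSCAT.ROUTINEDEP d
       ON  d.ROUTINESCHEMA = r.ROUTINESCHEMA
       AND d.SPECIFICNAME  = r.SPECIFICNAME
JOIN   SYSCAT.TABAUTH p
       ON  p.TABSCHEMA   = d.BSCHEMA
       AND p.TABNAME     = d.BNAME
       AND p.GRANTEE     = 'PUBLIC'
       AND p.GRANTEETYPE = 'G'
       AND p.SELECTAUTH IN ('Y', 'G')
WHERE  r.ROUTINETYPE = 'F'              -- functions only
  AND  d.BTYPE IN ('T', 'V')            -- table and view dependencies
  AND  r.ROUTINESCHEMA NOT LIKE 'SYS%'  -- skip system-supplied routines
  AND  NOT EXISTS (
         SELECT 1
         FROM   SYSCAT.TABAUTH o
         WHERE  o.TABSCHEMA   = d.BSCHEMA
           AND  o.TABNAME     = d.BNAME
           AND  o.GRANTEE     = r.OWNER
           AND  o.GRANTEETYPE = 'U'
           AND  o.SELECTAUTH IN ('Y', 'G'))
ORDER  BY r.ROUTINESCHEMA, r.ROUTINENAME;

-- Step 2: for each reported dependency, grant the privilege explicitly to
-- the function owner first, then remove the PUBLIC grant. Callers keep
-- only EXECUTE on the function.
GRANT  SELECT ON TABLE APP.ORDERS TO USER FNOWNER;
REVOKE SELECT ON TABLE APP.ORDERS FROM PUBLIC;

-- Step 3: re-run the query from step 1. It should return no rows for
-- APP.ORDERS once access no longer flows through PUBLIC.
```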
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 Version 9.7 GA through to Fix Pack 2 servers         *
    * on Linux, Unix and Windows that rely on privileges to PUBLIC *
    * to control privileges.                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Incorrect checking leads to an exposure where users are      *
    * still able to use functions that depend on other database    *
    * objects, for which privileges have been revoked via PUBLIC.  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Grant privileges explicitly to groups, roles or users        *
    * instead of relying on privileges via PUBLIC.                 *
    ****************************************************************
    

Problem conclusion

  • Problem first fixed in DB2 Version 9.7 Fix Pack 3 and all
    subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC68015

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    970

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-04-19

  • Closed date

    2010-09-14

  • Last modified date

    2010-09-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC69537

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R970 PSN

       UP



Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.7

Reference #:

IC68015

Modified date:

2010-09-20
