IC70539: SECURITY: REMOTE BUFFER OVERFLOW VULNERABILITY IN DB2 ADMINISTRATIVE SERVER
Fixes are available
DB2 Version 9.7 Fix Pack 3 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 4 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 5 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 6 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 8 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 9a for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 10 for Linux, UNIX, and Windows
APAR status
Closed as program error.
Error description
A buffer overflow vulnerability exists in the DB2 Administrative Server (DAS). The vulnerability can cause a trap in DAS, resulting in a denial of service, or can lead to an escalation of privileges. This vulnerability does not affect the DB2 server. This problem was reported to IBM by an anonymous researcher working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com).
Local fix
If you are not using DAS, ensure that DAS is not started.
Problem summary
USERS AFFECTED: Users of the DB2 Administrative Server.
PROBLEM DESCRIPTION: See Error Description.
RECOMMENDATION: Upgrade to DB2 Version 9.7 Fix Pack 3 or do not start DAS if DAS is not needed.
Problem conclusion
The problem was first fixed in DB2 Version 9.7 Fix Pack 3.
Temporary fix
See Local Fix.
Comments
APAR Information
APAR number: IC70539
Reported component name: DB2 FOR LUW
Reported component ID: DB2FORLUW
Reported release: 970
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2010-08-12
Closed date: 2011-01-27
Last modified date: 2011-01-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name: DB2 FOR LUW
Fixed component ID: DB2FORLUW
Applicable component levels:
R910 PSN UP
R950 PSN UP
R970 PSN UP
Document information
More support for:
DB2 for Linux, UNIX and Windows
Software version: 9.7
Reference #: IC70539
Modified date: 27 January 2011