IBM Support

IC71413: Users able to update statistics for tables without appropriate privileges

APAR status

  • Closed as program error.

Error description

  • Users can update the statistics columns in SYSSTAT.TABLES for
    tables on which they do not hold the appropriate privileges.
    A malicious user may therefore be able to degrade query
    performance by modifying table statistics through this view.
    
    Normally, to update the statistics for a table via this view,
    you must have CONTROL or explicit DATAACCESS privilege on the
    table. This APAR fix addresses this problem.
    

Local fix

  • Revoke UPDATE privilege from PUBLIC on the SYSSTAT.TABLES view
    until this APAR is applied. Namely, run:
    
    revoke update on sysstat.tables from public
    
    You may continue updating statistics with appropriate privileges
    via the SYSCAT.TABLES view if needed, which is not affected by
    this problem.
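
    The workaround above with a before-and-after check against the catalog, as an added example that is not part of the original APAR text. It assumes a connection to the affected database with authority to revoke the privilege, and reads grants from the standard SYSCAT.TABAUTH catalog view.

```sql
-- Added example, not IBM's own script.
-- 1. Before the change: list every grantee that holds UPDATE on SYSSTAT.TABLES.
--    UPDATEAUTH is 'Y' (held) or 'G' (held and grantable).
--    PUBLIC appears as GRANTEE = 'PUBLIC' with GRANTEETYPE = 'G' (group).
SELECT GRANTEE, GRANTEETYPE, GRANTOR, UPDATEAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'SYSSTAT'
   AND TABNAME   = 'TABLES'
   AND UPDATEAUTH IN ('Y', 'G')
 ORDER BY GRANTEE;

-- 2. The workaround stated in this APAR.
REVOKE UPDATE ON SYSSTAT.TABLES FROM PUBLIC;

-- 3. After the change: a count of 0 confirms PUBLIC no longer holds UPDATE.
SELECT COUNT(*) AS PUBLIC_UPDATE_GRANTS
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'SYSSTAT'
   AND TABNAME   = 'TABLES'
   AND GRANTEE   = 'PUBLIC'
   AND UPDATEAUTH IN ('Y', 'G');
```

    Grantees other than PUBLIC that step 1 lists keep their UPDATE privilege on the view after the revoke, so review that list as well.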
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * DB2 Version 9.5 GA through to Fix Pack 6 servers on Linux,   *
    * Unix and Windows platforms.                                  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * A user may gain unauthorized access to the catalog data in a *
    * SYSSTAT view.                                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply DB2 Version 9.5 Fix Pack 7 and run the db2updv95       *
    * utility.                                                     *
    ****************************************************************
    

Problem conclusion

  • First fixed in DB2 Version 9.5 Fix Pack 7 and all subsequent Fix
    Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC71413

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    950

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-09-23

  • Closed date

    2011-04-26

  • Last modified date

    2011-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC72118 IC72119

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R950 PSN

       UP



Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 9.5

Reference #: IC71413

Modified date: 26 April 2011