Skip to main content

IC80728: SECURITY: REMOTE ESCALATION OF PRIVILEGE VULNERABILITY IN DAS (CVE-2012-0711).


Fixes are available

DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • There is a security vulnerability in the DB2 Administration
Server (DAS) which a malicious user can remotely
exploit to gain elevated privilege or to cause a denial of
service.

This vulnerability does not apply to DAS running on the
Windows platforms.

This problem was reported to IBM by an anonymous researcher
working with the iDefense Vulnerability Contributor Program
(VCP).

Local fix

  • DB2 installs DAS by default. However, DAS is only required for
using the Control Center tools or performing remote
administration.  If you do not use these features then do not
enable DAS.

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All DB2 systems on all Linux and Unix platforms at service   *
* levels from Version 9.5 GA through to Version 9.5 Fix Pack   *
* 8.                                                           *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description.                                       *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to DB2 Version 9.5 Fix Pack 9 or see "Local Fix"     *
* portion for other suggestions.                               *
****************************************************************

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
9.5 Fix Pack 9 and all the subsequent Fix Packs.

Temporary fix

  •  
    • 
  
 
  
Comments
 
  
     
   
  •  
    • 
  
 
  
APAR Information
 
  
 
   
     
    
  • APAR number
    IC80728
    •  
    
  • Reported component name
    DB2 FOR LUW
    •  
    
  • Reported component ID
    DB2FORLUW
    •  
    
  • Reported release
    950
    •  
    
  • Status
    CLOSED PER
    •  
    
  • PE
    NoPE
    •  
    
  • HIPER
    NoHIPER
    •  
    
  • Special Attention
    NoSpecatt
    •  
    
  • Submitted date
    2012-01-09
    •  
    
  • Closed date
    2012-03-06
    •  
    
  • Last modified date
    2012-07-06
    •  
   
 
  
 
  
     
   
  • APAR is sysrouted FROM one or more of the following:
     
     IC80561
     
    •  
   
  • APAR is sysrouted TO one or more of the following:
     
    •  
  
 
  
Fix information
 
  
     
   
  • Fixed component name
    DB2 FOR LUW
    •  
   
  • Fixed component ID
    DB2FORLUW
    •  
  
 
  
Applicable component levels
 
  
     
   
  • R910 PSN
       UP
    •  
   
  • R950 PSN
       UP
    •  
   
  • R970 PSN
       UP
    •  
  
 
 
 

 









Rate this page:



(0 users)Average rating 





















	
	
	
	
	









	



























Copyright and trademark information



	
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.































Rate this page:






(0 users)Average rating









Add comments














Document information





	
DB2 for Linux, UNIX and Windows


	




	
Software version:

	9.5

	





	
Reference #:

IC80728






Modified date:

2012-07-06








Translate my page














































 



Content navigation