IC81379: SECURITY: DENIAL OF SERVICE SECURITY VULNERABILITY IN DB2'S XML FEATURE (CVE-2012-0712).

Fixes are available

DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows

APAR status

Closed as program error.

Error description

There is a security vulnerability in the DB2's XML Feature which
would allow an authenticated, malicious user to remotely
cause a denial of service.  To exploit the vulnerability, the
user would need to have valid security credentials, and CONNECT
privilege to the database.

Local fix

The vulnerability could be mitigated by revoking CONNECT
privilege from public:

REVOKE CONNECT ON DATABASE FROM PUBLIC

Problem summary

****************************************************************
* USERS AFFECTED:                                              *
* All DB2 systems on all Linux, Unix and Windows platforms at  *
* service levels from Version 9.5 GA through to Version 9.5    *
* Fix Pack 8.                                                  *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description.                                       *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to DB2 Version 9.5 Fix Pack 9 or see "Local Fix"     *
* portion for other suggestions.                               *
****************************************************************

Problem conclusion

The complete fix for this problem first appears in DB2 Version
9.5 Fix Pack 9 and all the subsequent Fix Packs.

Temporary fix

Comments

APAR Information

APAR number
IC81379
Reported component name
DB2 FOR LUW
Reported component ID
DB2FORLUW
Reported release
950
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-02-13
Closed date
2012-03-06
Last modified date
2012-07-06

APAR is sysrouted FROM one or more of the following:

IC80736
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
DB2 FOR LUW
Fixed component ID
DB2FORLUW

Applicable component levels

R950 PSN
UP
R970 PSN
UP

Rate this page:

(0 users)Average rating

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

DB2 for Linux, UNIX and Windows

Software version:
9.5

Reference #:
IC81379

Modified date:
2012-07-06

IC81379: SECURITY: DENIAL OF SERVICE SECURITY VULNERABILITY IN DB2'S XML FEATURE (CVE-2012-0712).

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R950 PSN

R970 PSN

Rate this page:

Copyright and trademark information

Rate this page:

Add comments

Document information

Translate my page

Content navigation

Footer links