IC81387: SECURITY: UNAUTHORIZED ACCESS TO TABLES

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • There is a security vulnerability in DB2 servers which an
    authenticated, malicious user to read data from a table for
    which they do not have the authority to view.
    
    To exploit this vulnerability, the user needs to have valid
    security credentials, and CONNECT and CREATEIN privileges
    to the database.
    

Local fix

  • This vulnerability can be mitigated by revoking the CONNECT and
    CREATEIN privileges from PUBLIC.  You can revoke the CONNECT and
    CREATEIN privileges from PUBLIC by issuing the following
    statements: revoke
    
    REVOKE CONNECT ON DATABASE FROM PUBLIC
    REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 systems on all Linux, Unix and Windows platforms at  *
    * service levels from Version 9.5 GA through to Version 9.5    *
    * Fix Pack 8.                                                  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 9.5 Fix Pack 9 or see "Local Fix"     *
    * portion for other suggestions.                               *
    ****************************************************************
    

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
    9.5 Fix Pack 9 and all the subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC81387

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    950

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-02-13

  • Closed date

    2012-03-05

  • Last modified date

    2012-03-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC81390 IC81836

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R950 PSN

       UP

  • R970 PSN

       UP

  • R980 PSN

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.5

Reference #:

IC81387

Modified date:

2012-03-06

Translate my page

Machine Translation

Content navigation