Skip to main content

IC81390: SECURITY: UNAUTHORIZED ACCESS TO TABLES


Fixes are available

DB2 Version 9.7 Fix Pack 6 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 8 for Linux, UNIX, and Windows

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • There is a security vulnerability in DB2 servers which could
allow
an authenticated, malicious user to read data from a table for
which they do not have the authority to view.

To exploit this vulnerability, the user needs to have valid
security credentials, and CONNECT and CREATEIN privileges
to the database.

Local fix

  • This vulnerability can be mitigated by revoking the CONNECT and
CREATEIN privileges from PUBLIC.  You can revoke the CONNECT and
CREATEIN privileges from PUBLIC by issuing the following
statements: revoke

REVOKE CONNECT ON DATABASE FROM PUBLIC
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All DB2 systems on all Linux, Unix and Windows platforms at  *
* service levels Version 9.7 GA  through to Version 9.7 Fix    *
* Pack 5.                                                      *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to DB2 Version 9.7 Fix Pack 6 or see "Local Fix"     *
* portion for other suggestions.                               *
****************************************************************

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
9.7 Fix Pack 6 and all the subsequent Fix Packs.

Temporary fix

  •  
    • 
  
 
  
Comments
 
  
     
   
  •  
    • 
  
 
  
APAR Information
 
  
 
   
     
    
  • APAR number
    IC81390
    •  
    
  • Reported component name
    DB2 FOR LUW
    •  
    
  • Reported component ID
    DB2FORLUW
    •  
    
  • Reported release
    970
    •  
    
  • Status
    CLOSED PER
    •  
    
  • PE
    NoPE
    •  
    
  • HIPER
    NoHIPER
    •  
    
  • Special Attention
    NoSpecatt
    •  
    
  • Submitted date
    2012-02-13
    •  
    
  • Closed date
    2012-05-31
    •  
    
  • Last modified date
    2012-05-31
    •  
   
 
  
 
  
     
   
  • APAR is sysrouted FROM one or more of the following:
     
     IC81387
     
    •  
   
  • APAR is sysrouted TO one or more of the following:
     
    •  
  
 
  
Fix information
 
  
     
   
  • Fixed component name
    DB2 FOR LUW
    •  
   
  • Fixed component ID
    DB2FORLUW
    •  
  
 
  
Applicable component levels
 
  
     
   
  • R950 PSN
       UP
    •  
   
  • R970 PSN
       UP
    •  
   
  • R980 PSN
       UP
    •  
  
 
 
 

 









Rate this page:



(0 users)Average rating 





















	
	
	
	
	









	



























Copyright and trademark information



	
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.































Rate this page:






(0 users)Average rating









Add comments














Document information





	
DB2 for Linux, UNIX and Windows


	




	
Software version:

	9.7

	





	
Reference #:

IC81390






Modified date:

2012-05-31








Translate my page














































 



Content navigation