Skip to main content

IC81837: SECURITY: DENIAL OF SERVICE SECURITY VULNERABILITY IN DB2'S XML FEATURE (CVE-2012-0712).


Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • There is a security vulnerability in the DB2's XML Feature which
would allow an authenticated, malicious user to remotely
cause a denial of service.  To exploit the vulnerability, the
user would need to have valid security credentials, and CONNECT
and CREATEIN privilege to the database.

Local fix

  • The vulnerability could be mitigated by revoking CONNECT and
CREATEIN privilege from public.

REVOKE CONNECT ON DATABASE FROM PUBLIC
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC

REVOKE CONNECT ON DATABASE FROM PUBLIC
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All DB2 systems on all Linux, Unix and Windows platforms at  *
* service levels Version 9.8 GA  through to Version 9.8 Fix    *
* Pack 4.                                                      *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to DB2 Version 9.8 Fix Pack 5.                       *
****************************************************************

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
9.8 Fix Pack 5 and all the subsequent Fix Packs.

Temporary fix

  •  
    • 
  
 
  
Comments
 
  
     
   
  •  
    • 
  
 
  
APAR Information
 
  
 
   
     
    
  • APAR number
    IC81837
    •  
    
  • Reported component name
    DB2 FOR LUW
    •  
    
  • Reported component ID
    DB2FORLUW
    •  
    
  • Reported release
    980
    •  
    
  • Status
    CLOSED PER
    •  
    
  • PE
    NoPE
    •  
    
  • HIPER
    NoHIPER
    •  
    
  • Special Attention
    NoSpecatt
    •  
    
  • Submitted date
    2012-03-06
    •  
    
  • Closed date
    2012-05-30
    •  
    
  • Last modified date
    2012-06-11
    •  
   
 
  
 
  
     
   
  • APAR is sysrouted FROM one or more of the following:
     
     IC80736
     
    •  
   
  • APAR is sysrouted TO one or more of the following:
     
    •  
  
 
  
Fix information
 
  
     
   
  • Fixed component name
    DB2 FOR LUW
    •  
   
  • Fixed component ID
    DB2FORLUW
    •  
  
 
  
Applicable component levels
 
  
     
   
  • R950 PSN
       UP
    •  
   
  • R970 PSN
       UP
    •  
   
  • R980 PSN
       UP
    •  
  
 
 
 

 









Rate this page:



(0 users)Average rating 





















	
	
	
	
	









	



























Copyright and trademark information



	
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.































Rate this page:






(0 users)Average rating









Add comments














Document information





	
DB2 for Linux, UNIX and Windows


	




	
Software version:

	9.8

	





	
Reference #:

IC81837






Modified date:

2012-06-11








Translate my page














































 



Content navigation