IC85513: SECURITY: The UTL_FILE COULD ALLOW UNAUTHORIZED ACCESS TO FILES (CVE-2012-3324).


APAR status

  • Closed as program error.

Error description

  • The UTL_FILE module contains a security vulnerability that
    permits the routines within it to view, modify and delete files
    outside the intended directory.  The vulnerability applies only
    to DB2 servers running on Windows.
    
    UTL_FILE is a built-in module containing routines used by DB2
    applications to access files located on the DB2 server.  By
    design, the files it can operate on are constrained to the
    directory specified by the first parameter.  The vulnerability
    lies in the processing of the file name: the constraint can be
    circumvented if the file name contains directory path
    components.
    
    The privilege to execute the routines in UTL_FILE is, by
    default, not granted to PUBLIC.  Hence, a general user (PUBLIC)
    that has not been directly or indirectly granted the privilege
    will not be able to execute any routine in UTL_FILE directly.
    However, applications and stored procedures that make use of
    UTL_FILE are vulnerable if they accept user input and pass the
    input value directly to routines in UTL_FILE.
    

Local fix

  • To better control who holds the EXECUTE privilege, revoke
    EXECUTE privilege from PUBLIC if it has been granted and grant
    it only to users who need it.  Review applications and ensure
    user input is not passed directly to routines in UTL_FILE.
    Ensure the file names are not qualified with any paths.
    
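The last two recommendations amount to an input check in the application layer: a value that reaches a UTL_FILE routine as a file name must be a bare name with no directory component. The following validator is an added example, not code from the APAR or from IBM; it applies Windows path rules (both separators, drive letters, UNC prefixes) since that is the affected platform, and the character allowlist it enforces is an assumption chosen to be conservative rather than anything the bulletin prescribes.

```python
import ntpath
import re

# Conservative allowlist for a bare file name (assumption, not from the APAR):
# letters, digits, dot, underscore, hyphen; must start with a letter or digit.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_utl_file_name(name: str) -> bool:
    """Return True only if `name` is a plain file name with no path component.

    ntpath is used deliberately (even when this runs on Linux) so the check
    reflects the Windows rules that apply to the vulnerable DB2 servers.
    """
    if not isinstance(name, str) or not name or "\x00" in name:
        return False
    # Reject drive-qualified names ("C:x") and UNC prefixes ("\\server\share\x").
    drive, rest = ntpath.splitdrive(name)
    if drive:
        return False
    # Reject anything with a directory component: "..\x", "sub/x", "\x".
    if ntpath.basename(rest) != rest:
        return False
    # Reject the pseudo-directories and names Windows silently normalises.
    if name in (".", "..") or name.endswith((".", " ")):
        return False
    return _SAFE_NAME.fullmatch(name) is not None


def require_safe_utl_file_name(name: str) -> str:
    """Gate to call before handing a user-supplied name to a UTL_FILE routine."""
    if not is_safe_utl_file_name(name):
        raise ValueError("file name must not contain path components: %r" % (name,))
    return name


# Constructed sample inputs, as an application might receive them.
SAMPLE_INPUTS = {
    "report.txt": True,
    "a.b-c_1.log": True,
    "..\\..\\db2diag.log": False,   # parent-directory traversal
    "sub/report.txt": False,        # forward slash also separates on Windows
    "C:report.txt": False,          # drive-relative name
    "\\\\server\\share\\x.txt": False,  # UNC path
    "..": False,
    "": False,
}
```

Run the checks in `SAMPLE_INPUTS` through `is_safe_utl_file_name` to see which values would be accepted; only the two bare names pass.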

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Users using system module routines on a Windows machine.     *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Security Bulletin:  IBM DB2 Security Vulnerability in    *
    * the UTL_FILE module (CVE-2012-3324)                          *
    * http://www.ibm.com/support/docview.wss?uid=swg21611040       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 10.1 Fix Pack 1                       *
    ****************************************************************
    

Problem conclusion

  • The problem was first fixed in DB2 Version 10.1 Fix Pack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC85513

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    A10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-07-25

  • Closed date

    2012-09-17

  • Last modified date

    2012-09-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R970 PSN

       UP

  • R980 PSN

       UP

  • RA10 PSN

       UP




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

10.1

Reference #:

IC85513

Modified date:

2012-09-17
