IC94758: SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)


APAR status

  • Closed as program error.

Error description

  • DB2 servers contain a security vulnerability that could allow an
    authenticated user to temporarily gain SELECT, INSERT, UPDATE or
    DELETE privileges on a table. To exploit the vulnerability, the
    user would need a valid security credential to connect to the
    database and EXPLAIN, SQLADM or DBADM authority.
    
    Under unspecified conditions, a user with one of the above
    authorities would be able to execute a DML statement such as
    SELECT, INSERT, UPDATE or DELETE on a table that they do not hold
    authority for. Only DML statements are affected.
    
    The following query will show which user has EXPLAIN / SQLADM /
    DBADM authority but no DATAACCESS authority:
    
    select substr(grantor,1,10) grantor,
           substr(grantee,1,20) grantee,
           granteetype, explainauth, dbadmauth, sqladmauth, dataaccessauth
    from   SYSCAT.DBAUTH
    where  dataaccessauth = 'N'
    and   (explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y')
    
    GRANTOR    GRANTEE              GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH DATAACCESSAUTH
    ---------- -------------------- ----------- ----------- --------- ---------- --------------
    MYSECADM   BOB                  U           Y           N         N          N
    MYSECADM   ROLE_DBADM           R           N           Y         N          N
    MYSECADM   ROLE_SQLADM          R           N           N         Y          N
    MYSECADM   ROLE_EXPLAIN         R           Y           N         N          N
    MYSECADM   ALEX                 U           N           Y         N          N
    MYSECADM   JOHN                 U           N           N         Y          N
    
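    The APAR's query lists direct grants only; in the sample output three
    of the affected grantees are roles (GRANTEETYPE = 'R'), so any user or
    group that holds one of those roles is equally exposed but does not
    appear by name. The following audit query is an added example, not
    part of the APAR, that extends the check above by resolving role
    membership through SYSCAT.ROLEAUTH. It assumes the standard DB2 LUW
    catalog views SYSCAT.DBAUTH and SYSCAT.ROLEAUTH with their usual
    column names; nested roles (a role granted to another role) are not
    followed.

```sql
-- Added example (not from the APAR): list every principal that holds
-- EXPLAIN, SQLADM or DBADM authority without DATAACCESS, either directly
-- or through a role. Assumes DB2 LUW catalog views SYSCAT.DBAUTH and
-- SYSCAT.ROLEAUTH.
WITH risky AS (
  SELECT grantee, granteetype, explainauth, dbadmauth, sqladmauth
  FROM   syscat.dbauth
  WHERE  dataaccessauth = 'N'
  AND   (explainauth = 'Y' OR dbadmauth = 'Y' OR sqladmauth = 'Y')
)
-- Branch 1: authorities granted directly to a user (U) or group (G)
SELECT r.grantee     AS principal,
       r.granteetype AS principal_type,
       '(direct)'    AS via_role,
       r.explainauth, r.dbadmauth, r.sqladmauth
FROM   risky r
WHERE  r.granteetype <> 'R'
UNION ALL
-- Branch 2: authorities reaching a principal through a role grant;
-- skip principals that already hold DATAACCESS in their own right,
-- since for them the privilege is legitimate rather than escalated
SELECT ra.grantee, ra.granteetype, r.grantee,
       r.explainauth, r.dbadmauth, r.sqladmauth
FROM   risky r
JOIN   syscat.roleauth ra ON ra.rolename = r.grantee
WHERE  r.granteetype = 'R'
AND    NOT EXISTS (SELECT 1
                   FROM   syscat.dbauth d
                   WHERE  d.grantee     = ra.grantee
                   AND    d.granteetype = ra.granteetype
                   AND    d.dataaccessauth = 'Y')
ORDER BY principal, via_role;
```

    Run it as a user with SELECT on the catalog views. Every row it returns
    is a principal that should be reviewed before and after applying the
    Fix Pack: if the extra authority is not required, revoking it closes
    the exposure on unpatched servers without waiting for the upgrade.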

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 Server systems on all Linux, Unix and Windows        *
    * platforms at Version 10.5 GA .                               *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 10.5 Fix Pack 1                       *
    ****************************************************************
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IC94758

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    A50

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-08-08

  • Closed date

    2013-09-12

  • Last modified date

    2013-12-16

  • APAR is sysrouted FROM one or more of the following:

    IC94523

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R970 PSN

       UP

  • R980 PSN

       UP

  • RA10 PSN

       UP

  • RA50 PSN

       UP




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

10.5

Reference #:

IC94758

Modified date:

2013-12-16
