IBM Support

IT03761: Security: Unauthorized Access to user data vulnerability in DB2 during certain LOAD operations into CDE tables (CVE-2014-4805)

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • During certain LOAD operations into Columnar Data Engine (CDE)
    tables,  a temporary file may be created with a copy of user
    data. This file is created such that it is not only readable by
    DB2 instance owner but also anyone else in the same user group
    as the instance owner. As the file only exists for the duration
    of LOAD command and is automatically removed on completion (both
    success and error), hence the vulnerability exists only
    temporarily.
    
    Refer to security bulletin below for details:
    http://www-01.ibm.com/support/docview.wss?uid=swg21681723
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 systems on all Linux, Unix and Windows platforms at  *
    * service levels Version 10.5 GA through to Version 10.5 Fix   *
    * Pack 3.                                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 10.5 Fix Pack 4.                      *
    * Refer to security bulletin for remediation:                  *
    * http://www-01.ibm.com/support/docview.wss?uid=swg21681723    *
    ****************************************************************
    

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
    10.5 Fix Pack 4 and all the subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT03761

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    A50

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-08-13

  • Closed date

    2014-08-29

  • Last modified date

    2014-08-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • RA50 PSN

       UP



Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 10.5

Reference #: IT03761

Modified date: 29 August 2014