IY94817: SECURITY: DB2DIAG.LOG SYMBOLIC LINK OVERWRITE VULNERABILITY


APAR status

  • Closed as program error.

Error description

  • Error Description:
    
    A vulnerability exists in several set-uid DB2 binaries that can
    be exploited by a local user.  The vulnerability allows a local
    user to write to any file on the system through the use of
    symbolic links (also known as symlinks or soft links). This
    problem does not affect Windows systems.
    
    This problem was reported to iDefense by an anonymous researcher
    working with the iDefense Vulnerability Contributor Program.
    

Local fix

Problem summary

  • Users affected: All DB2 products on Linux and UNIX
    Problem description: Refer to Error Description.  If this APAR
    is not applied, your system is susceptible to a security
    vulnerability.
    Problem summary: Refer to Error Description.
    

Problem conclusion

  • Problem was first fixed in Version 9 Fix Pack 2 (s070210)
    

Temporary fix

Comments

APAR Information

  • APAR number

    IY94817

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-02-12

  • Closed date

    2007-02-22

  • Last modified date

    2007-07-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IY95104

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R910 PSY UP

       IY94817




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

910

Reference #:

IY94817

Modified date:

2007-07-20
