IZ01828: SECURITY VULNERABILITY IN AUTH_LIST_GROUPS_FOR_AUTHID.

APAR status

  • Closed as program error.

Error description

  • Exploitation of an issue in the AUTH_LIST_GROUPS_FOR_AUTHID
    function could allow an attacker to cause a denial of service
    or execute arbitrary code on the database server system.  On
    Windows systems, the attacker may be able to obtain
    Administrator privileges.  This flaw could be exploited
    remotely by any user who is able to establish a database
    connection.  This flaw affects DB2 9 on all platforms. This
    flaw does not exist in versions of DB2 prior to DB2 9.
    This flaw was reported to IBM by Ariel Sanchez of Application
    Security, Inc.
    

Local fix

  • The complete fix for this problem first appears in DB2 Version
    9 Fix Pack 3.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This flaw affects DB2 9 on all platforms.  This flaw does not
    exist in versions of DB2 prior to DB2 9.
    ****************************************************************
    PROBLEM DESCRIPTION:
    Exploitation of an issue in the AUTH_LIST_GROUPS_FOR_AUTHID
    function could allow an attacker to cause a denial of service or
    execute arbitrary code on the database server system.  On
    Windows systems, the attacker may be able to obtain
    Administrator privileges.  This flaw could be exploited remotely
    by any user who is able to establish a database connection.
    ****************************************************************
    RECOMMENDATION:
    Install V9 FP3
    ****************************************************************
    

Problem conclusion

  • The vulnerability is removed in V9 FP3
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ01828

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-07-23

  • Closed date

    2007-08-21

  • Last modified date

    2007-08-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R910 PSN

       UP



Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

910

Reference #:

IZ01828

Modified date:

2007-08-23
