IZ08134: SECURITY: REMOTE DENIAL OF SERVICE DURING CONNECT / ATTACH PROCESSING


APAR status

  • Closed as fixed if next.

Error description

  • A malicious CONNECT/ATTACH data stream that simulates a DB2 UDB
    V7 client connect/attach request can cause an instance crash,
    resulting in a denial of service.
    This problem was reported to IBM by Esteban Martinez Fayo and
    Ariel Sanchez of Application Security Inc.
    
    This APAR includes an additional fix that was not included with
    IZ05043 (delivered in V8 fixpak 16) but which was included with
    sysroute APAR IZ07299 (delivered in V9.1 fix pack 5)
    

Local fix

  • Disable or restrict remote access to the database server.
    Disable the DB2 TCP/IP listener if not required (set SVCENAME
    to NULL in the database manager configuration), or use a
    firewall to restrict connections to the DB2 TCP/IP listener
    port.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    ALL
    ****************************************************************
    PROBLEM DESCRIPTION:
    A malicious CONNECT/ATTACH data stream that simulates a DB2 UDB
    V7 client connect/attach request can cause an instance crash,
    resulting in a denial of service.
    ****************************************************************
    RECOMMENDATION:
    Upgrade to db2_v82fp17 (DB2 V8.2 FixPak 17) or higher.
    ****************************************************************
    
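The following POSIX sh script is an added example and is not part of the APAR text or of DB2's own tooling. It ties together the two actions this record calls for: it reads the installed FixPak from db2level and compares it with the FixPak 17 recommendation, and, when the instance is still below that level, it applies the Local fix logic above, reading SVCENAME from the database manager configuration, resolving it to the listener port, and printing either the command that sets SVCENAME to NULL or iptables rules that restrict the port. The db2level and "db2 get dbm cfg" output formats mirrored in the constructed samples, the use of /etc/services as the SVCENAME-to-port map, and iptables as the host firewall are assumptions of this example, not statements from the APAR.

```shell
#!/bin/sh
# Added example, not IBM's text or DB2's own tooling: check a DB2 V8.2 instance
# against the IZ08134 recommendation (FixPak 17) and, if it is below that
# level, emit the "Local fix" mitigations (disable or firewall the listener).
# Assumptions not stated in the APAR: the db2level and "db2 get dbm cfg"
# output formats mirrored in the constructed samples below, /etc/services as
# the SVCENAME-to-port map, and iptables as the host firewall.

FIXED_FIXPAK=17   # "Upgrade to db2_v82fp17 and higher"

# Constructed sample output, used for a dry run when no instance is available.
SAMPLE_DB2LEVEL='Informational tokens are "DB2 v8.1.2.160", "s080919", "WR21440", and FixPak "16".'
SAMPLE_DBM_CFG=' TCP/IP Service name                          (SVCENAME) = db2c_db2inst1'
SAMPLE_SERVICES='db2c_db2inst1   50000/tcp
db2i_db2inst1   50001/tcp'

# FixPak number from db2level output on stdin (empty if not found).
fixpak_from_level() {
    sed -n 's/.*FixPak "\([0-9][0-9]*\)".*/\1/p'
}

# True when the installed FixPak already carries the fix.
fixpak_is_fixed() {
    [ -n "$1" ] && [ "$1" -ge "$FIXED_FIXPAK" ]
}

# SVCENAME value from "db2 get dbm cfg" output on stdin; empty when unset.
svcename_from_cfg() {
    sed -n 's/.*(SVCENAME) *= *//p' | sed 's/[[:space:]]*$//'
}

# Resolve SVCENAME ($1) to a TCP port: numeric values pass through, service
# names are looked up in the services file on stdin. Fails when no listener.
resolve_port() {
    case "$1" in
        '' | NULL) return 1 ;;
        *[!0-9]*) awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' ;;
        *) echo "$1" ;;
    esac
}

# Emit iptables rules that admit only the given CIDRs to the listener port.
firewall_rules() {
    p=$1; shift
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -s $cidr -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $p -j DROP"
}

# The db2 commands that remove the listener entirely, per the APAR's local fix.
disable_listener_cmd() {
    echo 'db2 update dbm cfg using SVCENAME NULL && db2stop force && db2start'
}

# Run against the live instance when the db2 CLI is present, else the samples.
main() {
    if command -v db2 >/dev/null 2>&1; then
        level=$(db2level); cfg=$(db2 get dbm cfg); services=$(cat /etc/services)
    else
        echo "db2 CLI not on PATH; dry run with constructed sample output" >&2
        level=$SAMPLE_DB2LEVEL; cfg=$SAMPLE_DBM_CFG; services=$SAMPLE_SERVICES
    fi
    fp=$(printf '%s\n' "$level" | fixpak_from_level)
    if fixpak_is_fixed "$fp"; then
        echo "FixPak $fp: IZ08134 fix present"; return 0
    fi
    echo "FixPak ${fp:-unknown}: below FixPak $FIXED_FIXPAK, apply local fix"
    svc=$(printf '%s\n' "$cfg" | svcename_from_cfg)
    if port=$(printf '%s\n' "$services" | resolve_port "$svc"); then
        echo "TCP/IP listener active on port $port (SVCENAME=$svc); either:"
        disable_listener_cmd
        echo "or restrict the port, e.g. (replace the CIDR with your app tier):"
        firewall_rules "$port" 10.0.0.0/24
    else
        echo "SVCENAME unset: no TCP/IP listener, remote attack surface closed"
    fi
}

main "$@"
```

Run it as the instance owner so db2level and db2 get dbm cfg see the instance environment; without the db2 CLI on PATH it falls back to the constructed samples and shows the dry-run output. The firewall rules are printed rather than applied, and the 10.0.0.0/24 allowlist is a placeholder to be replaced with the address ranges of the clients that legitimately reach the listener.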

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IZ08134

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    820

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-11-06

  • Closed date

    2008-09-04

  • Last modified date

    2008-09-04

  • APAR is sysrouted FROM one or more of the following:

    IZ05043

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R820 PSY

       UP




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

820

Reference #:

IZ08134

Modified date:

2008-09-04
