

IZ36534: SECURITY: MALICIOUS CONNECT DATA STREAM CAN CAUSE DENIAL OF SERVICE.


APAR status

  • Closed as program error.

Error description

  • A malicious connect data stream can cause the DB2 server
    to go into an infinite loop, incapacitating the server.

    This problem was reported to IBM by Dennis Yurichev.

Local fix

  • In the past, we recommended setting DB2_MINIMUM_CLIENT_LEVEL to
    SQL07031 to disable DB2RA connects (DB2 V7 and lower clients)
    as a workaround for DB2RA connect security vulnerabilities.
    However, this vulnerability is in the DRDA protocol, so that
    workaround does not apply. The DRDA protocol is used by DB2 V8
    (and higher) clients and servers, so there is no local fix;
    see the recommendation below.

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All DB2 systems on all Linux, Unix and Windows platforms at
    service levels from Version 9.1 GA through to Version 9.1 Fix
    Pack 6.
    ****************************************************************
    PROBLEM DESCRIPTION:
    A malicious DRDA connect data stream can cause the DB2 server
    to go into infinite loop, incapacitating the server.
    .
    This problem was reported to IBM by Dennis Yurichev.
    ****************************************************************
    RECOMMENDATION:
    Upgrade to DB2 V9.1 FP6a and above.
    ****************************************************************
    

Problem conclusion

  • The DB2 server will keep the machine busy and the overall
    performance of the machine will degrade.

    The complete fix for this problem first appears in DB2 Version
    9.1 Fix Pack 6a and all the subsequent Fix Packs.

Temporary fix

Comments

APAR Information

  • APAR number

    IZ36534

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-11-03

  • Closed date

    2009-02-13

  • Last modified date

    2009-02-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ37696 IZ37697

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R910 PSN

       UP


Document information

Product categories:

Software

Data Management

Data Servers (Database Management Systems)

DB2 for Linux, UNIX and Windows


Software version:

910


Reference #:

IZ36534


IBM Group:

Software Group


Modified date:

2009-02-13
