IZ37696: SECURITY: MALICIOUS CONNECT DATA STREAM CAN CAUSE DENIAL OF SERVICE.


APAR status

  • Closed as program error.

Error description

  • A malicious connect data stream can cause the DB2 server
    to go into an infinite loop, incapacitating the server.
    This problem was reported to IBM by Dennis Yurichev.

Local fix

  • In the past, we recommended setting DB2_MINIMUM_CLIENT_LEVEL to
    SQL07031 to disable DB2RA connects (DB2 V7 and lower clients)
    as a workaround for DB2RA connect security vulnerabilities.
    However, this vulnerability is in the DRDA protocol, so that
    workaround does not apply.  The DRDA protocol is used by DB2 V8
    (and higher) clients and servers.

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All DB2 systems on all Linux, Unix and Windows platforms at
    service levels from
    Version 8.1 GA through to Version 8.1 Fix Pack 17.
    ****************************************************************
    PROBLEM DESCRIPTION:
    A malicious DRDA connect data stream can cause the DB2 server
    to go into an infinite loop, incapacitating the server.
    This problem was reported to IBM by Dennis Yurichev.
    ****************************************************************
    RECOMMENDATION:
    Upgrade to DB2 Version 8.1 Fix Pack 17a.
    ****************************************************************
    

Problem conclusion

  • The DB2 server will keep the machine busy and the overall
    performance of the machine will degrade.
    The complete fix for this problem first appears in DB2 Version
    8.1 Fix Pack 17a and all the subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ37696

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    820

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-11-17

  • Closed date

    2009-02-13

  • Last modified date

    2009-02-13

  • APAR is sysrouted FROM one or more of the following:

    IZ36534

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R820 PSN

       UP




Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

820

Reference #:

IZ37696

Modified date:

2009-02-13
