Fixes are available
DB2 UDB Version 8.1 FixPak 15 (also known as Version 8.2 FixPak 8 )
DB2 UDB Version 8.1 FixPak 17 (also known as Version 8.2 FixPak 10 )
DB2 UDB Version 8.1 FixPak 17a (also known as Version 8.2 FixPak 10a)
DB2 UDB Version 8.1 FixPak 16 (also known as Version 8.2 FixPak 9 )
DB2 UDB Version 8.1 FixPak 18 (also known as Version 8.2 FixPak 11)
Closed as program error.
It is possible to bypass DB2 authorization checking. This vulnerability can enable a user who holds SELECT privilege on a table to update or delete the contents of the table, even if they do not hold the required update and/or delete privileges.
To work around this vulnerability, users who hold only SELECT privilege must be prevented from creating a table alias or from accessing a table via an alias. This can be effected as follows:

REVOKE implicit_schema on database from public

REVOKE all CREATEIN privileges granted to PUBLIC or to individual users or groups on any schema. To check which schemas have CREATEIN granted, the following SQL can be used:

  select char( GRANTEE, 24 ) as GRANTEE, GRANTEETYPE, char( SCHEMANAME, 24 ) as SCHEMANAME, CREATEINAUTH from SYSCAT.SCHEMAAUTH

e.g.:

  GRANTEE                  GRANTEETYPE SCHEMANAME               CREATEINAUTH
  ------------------------ ----------- ------------------------ ------------
  PUBLIC                   G           TESTUSER                 Y

E.g. to revoke CREATEIN from schema testuser do:

  REVOKE CREATEIN on SCHEMA testuser from PUBLIC

Finally, drop all existing table aliases. If a table alias is still required, a view is suggested as an alternative. Existing aliases can be identified using the following select statement:

  select char( TABSCHEMA, 16 ) as TABSCHEMA, char( TABNAME, 16 ) as TABNAME, char( DEFINER, 16 ) as DEFINER, TYPE, STATUS, char( TBSPACE, 16 ) as TBSPACE from SYSCAT.TABLES where TYPE = 'A'
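The following audit query is an added example, not part of the IBM APAR text. It combines the catalog checks above into one report: every grantee who holds SELECT but neither UPDATE, DELETE nor CONTROL on a user table and who also holds CREATEIN on some schema or IMPLICIT_SCHEMA on the database, i.e. the combination the workaround is meant to eliminate. Column names are those of the DB2 V8 SYSCAT.TABAUTH, SYSCAT.SCHEMAAUTH and SYSCAT.DBAUTH views; treating PUBLIC-held create privileges as applying to every grantee is an assumption of this query.

```sql
-- Added audit query (not from the APAR): who holds SELECT-only on a table
-- but can still create an alias, via CREATEIN on a schema or via
-- IMPLICIT_SCHEMA on the database. Run before and after the workaround.
WITH select_only AS (
  SELECT GRANTEE, GRANTEETYPE, TABSCHEMA, TABNAME
  FROM   SYSCAT.TABAUTH
  WHERE  SELECTAUTH  IN ('Y', 'G')   -- Y = held, G = held with grant option
  AND    UPDATEAUTH  = 'N'
  AND    DELETEAUTH  = 'N'
  AND    CONTROLAUTH = 'N'
  AND    TABSCHEMA NOT LIKE 'SYS%'   -- skip catalog tables
),
can_create AS (
  -- Schema-level path: CREATEIN on any schema
  SELECT GRANTEE, GRANTEETYPE,
         'CREATEIN on ' || RTRIM(SCHEMANAME) AS VIA
  FROM   SYSCAT.SCHEMAAUTH
  WHERE  CREATEINAUTH IN ('Y', 'G')
  UNION ALL
  -- Database-level path: IMPLICIT_SCHEMA lets a user create a new schema
  SELECT GRANTEE, GRANTEETYPE,
         'IMPLICIT_SCHEMA on database' AS VIA
  FROM   SYSCAT.DBAUTH
  WHERE  IMPLSCHEMAAUTH = 'Y'
)
SELECT CHAR(s.GRANTEE, 24)   AS GRANTEE,
       s.GRANTEETYPE,
       CHAR(s.TABSCHEMA, 16) AS TABSCHEMA,
       CHAR(s.TABNAME, 16)   AS TABNAME,
       CHAR(c.VIA, 40)       AS ALIAS_PATH
FROM   select_only s
JOIN   can_create  c
       -- A privilege held by PUBLIC is assumed to apply to every grantee
       ON (c.GRANTEE = s.GRANTEE AND c.GRANTEETYPE = s.GRANTEETYPE)
       OR  c.GRANTEE = 'PUBLIC'
ORDER  BY 1, 3, 4;
```

An empty result after the REVOKE steps, together with an empty result from the TYPE = 'A' query above, indicates the workaround is in place; group membership is not resolved here, so a user who inherits CREATEIN through a group appears only under the group name.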
SECURITY: Alias on table allows override of update / delete privilege
Fixed in fixpak 15 for v8
Reported component name
DB2 UDB WSE WIN
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
DB2 UDB WSE WIN
Fixed component ID
Applicable component levels
R820 PSY UP