JR25941: SECURITY VULNERABILITY RELATED TO INCORRECT AUTHORIZATION CHECKS

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • It is possible to bypass DB2 authorization checking.
    This vulnerability can enable a user who holds SELECT
    privilege on a table to update or delete the contents of
    the table, even if they do not hold the required update
    and/or delete privileges.
    

Local fix

  • To workaround this vulnerability it is necessary to remove the
    ability for users with only select privilege
    from creating a table alias, or accessing a table via an alias.
    This can be effected as follows:
    
    
    REVOKE implicit_schema on database from public
    
    REVOKE all CREATEIN privileges granted to PUBLIC or individual
    users or groups on any schemas :
    
    To check which schemas have CREATEIN granted, the following sql
    can be used :
    
    
    select char( GRANTEE, 24 ) as GRANTEE, GRANTEETYPE, char(
    SCHEMANAME, 24 ) as SCHEMANAME, CREATEINAUTH from
    SYSCAT.SCHEMAAUTH
    
    eg :
    
    GRANTEE GRANTEETYPE SCHEMANAME
    CREATEINAUTH
    ------------------------ ----------- ------------------------
    ------------
    PUBLIC G TESTUSER
    Y
    
    
    Eg to revoke creatin from schema testuser do :
    
    
    REVOKE CREATEIN on SCHEMA testuser from PUBLIC
    
    
    Finally drop all existing table aliases.  If a table alias is
    still required then a view is suggested as an alternative.
    
    Existing aliases can be identified using the following select
    statement :
    
    select char( TABSCHEMA, 16 ) as TABSCHEMA, char( TABNAME, 16 )
    as TABNAME, char( DEFINER, 16 ) as DEFINER, TYPE,
     STATUS, char( TBSPACE, 16 ) as TBSPACE from SYSCAT.TABLES where
    TYPE = 'A'
    

Problem summary

  • USERS AFFECTED:  All DB2 UDB systems on all Linux, Unix, and
    Windows platforms at service levels from Version 9.1 GA through
    9.1 FP1 are vulnerable.
    
    PROBLEM DESCRIPTION:  It is possible to bypass DB2
    authorization checking.  This vulnerability can enable a user
    who holds SELECT privilege on a table to update or
    delete the contents of the table, even if they do not hold the
    required update and/or delete privileges.
    
    PROBLEM SUMMARY:
    If this APAR is not applied table level privileges could be
    overridden.
    

Problem conclusion

  • Problem was first fixed in DB2 UDB V9.1 FP2
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR25941

  • Reported component name

    DB2 UDB WSE WIN

  • Reported component ID

    5765F3501

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-02-12

  • Closed date

    2007-02-22

  • Last modified date

    2007-03-13

  • APAR is sysrouted FROM one or more of the following:

    JR25940

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 UDB WSE WIN

  • Fixed component ID

    5765F3501

Applicable component levels

  • R910 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

910

Reference #:

JR25941

Modified date:

2007-03-13

Translate my page

Machine Translation

Content navigation