Closed as program error.
It is possible to bypass DB2 authorization checking. This vulnerability can enable a user who holds SELECT privilege on a table to update or delete the contents of the table, even if they do not hold the required update and/or delete privileges.
To work around this vulnerability, remove the ability of users who hold only SELECT privilege to create a table alias or to access a table through an alias. This can be effected as follows:

Revoke implicit schema creation from PUBLIC:

    REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC

Revoke all CREATEIN privileges granted to PUBLIC or to individual users or groups on any schema. To check which schemas have CREATEIN granted, the following SQL can be used:

    select char( GRANTEE, 24 ) as GRANTEE, GRANTEETYPE,
           char( SCHEMANAME, 24 ) as SCHEMANAME, CREATEINAUTH
    from SYSCAT.SCHEMAAUTH

e.g.:

    GRANTEE                  GRANTEETYPE SCHEMANAME               CREATEINAUTH
    ------------------------ ----------- ------------------------ ------------
    PUBLIC                   G           TESTUSER                 Y

E.g., to revoke CREATEIN on schema testuser from PUBLIC:

    REVOKE CREATEIN ON SCHEMA testuser FROM PUBLIC

Finally, drop all existing table aliases. If a table alias is still required, a view is suggested as an alternative. Existing aliases can be identified using the following select statement:

    select char( TABSCHEMA, 16 ) as TABSCHEMA, char( TABNAME, 16 ) as TABNAME,
           char( DEFINER, 16 ) as DEFINER, TYPE, STATUS,
           char( TBSPACE, 16 ) as TBSPACE
    from SYSCAT.TABLES where TYPE = 'A'
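The following DB2 SQL script is an added example and is not part of the IBM APAR text. It carries the workaround above through as one audit-and-remediate pass: it lists who holds IMPLICIT_SCHEMA and CREATEIN, generates the matching REVOKE and DROP ALIAS statements for a DBA to review before running, and shows a view standing in for an alias. It assumes DB2 for Linux, UNIX and Windows with the standard SYSCAT catalog views (SYSCAT.DBAUTH and the BASE_TABSCHEMA/BASE_TABNAME columns of SYSCAT.TABLES are standard columns not quoted in the APAR); the schema, alias and table names APP.EMP_ALIAS and HR.EMPLOYEE are constructed placeholders.

```sql
-- Added example, not part of the IBM APAR text. Assumes DB2 LUW with the
-- standard SYSCAT catalog views. Object names are constructed placeholders.

-- 1. Who can create schemas implicitly? IMPLSCHEMAAUTH = 'Y' in SYSCAT.DBAUTH
--    is the database-level privilege the APAR says to revoke from PUBLIC.
SELECT GRANTEE, GRANTEETYPE
FROM   SYSCAT.DBAUTH
WHERE  IMPLSCHEMAAUTH = 'Y';

REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- 2. Generate one REVOKE per CREATEIN grant found in SYSCAT.SCHEMAAUTH.
--    GRANTEETYPE 'G' is a group (PUBLIC shows up this way), 'U' is a user.
--    Review the generated statements before executing them: a schema owner
--    normally holds CREATEIN in their own schema and may still need it.
SELECT 'REVOKE CREATEIN ON SCHEMA ' || RTRIM(SCHEMANAME) || ' FROM '
       || CASE WHEN GRANTEE = 'PUBLIC'   THEN 'PUBLIC'
               WHEN GRANTEETYPE = 'U'    THEN 'USER '  || RTRIM(GRANTEE)
               ELSE                           'GROUP ' || RTRIM(GRANTEE)
          END
       || ';' AS REVOKE_STMT
FROM   SYSCAT.SCHEMAAUTH
WHERE  CREATEINAUTH = 'Y';

-- 3. List every alias together with the base table it resolves to, so the
--    DBA can see which table each alias would have exposed.
SELECT RTRIM(TABSCHEMA) AS ALIAS_SCHEMA, RTRIM(TABNAME) AS ALIAS_NAME,
       RTRIM(BASE_TABSCHEMA) AS BASE_SCHEMA, RTRIM(BASE_TABNAME) AS BASE_TABLE,
       DEFINER
FROM   SYSCAT.TABLES
WHERE  TYPE = 'A';

-- Generate the DROP ALIAS statements for the same set.
SELECT 'DROP ALIAS ' || RTRIM(TABSCHEMA) || '.' || RTRIM(TABNAME) || ';'
       AS DROP_STMT
FROM   SYSCAT.TABLES
WHERE  TYPE = 'A';

-- 4. Where an alias is still required, the APAR suggests a view instead.
--    Constructed example: alias APP.EMP_ALIAS pointed at HR.EMPLOYEE.
DROP ALIAS APP.EMP_ALIAS;
CREATE VIEW APP.EMP_ALIAS AS SELECT * FROM HR.EMPLOYEE;
-- Grant only what the alias users actually held on the base table.
GRANT SELECT ON APP.EMP_ALIAS TO PUBLIC;

-- 5. Re-run the two checks; both should now return no rows.
SELECT COUNT(*) AS REMAINING_CREATEIN FROM SYSCAT.SCHEMAAUTH WHERE CREATEINAUTH = 'Y';
SELECT COUNT(*) AS REMAINING_ALIASES  FROM SYSCAT.TABLES     WHERE TYPE = 'A';
```

The generated REVOKE and DROP lists are meant to be captured to a file and inspected, not piped straight back into the database: the first query will also enumerate CREATEIN grants that legitimate schema owners rely on, and those need a deliberate decision rather than a blanket revoke.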
USERS AFFECTED:
All DB2 UDB systems on all Linux, Unix, and Windows platforms at service levels from Version 9.1 GA through 9.1 FP1 are vulnerable.

PROBLEM DESCRIPTION:
It is possible to bypass DB2 authorization checking. This vulnerability can enable a user who holds SELECT privilege on a table to update or delete the contents of the table, even if they do not hold the required update and/or delete privileges.

PROBLEM SUMMARY:
If this APAR is not applied, table-level privileges could be overridden.
Problem was first fixed in DB2 UDB V9.1 FP2
Reported component name
DB2 UDB WSE WIN
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
DB2 UDB WSE WIN
Fixed component ID
Applicable component levels