IBM Support

Possible security vulnerabilities with Informix Dynamic Server, CSDK, and I-Connect product installers

Troubleshooting


Problem

Two possible security vulnerabilities have been identified with the installation scripts for IBM® Informix® Dynamic Server (IDS), IBM® Informix® Client Software Development Kit (CSDK), and IBM® Informix® Connect.

Symptom

The two possible vulnerabilities are:

  • The default permissions of the installation scripts could allow an unprivileged user to insert code which could compromise security during installation.
  • The installation process creates temporary files in the /tmp directory. It is possible for a user with access to /tmp to link to these files and thereby compromise security.

The APARs reported for these defects are:

Product installer         Install script    APAR ID
IBM® Informix® Connect    installconn

Environment

The following products and operating systems are affected:

Product Name                     Product Version(s)    Hardware Vendor    Operating System
IBM® Informix® Dynamic Server    10.00                 All                Unix, Linux
IBM® Informix® Client SDK        2.90                  All                Unix, Linux
IBM® Informix® Connect           2.90                  All                Unix, Linux

Resolving The Problem

These defects are planned to be addressed in:

Product                          Platform                          Version
IBM® Informix® Dynamic Server    Solaris Opteron, Linux zSeries    10.00.xC5R1
IBM® Informix® Dynamic Server    All others                        10.00.xC6
IBM® Informix® CSDK              All                               2.90.xC4R1
IBM® Informix® Connect           All                               2.90.xC4R1


When these versions are released, contact your local technical support office for an upgrade to the version where the problem is addressed.

You can obtain current information about reported Informix APARs from any of the Informix Product Support Centers. To access one of the Informix Product Support Centers, visit the Informix Product Family Support page.

Important: To access APAR information, you must sign in using an IBM Registration ID. Your free ID is your single point of access to IBM web applications that use IBM Registration. If you are not currently registered, you can register now.

If you are interested in learning more about Authorized Program Analysis Reports, review the Technote: Informix APAR Information.


HOW TO AVOID THIS PROBLEM
  • Change the permissions of the install script for your product to 755.
  • Use the -log option when performing your product installation to redirect the temporary files created to a secure directory.
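
The two workarounds above can be checked before the installer is run. The following is an added example, not IBM code: the function names and the ifx-install.XXXXXX directory name are hypothetical, and the exact argument syntax of the -log option is not shown because this document does not give it.

```shell
#!/bin/sh
# Added example: pre-install checks for the two workarounds listed above.
# All function names here are hypothetical and are not part of the product.

# True if $1 is a regular file (not a symlink) with no group/other write bit.
script_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Workaround 1: set the install script to mode 755, then re-check the result.
harden_script() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    chmod 755 "$1" && script_is_safe "$1"
}

# True if $1 is a real directory owned by the current user with mode 700.
log_dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -u)" -perm 700 -print)" ]
}

# Workaround 2: create a fresh private directory (outside /tmp) for -log output.
# mktemp -d fails if the name already exists, so a pre-planted link is not reused.
make_log_dir() {
    base=${1:-$HOME}
    dir=$(umask 077 && mktemp -d "$base/ifx-install.XXXXXX") || return 1
    log_dir_is_private "$dir" || return 1
    printf '%s\n' "$dir"
}

# Stand-alone use: sh precheck.sh /path/to/installconn [base-dir]
if [ "$#" -ge 1 ]; then
    harden_script "$1" || { echo "unsafe install script: $1" >&2; exit 1; }
    logdir=$(make_log_dir "${2:-$HOME}") || { echo "no private log dir" >&2; exit 1; }
    echo "install script OK; use $logdir for the installer's -log option"
fi
```

The base directory passed to make_log_dir should itself be writable only by the installing user, otherwise the private directory can be renamed or replaced by someone else.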


Document Information

Modified date: 20 January 2022

UID: swg21247438