Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 6

 Flash (Alert)
 
Abstract
Fix Pack 6 for DB2 V9.1 is now available and includes fixes that close some serious security vulnerabilities. These fixes, where applicable, are also available in Fix Pack 2 for DB2 Version 9.5 and in FixPak 17 for DB2 Universal Database™ (DB2 UDB) Version 8.1 (also known as FixPak 10 for DB2 UDB Version 8.2).
IBM® recommends that you review the vulnerability descriptions and deploy one of the above fix packs to remove the vulnerabilities on your affected DB2 installations.
 
Content
A set of security vulnerabilities was discovered in some DB2 database products by security research firms. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM and the security firms cooperated to allow time for the DB2 development organization to address these vulnerabilities before they were made public. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these vulnerabilities.
The affected DB2 UDB for Linux, UNIX, and Windows Version 8.1 and 8.2, Version 9.1 and Version 9.5 products are:
  • DB2 Enterprise Server Edition
  • DB2 Workgroup Server (all Editions)
  • DB2 Express Server (all Editions)
  • DB2 Personal Edition
  • DB2 Connect Server (all Editions)

The DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service vulnerabilities, it is not feasible to retrofit the same fixes into earlier DB2 UDB Version 8 and DB2 Version 9 fix packs, including all of the special builds of the above DB2 database products that precede DB2 UDB Version 8.1 FixPak 17, DB2 Version 9.1 Fix Pack 6 and DB2 Version 9.5 Fix Pack 2.

The specifics of the Security APARs incorporated into the above DB2 fix packs can be found in the following table:

Security APARs

Columns: V8 FP17 | V9.1 FP6 | V9.5 FP2 | Platforms | ABSTRACT

  • n/a | All | SECURITY: DB2 SERVER TRAPS DUE TO SEGV IN SQLNLS_UNPADDEDCHARLEN()
  • All | SECURITY: VIEWS AND TRIGGERS SHOULD BE MARKED INOPERATIVE OR DROPPED IF DEFINER CANNOT MAINTAIN THE OBJECTS.
  • n/a | All | SECURITY: PASSWORD-RELATED CONNECTION STRING KEYWORD VALUES MAY APPEAR IN TRACE OUTPUT.

In addition to the Security APARs, here is a list of HIPER APARs included in these fix packs of which you should be aware.

HIPER APARs

Columns: V8 FP17 | V9.1 FP6 | V9.5 FP2 | ABSTRACT

  • ANOMALY USING THE ROUND FUNCTION ON WINDOWS.
  • LI73598 | INDEX SCAN WITH EXCLUSIVE START KEY MAY RETURN INCORRECT RESULTS
  • INCORRECT RESULTS FOR DISTINCT OUTER JOIN WITH AT LEAST 1 BOUND DISTINCT & JOIN COLUMN
  • IZ29116 | IZ29117 | DB2 MAY RETURN INCORRECT RESULTS FOR OUTER JOIN WITH DISTINCT
  • IZ29157 | ONLINE INDEX CREATION OR REORGANIZATION MAY PRODUCE CORRUPTED INDEXES, ROLLFORWARD RECOVERY CAUSES DATA CORRUPTION OR ABENDS
  • ASYNCHRONOUS INDEX CLEANUP AFTER DETACHING A DATA PARTITION FROM A PARTITIONED TABLE MAY INTRODUCE INDEX CORRUPTION

DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?rs=71&uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered security vulnerabilities along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that this issue is causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


Document information
 Product categories: Software; Data Management; Data Servers (Database Management Systems); DB2 for Linux, UNIX and Windows; Installation - Fixpak
 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
 Software version: 9.1
 Software edition: Enterprise Server, Workgroup Server
 Reference #: 1323084
 IBM Group: Software Group
 Modified date: 2009-02-27
