Security and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.5 Fix Pack 4

A set of vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these issues.

The affected DB2 for Linux, UNIX, and Windows products are:

• DB2 Enterprise Server Edition
• DB2 Workgroup Server (all Editions)
• DB2 Express Server (all Editions)
• DB2 Personal Edition
• DB2 Connect Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 UDB Version 8, DB2 Version 9.1 and DB2 Version 9.5 fix packs.

The specifics of the Security APARs incorporated into the above DB2 fix pack can be found in the following table:

Security APARs

V8 FP18	V9.1 FP8	V9.5 FP4	V9.7 FP1	ABSTRACT
		JR32268		UNAUTHORIZED CONNECTIONS POSSIBLE ON DATABASE SERVERS WITH LDAP-BASED AUTHENTICATION
IZ50074	IZ50078	IZ50079		SECURITY: USER WITHOUT SUFFICIENT PRIVILEGE COULD INSERT, UPDATE OR DELETE ROWS IN A TABLE
IZ40343	IZ40340	IZ40352	IC64759	DASAUTO COMMAND CAN BE RUN BY NON-PRIVILEGED USERS

In addition to the Security APARs, here is a list of HIPER APARs included in this fix pack of which you should be aware.


HIPER APARs

		V9.5 FP4	ABSTRACT
		LI74152	A DECIMAL DIVISION RETURNS AN INCORRECT RESULT IF THE RESULTING PRECISION IS 32 AND MIN_DEC_DIV_3=YES
		JR31883	A QUERY MAY RETURN INCORRECT RESULTS WHEN ITS OUTER JOIN OPERATOR IS EXPECTED TO OUTPUT AT MOST ONE ROW
		IZ47448	DATABASE BACKUP IMAGE DOES NOT CONTAIN ALL FILES FOR SMS TABLE SPACES WITH "FILE SYSTEM CACHING" ENABLED AND DB2_MMAP_READ=ON
		IZ43316	INCORRECT RESULTS ON USING THE "NOT LIKE" PREDICATE ON A DATABASE CREATED WITH THE UCA500R1 COLLATION KEYWORD
		IZ50916	INCORRECT RESULTS POSSIBLE IN QUERIES THAT WERE BOUND WITH REOPT ONCE AND INVOLVE LIKE PREDICATES

Use the following links to view and download DB2 fix packs:

• View all DB2 Fix Packs
• Return and view the DB2 V9.5 FP4 download page

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered security vulnerabilities along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that this issue is causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.

---

My Notifications
Sign-up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications
2. select Subscribe tab
3. select " Information Management" from the Software column
4. select the check box for " DB2 9 for Linux, UNIX and Windows"
click the Continue button.
5. select the check box for " Flashes" and all other document types
click the Submit button.
Done! It's that easy!

For more information about My Notifications please click on

• the Benefits and features or
• Read the overview or
• take an guided tour of My Notifications.

---