Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 8

Flash (Alert)


Abstract

Fix Pack 8 for DB2 V9.1 is now available and includes fixes for several serious security vulnerabilities and HIPER APARs. Where applicable, these fixes are also available in Fix Pack 18 for DB2 Version 8, Fix Pack 4 for DB2 Version 9.5 and Fix Pack 1 for DB2 Version 9.7.

IBM® recommends that you review the APAR descriptions and deploy one of the above fix packs to correct these issues on your affected DB2 installations.
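A quick way to confirm that an installation has reached one of the fix pack levels named above is to read the level that the `db2level` command reports and compare it against this Flash. The following is an added example for that check, not IBM code; it assumes the `Informational tokens are "DB2 vX.Y.Z.F", ..., and Fix Pack "N".` line that `db2level` prints for V9.x instances (DB2 V8 is left out because its token layout differs), and the sample outputs embedded in it are constructed, not captured from a real system.

```python
import re
import subprocess

# Minimum fix pack that carries the fixes in this Flash, keyed by DB2 version
# (from the text above: V9.1 FP8, V9.5 FP4, V9.7 FP1). DB2 V8 FP18 is not
# listed here because its db2level output uses a different token layout.
FIXED_LEVELS = {"9.1": 8, "9.5": 4, "9.7": 1}

# Matches the informational-tokens line of db2level output (assumed format):
#   Informational tokens are "DB2 v9.1.0.8", "s091016", "WR21459", and Fix Pack "8".
TOKENS_RE = re.compile(
    r'Informational tokens are "DB2 v(?P<major>\d+)\.(?P<minor>\d+)\.\d+\.\d+".*'
    r'Fix Pack "(?P<fp>\d+)"'
)


def parse_db2level(output: str):
    """Return (version, fixpack) from db2level output, or None if no tokens line is found."""
    for line in output.splitlines():
        m = TOKENS_RE.search(line)
        if m:
            return f"{m['major']}.{m['minor']}", int(m["fp"])
    return None


def assess(output: str) -> str:
    """Classify an instance as 'fixed', 'vulnerable', 'not-covered' or 'unknown'."""
    parsed = parse_db2level(output)
    if parsed is None:
        return "unknown"          # output not recognised; check by hand
    version, fixpack = parsed
    required = FIXED_LEVELS.get(version)
    if required is None:
        return "not-covered"      # version not addressed by this Flash
    return "fixed" if fixpack >= required else "vulnerable"


# Constructed sample outputs (the build tokens are placeholders, not real builds).
SAMPLE_FIXED = (
    'DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09018" '
    'with level identifier "02090107".\n'
    'Informational tokens are "DB2 v9.1.0.8", "s000000", "WR00000", and Fix Pack "8".\n'
    'Product is installed at "/opt/ibm/db2/V9.1".\n'
)
SAMPLE_OLD = (
    'Informational tokens are "DB2 v9.5.0.3", "s000000", "WR00000", and Fix Pack "3".\n'
)
SAMPLE_OTHER = (
    'Informational tokens are "DB2 v10.1.0.2", "s000000", "WR00000", and Fix Pack "2".\n'
)


def assess_local_instance() -> str:
    """Run db2level on this host (as the instance owner) and classify the result."""
    try:
        out = subprocess.run(["db2level"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return assess(out)


if __name__ == "__main__":
    for name, sample in [("fixed", SAMPLE_FIXED), ("old", SAMPLE_OLD), ("other", SAMPLE_OTHER)]:
        print(f"{name:>6}: {parse_db2level(sample)} -> {assess(sample)}")
    print(f" local: {assess_local_instance()}")
```

Run it as the instance owner so that `db2level` is on the PATH; a result of `vulnerable` means the instance is below the level this Flash lists for its version, and `unknown` means the output did not match the assumed format and should be checked manually.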

Content


A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these vulnerabilities.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

  • DB2 Enterprise Server Edition
  • DB2 Workgroup Server (all Editions)
  • DB2 Express Server (all Editions)
  • DB2 Personal Edition
  • DB2 Connect Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 UDB Version 8, DB2 Version 9.1 and DB2 Version 9.5 fix packs.

The specifics of the Security APARs incorporated into the above DB2 fix packs can be found in the following table:


Security APARs

Columns: V8 FP18 | V9.1 FP8 | V9.5 FP5 | V9.7 FP1 | ABSTRACT

IZ50074 IZ50078 IZ50079 (in FP4) - SECURITY: USER WITHOUT SUFFICIENT PRIVILEGE COULD INSERT, UPDATE OR DELETE ROWS IN A TABLE.
IZ55883 - SECURITY: USER CAN PERFORM "SET SESSION AUTHORIZATION" WITHOUT SETSESSIONUSER PRIVILEGE.
IZ40343 IZ40340 IZ40352 (in FP4)
IC64759 - DASAUTO COMMAND CAN BE RUN BY NON-PRIVILEGED USERS
IC62476 IC62501 IC62502 - Security: db2licm utility vulnerability
IC61746 IC61962 IC62625 IC63525 - SECURITY: Remote exploits of DB2 provided routines.
IZ51857 IZ52080 IZ52083 IC63302 - Security: Manipulation of db2ra data stream of Load utility request can cause seg fault.
IC62543 IC62583 IC64852 - SECURITY: SEQUENCE OR GLOBAL VARIABLE CAN BE USED WITHOUT THE APPROPRIATE PRIVILEGE
IC64324 IC64298 IC64325 - In a rare case, calling a SQL stored procedure could cause the DB2 server to trap
IZ38818 IZ38819 IC64853 - VISIBILITY OF PASSWORDS IN SET ENCRYPTION PASSWORD STATEMENT AS SEEN VIA GET SNAPSHOT DYNAMIC SQL



In addition to the Security APARs, here is a list of HIPER APARs included in these fix packs of which you should be aware.


HIPER APARs

Columns: V8 FP18 | V9.1 FP8 | V9.5 FP5 | V9.7 FP1 | ABSTRACT

IZ48160 IZ34995 (in FP3) - DB2 instance might stop abnormally with 'Bad Data Page' or 'Key Not Found' error on MDC table after buffer pool resize.
LI74151 LI74152 (in FP4) - A DECIMAL DIVISION RETURNS AN INCORRECT RESULT IF THE RESULTING PRECISION IS 32 AND MIN_DEC_DIV_3=YES
IZ53585 - CREATING A COMPRESSION DICTIONARY DURING AN OFFLINE (TABLE REORG OR LOAD) MAY DAMAGE A TABLE UNDER CERTAIN CONDITIONS
IZ53555 IZ55552 IC62088 - LOAD UTILITY MAY MARK A ROW BIT INCORRECTLY CAUSING INDEX SCAN TO RETURN INCORRECT RESULTS
IC64680 IC64539 IC64540 IC64541 - SQLSETSTMTATTRW(SQL_ATTR_CHAINING_END) RETURNS 0, EVEN WHEN ONE OF THE PREVIOUS CHAINED STATEMENTS FAILED
IC61781 IC64825 IC64767 - ALTER BUFFERPOOL REDUCE OR STMM MAY HANG IF SET WRITE SUSPEND HAD BEEN ISSUED



DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?rs=71&uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


Document information

More support for: DB2 for Linux, UNIX and Windows
Software version: 9.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1403619
Modified date: 2009-10-05