Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 9 and Fix Pack 10

Flash (Alert)


Abstract

Fix Pack 9 and Fix Pack 10 for DB2 V9.1 are now available and include fixes for some security vulnerabilities and HIPER APARs. These fixes, where applicable, are also available in Fix Pack 6a for DB2 Version 9.5 and Fix Pack 2 for DB2 Version 9.7.

IBM® recommends that you review the APAR descriptions and deploy one of the above fix packs to correct them on your affected DB2 installations.

Content

A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:

  • DB2 Enterprise Server Edition
  • DB2 Workgroup Server (all Editions)
  • DB2 Express Server (all Editions)
  • DB2 Personal Edition
  • DB2 Connect Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 Version 9.1, DB2 Version 9.5 and DB2 Version 9.7 fix packs.

The specifics of the Security APARs incorporated into the above DB2 fix packs can be found in the following table:


Security APARs

| V9.1 FP9 | V9.5 FP6a | V9.7 FP2 | ABSTRACT |
| --- | --- | --- | --- |
| IZ46773 | IZ46774 | IC63548 | SECURITY APAR: MODIFIED SQL DATA table function is not dropped when definer loses required privileges to maintain the objects. |
| IC65408 | IC65703 | IC65742 | SECURITY: VULNERABILITY IN DB2STST. |
| IC65749 | IC65756 | IC65762 | Security: DB2DART CAN OVERWRITE FILES OWNED BY THE INSTANCE OWNER. |
| IC65922 | IC65933 | IC65935 | SECURITY: BUFFER OVERRUN IN REPEAT UDF (CVE-2010-0462) |
| IC66099 | IC66642 | IC66643 | Security: Special group and user enumeration on Windows 2008 could trap the server. |
| IC67848 | IC68054 | IC68055 | SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555 |
| IC66811 (in FP10) | IC66814 | IC66815 | SECURITY: User continues to have privilege to execute a non-DDL statement after their DBADM authority has been revoked. |
| IC69986 (in FP10) | IC70538 | IC70539 (in FP3) | SECURITY: REMOTE BUFFER OVERFLOW VULNERABILITY IN DB2 ADMINISTRATIVE SERVER |
| IC71203 (in FP10) | IC72028 (in FP7) | IC72029 (in FP3) | SECURITY: DB2 DAS REMOTE CODE EXECUTION VULNERABILITY |
| IC72118 (in FP10) | IC71413 (in FP7) | IC72119 (in FP4) | Users able to update statistics for tables without appropriate privileges |
|  | IC71263 (in FP7) | IC71375 (in FP4) | SECURITY: User continues to have privilege to execute a non-DDL statement after role membership has been revoked from its group |




In addition to the Security APARs, here is a list of HIPER APARs included in these fix packs of which you should be aware.


HIPER APARs

| V9.1 FP9 | V9.5 FP6a | V9.7 FP2 | ABSTRACT |
| --- | --- | --- | --- |
| IZ62236 | IC63414 (in FP5) | IC63415 (in FP1) | OUTER JOIN OPERATION MAY RETURN INCORRECT RESULTS WITH A PREDICATE WITH A SUBQUERY RETURNING NOT MORE THAN ONE ROW |
| IZ55549 | IZ55987 (in FP5) | IC62219 (in FP1) | DYNAMIC SQL STATEMENTS WITH HOST VARIABLES, USING A REOPT ALWAYS OPTIMIZER GUIDELINE, MAY RETURN WRONG RESULTS |
| IZ70791 | IZ70790 | N/A | INCORRECT RESULTS ARE RETURNED WHEN SELECT DISTINCT SUBQUERY IS ROUTED TO MATERIALIZED QUERY TABLES (MQT) |
| IC65432 | IC65445 | N/A | LOAD FROM CURSOR FROM A TABLE WITH LOB COLUMN IN DPF ENVIRONMENT MIGHT LOAD WRONG RESULTS IN THE TARGET TABLE LOB COLUMN |



DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?rs=71&uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


My Notifications
Sign up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications.
2. Select the Subscribe tab.
3. Select "Information Management" from the Software column.
4. Select the check box for "DB2 9 for Linux, UNIX and Windows", then click the Continue button.
5. Select the check box for "Flashes" and all other document types, then click the Submit button.

For more information about My Notifications please click on


Document information

More support for: DB2 for Linux, UNIX and Windows
Software version: 9.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1426108
Modified date: 2011-04-20
