Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for Linux, UNIX, and Windows Version 10.5

Flash (Alert)


Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2 Version 10.5.

IBM® recommends that you review the APAR descriptions and deploy one of the above fix packs to correct them on your affected DB2 installations.

Content

A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:

DB2 Connect Server (all Editions)
DB2 Developer Edition
DB2 Enterprise Server (all Editions)
DB2 Express Server (all Editions)
DB2 Workgroup Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 Version 10.5 fix packs.

Select a Fix Pack: 3 1

DB2 Version 10.5 Fix Pack 3
Security APARs
IC94939 SECURITY: DENIAL OF SERVICE VULNERABILITY IN DB2's FAST COMMUNICATIONS MANAGER. (CVE-2013-4032)
IC97472 SECURITY: NULL POINTER DEREFERENCE IN DB2'S XSLT PARSING ENGINE (CVE-2013-5466).
IC97738 SECURITY: QUERY WITH OLAP SPECIFICATION CAUSES DB2 SERVER TO SHUTDOWN DATABASE. (CVE-2013-6717)
HIPER APARs
IC94890 THERE MIGHT BE A DOUBLE FREE OR LIST CORRUPTION IN THE SQLRLC_CSM_DEFUNCT() FUNCTION
IC95146 THE LOAD COMMAND WITH THE REMOTE FETCH OR SOURCEUSEREXIT OPTIONS MIGHT FAIL TO INSERT SOME ROWS INTO A TABLE
IC95522 THE QUERY STATEMENT WITH A SUBQUERY PREDICATE MIGHT NOT RETURN ROWS AFTER ENABLING DB2_COMPATIBILITY_VECTOR=ORA
IC95669 TCP CONNECTIONS FROM NON-HADR DATABASE SOFTWARE TO THE STANDBY MIGHT ALTER THE HADR STATE AND STALL LOG SHIPPING ON THE PRIMARY
IC95689 THE ROUND FUNCTION WITH A MINIMUM VALUE FOR INTEGER AND BIGINT VALUES IS NOT RETURNING THE CORRECT RESULTS
IC96922 USER-DEFINED FUNCTION WITH INDEX EXTENSION EXPLOITATION MIGHT RETURN INCORRECT RESULTS IF INDEX IS NOT PRESENT
IC97269 THE DBMS_LOB.COMPARE FUNCTION AND DBMS_LOB.READ PROCEDURE DO NOT PROCESS CLOBS CORRECTLY IF MULTI-BYTE CHARACTERS ARE PRESENT
IC97290 INSTANCE MIGHT ABEND OR RETURN INCORRECT RESULTS DUE TO AN INCORRECT EXECUTION SECTION FOR STAR JOIN
IC97340 QUERIES WITH THE XMLTABLE FUNCTION MIGHT RETURN INCORRECT RESULTS
IC97805 UNEXPECTED LOCK ESCALATIONS ON DB2 PURESCALE SYSTEMS USING STMM LOCKLIST TUNING OR MANUAL DYNAMIC UPDATE OF LOCKLIST SETTING
IC97928 ALTER TABLE DROP COLUMN ON A TABLE WITH AN INDEX WITH RANDOM ORDERING MIGHT LEAD TO INDEX CORRUPTION
IC98160 POSSIBLE INCORRECT RESULT ON MULTIPLE OUTER JOINS AND A COMBINATION OF EQUALITY JOIN PREDICATES AND LOCAL PREDICATES
IC98350 A QUERY WITH AN OR PREDICATE MIGHT RETURN INCORRECT RESULTS
IV53366 WRONG RESULTS POSSIBLE FOR CHAR AND GRAPHIC COLUMNS IN COLUMN-ORGANIZED TABLES DURING PREDICATE PROCESSING

DB2 Version 10.5 Fix Pack 1
Security APARs
IC94758 SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)
HIPER APARs
IC93971 INDEX / DATA MISMATCH MIGHT OCCUR IN AN MDC TABLE AFTER A DEFERRED ROLLOUT
IC94095 EXCESSIVELY LARGE MEMORY ALLOCATION ATTEMPTS FROM FAST INTEGER SORT DUE TO WRONG MEMORY SIZE CALCULATION
IC94298 RANGE PARTITIONED TABLES DEFINED WITH A NULLS FIRST PARTITIONING COLUMN MIGHT RETURN INCORRECT RESULTS
IC94991 BITWISE SCALAR FUNCTIONS MIGHT RETURN INCORRECT RESULTS WHEN USED WITH DECFLOAT DATATYPE ON AIX POWER7
IC98875 QUERY ON PARTITIONED TABLE MIGHT FAIL WITH SQLD_BADPAGE AND SQLDFETCHDIRECT PROBE: 5395 ERRORS WHEN RUNNING EHL
IV46859 LOAD INTO COLUMN-ORGANIZED TABLE MAY CORRUPT DATA RESULTING IN INCORRECT RESULTS
IV46889 ERRORS AFTER RESTORING AN ONLINE BACKUP TAKEN WHILE LOADING INTO A COLUMN-ORGANIZED TABLE





DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


My Notifications
Sign-up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications
2. select Subscribe tab
3. select "Information Management" from the Software column
4. select the check box for "DB2 for Linux, UNIX and Windows"
click the Continue button.
5. select the check box for "Flashes" and all other document types
click the Submit button.


Cross reference information
Segment Product Component Platform Version Edition
Information Management DB2 Connect 10.5

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

10.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1647054

Modified date:

2014-02-18

Translate my page

Machine Translation

Content navigation