IBM Support

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for Linux, UNIX, and Windows Version 10.5

Flashes (Alerts)


Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2 Version 10.5. IBM® recommends that you review the APAR descriptions and deploy one of the above fix packs to correct them on your affected DB2 installations.

Content

A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

DB2 Connect Server (all Editions)
DB2 Developer Edition
DB2 Enterprise Server (all Editions)
DB2 Express Server (all Editions)
DB2 Workgroup Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 Version 10.5 fix packs.

Select a Fix Pack: 10 9 8 7 6 5 4 3a 3 1

-->

DB2 Version 10.5 Fix Pack 10
Security APARs
IT24461 SECURITY: PRIVELEGE ESCALATION VULNERABILIY IN THE DB2 DAS COMPONENT ON WINDOWS
IT24475 SECURITY: PRIVILEGE ESCALATION VIA UNTRUSTED LIBRARY PATH
IT24824 SECURITY: FORMAT STRING VULNERABILITIES EXISTS IN DB2SUPP
IT24837 SECURITY: IBM JAVA UPDATE
IT24215 SECURITY: DB2 IS AFFECTED BY MULTIPLE ARBITRARY FILE OVERWRITE VULNERABILITIES
IT24464 SECURITY: RAH.EXE BUFFER OVERFLOW
IT24478 SECURITY: BUFFER OVERFLOW IN DB2LICM
IT24645 SECURITY: DB2CONVERT IS VULNERABLE TO BUFFER OVERFLOW
IT24802 SECURITY: MULTIPLE VULNERABILITIES IN DB2EXMIG AND DB2EXFMT
IT24212 SECURITY: DB2GENP ARBITRARY FILE OVERWRITE VULNERABILITY
IT24058 SECURITY: UPDATE GSKIT TO THE NEWEST FIPS CERTIFIED VERSION
IT23797 SECURITY: UNSAFE DESERIALIZATION IN DB2 JDBC DRIVER
IT22414 SECURITY: DB2 INSTALL USES WEAK PASSWORD ENCRYPTION
HIPER APARs
IT25336 INFORMATIONAL:  IF COLUMNAR TABLES ARE PRESENT THEN UPGRADE FROM 10.5FP10 to 11.1 MIGHT REQUIRE A SPECIAL BUILD
IT20883 WRONG RESULTS OR SQL901N MAY OCCUR WHEN EXECUTING A SQL STATEMENT CONTAINING TWO OR MORE NOT IN OR NOT EXISTS PREDICATES
IT21971 DOING LIKE ON A CODEUNITES32 FIXED LENGTH COLUMN  IN THE COLUMNAR ORGANIZED TABLE  COULD RETURN AN INCORRECT RESULT
IT22352 DB2 : IF ANY COMMAND WITH RECLAIM EXTENTS OPTION IS RUN ON AN MDC TABLE DURING A BACKUP, A ROLLFORWARD ON IT COULD FAIL
IT22548 INCORRECT RESULT WHEN USING THE XMLTABLE FUNCTION AND REFERENCING ELEMENTS THAT DON'T EXIST IN THE SOURCE DOCUMENT
IT22791 POSSIBLE WRONG RESULTS WITH VARCHAR_FORMAT WHEN USING 'DY DDD YYYY' FORMAT
IT23260 INCORRECT RESULTS WITH AGGREGATION ON OUTER JOINED TABLE WITH FOREIGN KEY ON NULL PRODUCING TABLE
IT23267 A QUERY OVER NICKNAMES CONTAINING FETCH FIRST N ROWS ONLY CLAUSE MAY RETURN INCORRECT RESULTS
IT23341 WRONG RESULTS ARE POSSIBLE WHEN EXECUTING A SQL STATEMENT ELIGIBLE FOR ZIGZAG JOIN ON A NON-PARTITIONED INDEX
IT23938 IN CDE, INCORRECT RESULTS MIGHT BE RETURNED FOR A QUERY THAT REFERENCES A CORRELATED SCALARY SUBQUERY IN A PREDICATE
IT24347 INDEX CORRUPTION MIGHT BE INTRODUCED ON A COMPRESSED INDEX DURING RECOVERY PROCESSING
IT24688 QUERIES USING THE SAME UNNEST IN DIFFERENT PARTS OF THE PLAN COULD RETURN WRONG RESULTS FOR SOME COLUMNS
IT24743 CRASH RECOVERY MIGHT FAIL OR INTRODUCE DATABASE CORRUPTION WHEN USING AN ENCRYPTED DATABASE
IT25194 TO_NCHAR() RETURNS WRONG RESULT WITH UNION
IT27891 PARALLEL IXSCANS FOR COLUMN-ORGANIZED TABLES MIGHT CAUSE AN ABEND/WRONG RESULTS IF UPDATE ACTIVITY OCCURS IN THE SAME CONNECTION


-->

DB2 Version 10.5 Fix Pack 9
Security APARs
IT21164 SECURITY: ESCALATION TO ROOT VULNERABILITY IN DB2.
IT21394 ESCALATION TO ROOT VULNERABILITY IN DB2.
IT21454 SECURITY: DB2CONNECT SERVER CAN CRASH UNDER SPECIFIC CONDITIONS.
IT21462 SECURITY: USER WITHOUT PROPER AUTHORITY CAN ACTIVATE DATABASE.
IT21463 SECURITY: DB2 CAN BE USED TO OVERWRITE ARBITRARY FILES OWNED BY DB2 INSTANCE
HIPER APARs
IT12781 DB2 MAY CONVERT VIEW COLUMN TYPES INCORRECTLY OR RETURN SQL0418N UPON REVALIDATION OF A VIEW WITH UNTYPED EXPRESSIONS
IT15618 IF ARRAY USED IN AN OPEN CURSOR IS MODIFIED WRONG RESULT OR A TRAP ARE POSSIBLE
IT16693 SELECT ROW CHANGE TOKEN WILL RETURN WRONG RESULT WHEN USING RIDSCAN (ROW IDENTIFIER SCAN)
IT16825 ONLINE BACKUP WITH COMPRESSION AND ENCRYPTION MAY CREATE A CORRUPTED BACKUP FILE
IT16918 INCORRECT QUERY RESULTS WHEN USING OFFSET-CLAUSE AND/OR FETCH-FIRST-CLAUSE
IT17311 WRONG RESULT IN STORED PROCEDURE QUERY WHEN ADD/DROP CHECK CONSTRAINT
IT17395 SELECT AGAINST MDC TABLE WITH A RANGE PREDICATE IN SMP MIGHT RETURN A WRONG RESULT.
IT17472 INCORRECT RESULTS ARE POSSIBLE WHEN JOIN AGAINST CDE TABLES IS DONE  AND AN UNDOCUMENTED JOIN SUPPORT REGISTRY VARIABLE SET
IT17512 IN Db2 DPF, POSSIBLE WRONG RESULT WHEN OUTER JOIN PREDICATE COL1=COL2 AND BOTH COLUMNS ARE FROM THE OUTER TABLE
IT17679 WRONG RESULTS AGAINST COLUMN ORGANIZED TABLE ARE POSSIBLE WITH EXPANDING JOIN PLAN
IT17789 SQL STATEMENT WITH AN EXISTS PREDICATE AND A JOIN INVOLVING NON-DETERMINISTIC CORRELATED SUBQUERY MAY RETURN MORE ROWS
IT17951 POSSIBLE WRONG RESULTS WHEN THE INPUT PARAMETERS OF AN INLINED SQL SCALAR UDF CONTAINS AN OLAP SPECIFICATION
IT18020 INCORRECTLY GENERATED DERIVED PREDICATES MIGHT CAUSE INCORRECT QUERY RESULTS DUE TO TRAILING BLANKS
IT18022 A CORRELATED SCALAR SUBQUERY IN AN UPDATE STATEMENT MAY NOT CORRECTLY RETURN SQL0811N IF SPECIFIC REGISTRY IS SET
IT18102 AN SQL STATEMENT IN A PARTITIONED DATABASE ENV CONTAINING THE ROW_NUMBER() OVER() OPERATION MIGHT PRODUCE INCONSISTENT RESULTS
IT18201 WRONG RESULT IS POSSIBLE IF GENERATED ALWAYS EXPRESSION REFERENCES A BUILT-IN FUNCTION WITH MORE THEN ONE STRING INPUT
IT18206 WRONG RESULT IS POSSIBLE IN ORACLE COMPATIBILITY MODE UNICODE DB WHEN COMPARING A CHAR COLUMN WITH A GRAPHIC CONSTANT
IT18237 PREDICATE COMPARING SUBSTR ON CODEUNITES32 COLUMN  IN THE COLUMNAR ORGANIZED TABLE TO HOST VAR COULD RETURN AN INCORRECT RESULT
IT18343 Db2 MAY RETURN INCORRECT RESULTS IF USING A CASE STATEMENT TO COMPARE FIXED CHAR/GRAPHIC STRINGS IN VARCHAR2 COMPATIBILITY MODE
IT18505 Db2 CAN RETURN WRONG RESULTS WHEN USING THE SPECIAL REGISTER 'CURRENT DECFLOAT ROUNDING MODE' IN A QUERY IN AN MPP ENVIRONMENT
IT18514 Db2 MAY RETURN SQLCODE:-901 OR RETURN WRONG RESULTS ON QUERIES WITH PLANS THAT INVOVLE SORT ON AN ENCRYPTED DATABASE
IT18732 WHEN RUNNING THE DYNAMIC SQL IN A PACKAGE, THE WRONG STATEMENT COULD BE PICKED UP, RESULTING IN WRONG RESULT.
IT18761 TRUNC ON MINIMUM  INTEGER VALUE MIGHT RETURN 0 WHEN (VALUE, -X) IS DONE
IT18771 PURESCALE: QUERY MIGHT RETURNS WRONG RESULT WHEN INPLACE (ONLINE) TABLE REORGANIZATION IS RUNNING
IT19095 DB2 MIGHT PRODUCE INCORRECT RESULT WHEN EXECUTING XQUERY WITH MULTIPLE OR SUBTERMS
IT19808 COMPILED COMPOUND SQL OR A PL/SQL ANONYMOUS BLOCK CAN DELETE ALL ROWS OF A ON COMMIT DELETE ROWS TEMPORARY TABLE
IT19976 SQL QUERIES WITH IN OR NOT IN CLAUSE MAY PRODUCE INCORRECT RESULTS FOR A COLUMN-ORGANIZED TABLE
IT20436 INCORRECT RESULT OR SQL0811N ARE POSSIBLE WHEN SQL CONTAINS SCALAR NOT EXISTS SUBQUERY
IT20475 INCORRECT RESULTS ARE POSSIBLE WHEN CONCURRENT QUERIES ACCESS COLUMNAR ORGANIZED TABLES AND USE  CS ISOLATION
IT20517 IN DPF, WHEN UNIQUE TQ IS PRESENT IN THE PLAN AND SPECIAL INTERNAL PERFORMANCE OPTIMIZATION IS HAPPENING, POSSIBLE DUPLICATE VALUES RETURNED
IT20597 WRONG RESULTS MIGHT OCCUR WHEN SCALAR SUB-QUERY IS ON THE LEFT HAND SIDE OF A NOT IN PREDICATE
IT20790 INCORRECT RESULT POSSIBLE WHEN CASE AND ANOTHER PREDICATE  HAVE THE SAME COMPARISON OPERATION
IT21015 AGAINST COLUMNAR TABLES, COMBINATION OF EXCLUSIVE TABLE LOCK AND UNCOMMITTED INSERT AND SELECT COULD RETURN INCORRECT RESULTS
IT21060 SQL QUERIES WITH IN OR NOT IN CLAUSE MAY PRODUCE INCORRECT RESULTS FOR A COLUMN-ORGANIZED TABLE
IT21077 UPDATE OF UNIQUE COLUMNS MIGHT RESULT IN DUPLICATES IN A TABLE WITH A UNIQUE INDEX
IT21760 Db2 MAY RETURN WRONG RESULTS WITH ORACLE COMPATIBILITY AND SUBSTR
IT21897 WRONG RESULT IS POSSIBLE WHEN CODEUNITS 32 IS USED IN A ROW DATA TYPE ASSIGNMENT AND CAST IS USED
IT21971 DOING LIKE ON A CODEUNITES32 FIXED LENGTH COLUMN  IN THE COLUMNAR ORGANIZED TABLE  COULD RETURN AN INCORRECT RESULT
IT22360 WRONG RESULT IS POSSIBLE WHEN EXPRESSION ON JOIN COLUMN
IV89630 ON COLUMN ORGANIZED TABLES, Db2 MIGHT INSERT INCORRECT NUMBER OF ROWS FOR INSERT FROM SELECT THAT INCLUDES ANTI JOIN
IV92833 WRONG RESULT IS POSSIBLE WHEN COLUMNAR TABLES ARE INVOLVED IN A A PLAN WITH A UNION AND CSE IS PUSHED DOWN ON TO CDE
IV97815 A QUERY AGAINST COLUMNAR ORGANIZED TABLE AND ARITHMETIC ON BOTH TIME AND DECIMAL DATATYPES MAY RETURN INCORRECT RESULT


-->

DB2 Version 10.5 Fix Pack 8
Security APARs
IT11536 SECURITY: DB2 IS AFFECTED BY SECURITY VULNERABILITIES IN IBM GPFS (CVE-2015-4974, CVE-2015-4981 & CVE-2015-7403)
IT12488 SECURITY: DB2 SERVER MAY CRASH DUE TO MALFORMATTED DRDA MESSAGES (CVE-2016-0211)
IT12642 SECURITY: GSKIT UPGRADE DUE TO SECURITY VULNERABILITIES (CVE-2015-7420, CVE-2015-7421 & CVE-2016-0201)
IT12675 SECURITY: DB2 may trap when running query with AVG OLAP function on Oracle compatible database (CVE-2016-0215)
IT15000 SECURITY:  DB2 IS VULNERABLE TO THE DLL-PLANTING VULNERABILITY IN INSTALLSHIELD (CVE-2016-2542)
IT15578 SECURITY: DB2 IS AFFECTED BY OPEN SOURCE APACHE XERCES-C XML PARSER VULNERABILITIES (CVE-2016-0729)
IT16323 SECURITY: DB2 PURESCALE AFFECTED BY MULTIPLE VULNERABILITIES IN GPFS
IT16921 SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2016-5995)
HIPER APARs
IT12532 SQL STATEMENT CAN FAIL WITH SQL0901N OR PRODUCE WRONG RESULT WHEN ZZJOIN IS CHOSEN IN THE ACCESS PLAN
IT12568 DB2 INSTANCE MAY ABEND WHEN CREATING COMPOUND STATEMENTS CONTAINING LIKE PREDICATES
IT12741 COMPILED TRIGGERS NOT FIRING AFTER UPGRADE FROM VERSION 9.7 TO 10.1 OR 10.5
IT12997 TRUNCATE OF A DECLARED GLOBAL TEMPORARY TABLE MAY NOT RESULT IN TRUNCATED TABLE IN A PARTITIONED DATABASE
IT13002 VALUE FUNCTION WITH HASH JOIN MIGHT RETURN WRONG RESULT SET
IT13020 DB2 MIGHT PRODUCE INCORRECT RESULT WHEN EXECUTING QUERIES WITH INTERSECT AND DISTINCT
IT13416 QUERY ON CREATED GLOBAL TEMPORARY TABLE MAY RETURN WRONG RESULTS IN DPF WHEN RUNNING THE SAME STATEMENT ON DIFFERENT PARTITIONS
IT13454 COMPLEX XML QUERY GIVES INCORRECT RESULTS IN RARE CIRCUMSTANCES DUE TO INCORRECT PROCESSING OF PARTIALLY MATCHED ELEMENTS.
IT13502 INCORRECT RESULTS FROM SELECT ON INDEX CONTAINING MORE THAN 4,294,967,295 ROWS
IT13607 DB2 ON AIX WITH DB2AUTH OR DB2_ALTERNATE_GROUP_LOOKUP SET MAY GET WRONG USER GROUP MEMBERSHIP RESULTING IN WRONG PRIVILEGES
IT13665 QUERIES CONTAINING BOTH AN IN (SUBQUERY) AND NOT IN (SUBQUERY) MAY EXPERIENCE INCORRECT RESULTS
IT14131 DB2 MIGHT ABEND WHEN EXECUTING QUERIES WITH MULTIPLE PREDICATES ON SUBSUMABLE SCALAR SUBQUERIES
IT14357 SLOW ROLLBACK PERFORMANCE SLOWING OVERALL PERFORMANCE OF THE APPLICATIONS
IT14559 DB2 SHORTCUTS DO NOT APPEAR POST INSTALLATION ON WINDOWS 2012 IF MICROSOFT SECURITY PATCH KB3126593 WAS APPLIED
IT14604 IN FEDERATED SCENARIO, TABLE EXPRESSION AGAINST NICKNAME  WITH BOTH  CORRELATION AND FFNR CLAUSE COULD PRODUCE INCORRECT RESULT
IT14972 10.5 FP7 SQL USING IN/OR/= PREDICATES AGAINST COLUMNS OF VARYING LENGTH STRING TYPES IN COLUMNAR TABLES CAN RETURN WRONG RESULTS
IT15043 ENABLING REOPT_ALWAYS VIA OPTIMIZATION PROFILE MAY LEAD TO INCORRECT RESULTS AS PARAMETER VALUES MAY BE RE-USED INCORRECTLY
IT15051 JSON2BSON() FUNCTION REMOVES BACKSLASH FROM JSON DATA ASSUMING IT IS AN ESCAPE CHARACTER
IT15057 DB2 MIGHT PRODUCE INCORRECT RESULT WHEN EXECUTING QUERY WITH UNION AND MULTIPLE BASE TABLES
IT15311 QUERY WITH UNION ALL AND EXISTENTIAL SUBQUERY COULD PRODUCE INCORRECT RESULT IN DB2 10.5 FP7
IT15313 QUERIES CONTAINING MULTIPLE OUTER JOIN OPERATIONS AND NESTED EXPRESSIONS MAY PRODUCE INCORRECT RESULTS
IT15362 WRONG RESULT IS POSSIBLE IF SQL CONTAINS "NULL IS NULL" IN SUB-BRANCH OF AN OR
IT15621 INCORRECT RESULT SET COULD BE RETURNED WHEN USING JSON SQL ON TABLE CONTAINING NESTED ARRAYS
IT16651 DB2 MAY RETURN INCORRECT RESULTS WHEN USING STRING EQUALITY PREDICATES CONTAINING DIFFERING CODE UNITS
IV80025 MIN_DEC_DIV_3 MIGHT NOT GET PICKED UP IN QUERIES AGAINST COLUMN ORGANIZED TABLES
IV81444 AGAINST COLUMNAR TABLES SCALAR FUNCTIONS WEEK_ISO;TIMESTAMP_ISO; MICROSECOND(NON-TIMESTAMP COLUMN) COULD RETURN INCORRECT RESULT
IV83653 WE COULD LOOSE UPDATED ROWS WHEN DOING INDEX SCAN ON COLUMNAR TABLE WITH CURSOR STABILITY ISOLATION LEVEL


-->

DB2 Version 10.5 Fix Pack 7
Security APARs
IT07394 SECURITY: DB2 ACS IS AFFECTED BY OPENSSL VULNERABILITY (CVE-2015-0204)
IT08753 SECURITY: LOCAL ESCALATION OF PRIVILEGE VULNERABILITY IN DB2 (CVE-2015-1947)
IT09900 SECURITY: GSKIT IS AFFECTED BY SECURITY VULNERABILITIES (CVE-2015-1788)
IT09964 SECURITY:Vulnerability in FCM affects DB2 (CVE-2015-4000)
IT09969 SECURITY: Multiple vulnerabilities in FCM affects DB2 LUW (CVE-2015-1788 & CVE-2015-2808)
HIPER APARs
IT05825 WRONG RESULT FROM STATEMENT WITH TWO OR MORE OLAP FUNCTIONS WITH COMPATIBLE PARTITION-BY CLAUSES WITH ONE EQUATING TO CONSTANTS
IT06542 EMPTY RESULT OR A HANG MAY HAPPEN FOR CDE TABLE QUERY IF TABLESPACE HAS ENOUGH TABLES TO GENERATE NEGATIVE TABLE_ID
IT06951 POSSIBLE WRONG RESULT FROM SQL STATEMENT JOINING 4 OR MORE COLUMN-ORGANIZED TABLES
IT08456 INCORRECT QUERY RESULTS OR SQL0901N REASON "BAD OUTER COMPARE" POSSIBLE IN DPF WHEN SQL PLAN HAS MDTQ AND MERGE JOIN LOLEPOPS
IT09073 INCORRECT RESULTS FROM SORT OPERATIONS ON DB2 VERSION 10.5.0.5
IT09085 INDEX SCAN ON A DATA PARTITIONED TABLE MAY TRAP OR RETURN INCORRECT RESULTS IF PARTITIONS BECOME AVAILABLE DURING THE SCAN
IT09332 WRONG RESULTS MAY HAPPEN WHEN ACCESS PLAN CONTAINS INDEX SCAN ON THE OUTER LEG OF THE HASH JOIN
IT09336 IN A RARE CONDITION, A QUERY OF A CHAIN OF EQUALITY JOIN PREDICATES BETWEEN 4 OR MORE TABLES COULD PRODUCE EXTRA ROWS
IT09392 DB2 MAY CRASH WHEN REPLAYING FEDERATED XA LOG RECORDS IF FEDERATED TWO_PHASE COMMIT IS USED
IT09394 INGEST: SQL0804N OR INCORRECT DECIMAL DATA LOADED WHEN DECIMAL IS IN ASCII  AND PRECISIONS DO NOT MATCH
IT09419 INCORRECT RESULT WHEN QUERY HAS LEFT OUTER JOIN AND UNION ALL
IT09541 DB2 PURESCALE: RSCT APAR IV68484 TB_BREAK ROUTINE CAN REPORT FALSE FAILURE ON LINUX
IT09596 SYSIBM.POWER ( EXPRESSION1, EXPRESSION2 ) WILL RETURN INCORRECT RESULTS FOR SOME VALUES WHEN THE BIGINT DATA TYPE IS USED
IT10009 WRONG RESULTS ARE POSSIBLE WHEN USING THE SAME COLUMN TWICE IN DIFFERENT AGGREGATION FUNCTIONS
IT10256 DB2 PURESCALE: RSCT APAR IV74148: BACKLEVEL RESOURCE MANAGERS MAY HANG UNDER ERROR CONDITIONS
IT10812 INDEX/DATA MISMATCH MIGHT OCCUR IN AN MDC TABLE AFTER A DEFERRED ROLLOUT IS SUSPENDED
IT11108 RESTORE DB WITH ENCROPTS "SHOW MASTER KEY DETAILS" ON NON-ENCRYPTED IMAGE CAUSES UNEXPECTED RESTORE TO COMPLETE
IV69346 A ':' CHARACTER IN A COLUMN-ORGANIZED TABLE NAME REFERENCED IN A NESTED QUERY CAN RESULT IN AN INCORRECT EMPTY RESULT SET
IV70418 INCORRECT RESULTS POSSIBLE AGAINST COLUMN-ORGANIZED TABLES WHEN A CAST IS USED IN THE LEFT HAND SIDE OF AN IN LIST EXPRESSION
IV72718 QUERY ON A COLUMNAR TABLE CAN RETURN INCORRECT RESULTS IF IT HAS VARIABLE LENGTH STRINGS WITH SPECIAL CHARS LIKE TABS OR BLANKS
IV78737 WRONG RESULT IS POSSIBLE WITH QUERIES AGAINST COLUMNAR TABLES WHEN PLAN HAS SHARED COMMON SUBEXPRESSION AND INDEX SCAN
JR54057 INCORRECT RESULT IS POSSIBLE IN FEDERATED ENVIRONMENT WHEN PLAN PUSHES DOWN FETCH FIRST N ROWS CLAUSE TO REMOTE SERVER


-->

DB2 Version 10.5 Fix Pack 6
Security APARs
IT06351 SECURITY: TLS padding vulnerability affects IBM® DB2® LUW (CVE-2014-8730)
IT06353 SECURITY: IBM DB2 contains a file disclosure vulnerability using a SELECT statement with XML/XSLT function  (CVE-2014-8910)
IT07109 SECURITY: DB2 TRAPS WHEN EXECUTING A SPECIALLY-CRAFTED SQL STATEMENT WITH SCALAR FUNCTIONS (CVE-2015-0157)
IT07554 SECURITY: DB2 contains a sensitive information exposure vulnerability in the monitoring and audit feature (CVE-2014-0919)
IT07635 SECURITY: VULNERABILITIES IN GSKIT AFFECT IBM DB2 LUW (CVE-2015-0138)
IT08075 SECURITY: DB2 CONTAINS A FILE DISCLOSURE VULNERABILITY IN THE DATABASE AUTOMATED MAINTENANCE FEATURE (CVE-2015-1883)
IT08113 SECURITY: DB2 IS AFFECTED BY MULTIPLE SECURITY VULNERABILITIES IN GPFS (CVE-2015-0197, CVE-2015-0198, CVE-2015-0199)
IT08526 SECURITY: DB2 USER CAN DELETE TABLE DATA WITHOUT APPROPRIATE PRIVILEGES  (CVE-2015-1922)
IT08537 SECURITY: VULNERABILITY IN RC4 STREAM CIPHER AFFECTS IBM® DB2® LUW (CVE-2015-2808)
IT08656 SECURITY: DB2 LUW CONTAINS A VULNERABILITY IN SCALAR FUNCTION THAT MAY CAUSE DB2 SERVER TO TERMINATE ABNORMALLY (CVE-2015-1935)
HIPER APARs
IT06433 PERFROMANCE DEGRADATION DURING INPLACE REORG IN A HADR ENVIRONMENT ON A STANDBY DATABASE
IT07392 IN RARE SCENARIOS COMPLEX QUERY WITH AN OLAP SPECIFICATION AND A SUBQUERY MIGHT RETURN EXTRA ROWS
IT07403 SELECT ON XML USING FN:UPPER-CASE & TABLE HAS AN INDEX CAN RETURN INCORRECT RESULTS
IT09018 HADR STANDBY LOG REPLAY OR ROLLFORWARD RECOVERY CAN FAIL DUE TO SQLB_BAD_PAGE
IT09073 INCORRECT RESULTS FROM SORT OPERATIONS ON DB2 VERSION 10.5.0.5


-->

DB2 Version 10.5 Fix Pack 5
Security APARs
IT04138 SECURITY: Multiple ALTER TABLE statements can cause DB2 to terminate (CVE-2014-6210).
IT04730 SECURITY: DB2 may terminate abnormally when issuing an ALTER TABLE statement with AUTO_REVAL set to IMMEDIATE (CVE-2014-6159).
IT04786 SECURITY: ALTER TABLE on an identity column may cause DB2 to terminate (CVE-2014-6209).
IT05933 SECURITY: XML QUERY WILL CAUSE DB2 TO INCREASE CPU USAGE (CVE-2014-8901).
HIPER APARs
IT03298 INSERT MIGHT NOT RESPOND OR BE VERY SLOW OR HANG ON PURESCALE SYSTEMS
IT03970 PERFORMING MEMBER CRASH RECOVERY IN PURESCALE WITH EHL ENABLED MIGHT CORRUPT THE TABLE IN CERTAIN SITUATIONS
IT04173 SQL STATEMENT WITH MULTIPLE SIMILAR CORRELATED SUBEXPRESSIONS MIGHT RETURN INCORRECT RESULTS
IT04307 INCORRECT RESULTS FROM A COLUMN-ORGANIZED TABLE WHEN OPERATIONS INCLUDE NEGATIVE FLOAT/DOUBLE VALUES AND A RESULT OF ZERO
IT04326 PACKAGE CACHE MEMORY USE CAN EXCEED CONFIGURED SIZE RESULTING IN MEMORY EXHAUSTION ON DB2 Cancun Release 10.5.0.4.
IT04426 "<TIMESTAMP_COLUMN> + <DECIMAL_COLUMN> SECONDS" MIGHT PRODUCE INCORRECT RESULTS IN COLUMN-ORGANIZED TABLES
IT04660 RESTORE DATABASE MIGHT INTRODUCE CORRUPTION IN OBJECTS THAT RESIDE IN SMS TABLESPACES AND ARE LARGER THAN 2GB (WINDOWS ONLY)
IT04924 WHEN INTRA_PARALLEL ENABLED, SQL STATEMENT WITH IN PREDICATE MIGHT RETURN INCORRECT RESULTS
IT05009 SEVERE MEMORY LEAK IN DATABASE MEMORY ON DB2 10.5 FIX PACK 4 IN DPF ENVIRONMENTS WITH INTRAPARTITION PARALLELISM ENABLED
IT05044 INCORRECT RESULTS MIGHT BE RETURNED FOR A QUERY INVOLVING AN AGGREGATION FUNCTION AND AN OUTER JOIN OPERATOR
IT05068 POTENTIAL CORRUPTION DURING READAHEAD DATA PREFETCHING WHEN A DECIMAL KEY PART IS USED WITH INDEX COMPRESSION
IT05185 SQL STATEMENT WITH REPARTITIONED JOINS MIGHT RETURN INCORRECT RESULTS IN A DPF SYSTEM
IT05194 TABLE MAY BE INCONSISTENT AFTER INPLACE TABLE REORG IN PURESCALE WITH EXPLICIT HIERARCHICAL LOCKING ENABLED
IT05544 PERFORMANCE DEGRADATION AND DROPPED DATABASE CONNECTIONS DUE TO INCORRECTLY REPORTED LICENSE ERRORS ON DB2 VERSION 10.5.0.4
IT05812 INCORRECT RESULTS MIGHT BE RETURNED FOR COLUMN-ORGANIZED TABLES WITH AN ENFORCED PRIMARY KEY OR UNIQUE CONSTRAINTS
IT05898 WRONG RESULTS RECEIVED FOR A QUERY DUE TO INCORRECT INTERNAL COLUMN STRUCTURES
IT05904 INCORRECT RESULTS MIGHT BE PRODUCED IF HSJOIN HAS 2 NLJNs ON THE PROBE SIDE AND HSJN PROBE PUSH DOWN INTO THE SECOND NLJN DONE
IT09336 IN A RARE CONDITION, A QUERY OF A CHAIN OF EQUALITY JOIN PREDICATES BETWEEN 4 OR MORE TABLES COULD PRODUCE EXTRA ROWS


-->

DB2 Version 10.5 Fix Pack 4
Security APARs
IT02201 SECURITY: DB2 IS AFFECTED BY THE JSON-C HASH FUNCTION DENIAL OF SERVICE VULNERABILITY (CVE-2013-6371 )
IT02291 Security: DB2 contains a denial of service vulnerability in ALTER MODULE statement handling. (CVE-2014-3094)
IT02433 SECURITY: DB2 contains a denial of service vulnerability in SQL Compiler (CVE-2014-3095)
IT03761 Security: Unauthorized Access to user data vulnerability in DB2 during certain LOAD operations into CDE tables (CVE-2014-4805)
HIPER APARs
IC97290 INSTANCE MIGHT ABEND OR RETURN INCORRECT RESULTS DUE TO AN INCORRECT EXECUTION SECTION FOR STAR JOIN
IC99419 CLI-BASED APPLICATIONS RECEIVE SQL0501N AGAINST DB2 Z/OS WHEN STORED PROCEDURE CALL HAS MULTIPLE CURSORS
IC99679 A REORG INPLACE OPERATION ON A TABLE WITH ADAPTIVE COMPRESSION ENABLED MIGHT FAIL OR RESULT IN AN INCORRECTLY COMPRESSED ROW
IT00270 SQL QUERY CONTAINING NODENUMBER PREDICATE MIGHT PRODUCE AN INCORRECT RESULT
IT00421 POTENTIAL INDEX CORRUPTION WHEN USING INDEX COMPRESSION AND UNICODE DATABASES WHICH USE UCA COLLATION WITH S(STRENGTH) = 1 OR 2
IT00510 REPLAY OF REORG-INDEX-RECLAIM-EXTENTS LOG RECORDS MIGHT LEAD TO INDEX CORRUPTION
IT00521 INCORRECT RESULT CAN BE RETURNED FOR COLUMN-ORGANIZED TABLES
IT00649 INCORRECT RESULTS FROM INSERT WITH VALUES, WHEN INSERTING TO A COLUMN-ORGANIZED TABLE
IT00712 INCORRECT RESULT IN COLUMN-ORGANIZED TABLES IN SQL WITH "COL >= RHS1 AND COL <= RHS2", IF BOTH DECIMALS AND DOUBLES ARE INVOLVED
IT00930 COLLATION_KEY_BIT MIGHT GENERATE EMPTY STRINGS IN ORACLE MODE IF INPUT STRING CONSISTS OF BLANKS
IT00933 IN DB2 DPF ENVIRONMENTS ONLY, A SPECIFIC TYPE OF QUERY AND RESULTING ACCESS PLAN MIGHT RETURN WRONG RESULTS
IT01000 CHAR(' ',0) RETURNS EMPTY STRING INSTEAD OF NULL IN VARCHAR2 ENABLED DATABASE.
IT01020 ROWS MISSING WHEN LARGE RESULT SET IS PRODUCED BY NULLS FIRST SORT ON INTEGER OR BIGINT
IT01024 POSSIBLE WRONG RESULTS WHEN INDEX JUMP SCANS ARE USED IN REFERENTIAL INTEGRITY CHECKING
IT01084 SQL STATEMENT WITH UNCORRELATED SUBQUERY PREDICATE MIGHT RETURN INCORRECT RESULTS WHEN INTRA_PARALLEL IS ENABLED
IT01088 SQL STATEMENT WITH ORDERED COLUMN GROUP OR PREDICATES MIGHT RETURN INCORRECT RESULT SET WHEN JUMP SCAN USED
IT01236 CONCURRENT DELETE CAUSED INCORRECT RESULTS IN UPDATE OF COLUMN-ORGANIZED TABLE
IT01256 QUERY MIGHT HAVE OR PREDICATE WRONGLY REMOVED RESULTING IN EXTRA ROWS IN THE RESULTS
IT01340 INCORRECT RESULTS MIGHT BE RETURNED WHEN QUERYING A COLUMN-ORGANIZED TABLE WHEN USING "GROUP BY "
IT01617 QUERIES WITH XMLTABLE FUNCTIONS MIGHT RETURN INCORRECT RESULTS WHEN MORE THAN ONE EQUAL PREDICATE IS USED IN WHERE CLAUSE
IT01656 TABLE SPACE ROLLFORWARD MIGHT NOT UNDO TRANSACTION CORRECTLY, LEAVING INCONSISTENT DATA
IT01662 INCORRECT RESULTS MIGHT BE PRODUCED WITH PREDICATES INVOLVING NULL CONSTANTS
IT01742 INCORRECT VALUES MIGHT BE INSERTED INTO A TABLE WHEN AN INCORRECT PLAN IS CHOSEN FOR INSERT FROM SELECT
IT01899 DB2 MIGHT PRODUCE INCORRECT RESULT WHEN REFERENCING EMPTY TABLE WITH AGGREGATE FUNCTIONS IN SUBSELECT
IT02004 INCORRECT RESULTS FROM COLUMN ORGANIZED TABLE WHEN WHERE CLAUSE HAS "OR ( IS NOT NULL AND IS NOT NULL)"
IT02047 ACCESS PLANS CONTAINING INDEX ORING BETWEEN MDC AND NON MDC INDEX MAY NOT FETCH ALL ROWS FROM SECOND EXECUTION ONWARDS
IT02214 INCORRECT RESULTS WHEN SELECTING "DISTINCT LENGTH( )" FROM A COLUMN-ORGANIZED TABLE
IT02215 INCORRECT RESULTS FROM COLUMN-ORGANIZED TABLE WHEN PREDICATE COMPARES NULL VS CAST(NULL AS )
IT02761 MISSING INDEX KEY OR WRONG RESULT WHEN USING EXCLUDE NULL KEYS RANDOM INDEXES AFTER SOME DATA PARTITION ATTACH OPERATION
IT02843 PERFORMING MEMBER CRASH RECOVERY IN PURESCALE WITH EHL ENABLED MIGHT CORRUPT THE TABLE IN CERTAIN SITUATIONS
IT03045 WRONG RESULTS WITH CONCURRENT UPDATES AND DELETES ON A COLUMN-ORGANIZED TABLE
IT03076 DATA CORRUPTION POSSIBLE AFTER RECREATING PAGE DICTIONARY
IT03203 INCORRECT RESULTS MIGHT BE RETURNED WHEN USING THE UNION SET OPERATOR TO SELECT FROM COLUMN-ORGANIZED TABLES
IT03642 INCORRECT RESULTS POSSIBLE IN CASES WHERE A COLUMN ORGANIZED TABLE IS MODIFIED BY TWO TRANSACTIONS AT THE SAME TIME
IT16779 QUERY USING ZIGZAG IN THE ACCESS PLAN MIGHT PRODUCE WRONG RESULTS WHEN IN2JOIN IS IN THE ACCESS PLAN AS WELL
IV64020 EXPANDING (NOT EARLY OUT) JOIN OF MORE THAN 2 COLUMN-ORGANIZED TABLES MIGHT CAUSE INCORRECT RESULTS


DB2 Version 10.5 Fix Pack 3a
Security APARs
IC99477 Security: IBM DB2 is impacted by multiple TLS/SSL security vulnerabilities (CVE-2013-6747, CVE-2014-0963)
IC99481 SECURITY: VULNERABILITY IN STORED PROCEDURE INFRASTRUCTURE CAN ALLOW ESCALATION OF PRIVILEGE TO ADMINISTRATOR (CVE-2013-6744).
IT00687 SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2014-0907)


-->

DB2 Version 10.5 Fix Pack 3
Security APARs
IC94939 SECURITY: DENIAL OF SERVICE VULNERABILITY IN DB2's FAST COMMUNICATIONS MANAGER. (CVE-2013-4032)
IC97472 SECURITY: NULL POINTER DEREFERENCE IN DB2'S XSLT PARSING ENGINE (CVE-2013-5466).
IC97738 SECURITY: QUERY WITH OLAP SPECIFICATION CAUSES DB2 SERVER TO SHUTDOWN DATABASE. (CVE-2013-6717)
HIPER APARs
IC94890 THERE MIGHT BE A DOUBLE FREE OR LIST CORRUPTION IN THE SQLRLC_CSM_DEFUNCT() FUNCTION
IC95146 THE LOAD COMMAND WITH THE REMOTE FETCH OR SOURCEUSEREXIT OPTIONS MIGHT FAIL TO INSERT SOME ROWS INTO A TABLE
IC95522 THE QUERY STATEMENT WITH A SUBQUERY PREDICATE MIGHT NOT RETURN ROWS AFTER ENABLING DB2_COMPATIBILITY_VECTOR=ORA
IC95669 TCP CONNECTIONS FROM NON-HADR DATABASE SOFTWARE TO THE STANDBY MIGHT ALTER THE HADR STATE AND STALL LOG SHIPPING ON THE PRIMARY
IC95689 THE ROUND FUNCTION WITH A MINIMUM VALUE FOR INTEGER AND BIGINT VALUES IS NOT RETURNING THE CORRECT RESULTS
IC96922 USER-DEFINED FUNCTION WITH INDEX EXTENSION EXPLOITATION MIGHT RETURN INCORRECT RESULTS IF INDEX IS NOT PRESENT
IC97269 THE DBMS_LOB.COMPARE FUNCTION AND DBMS_LOB.READ PROCEDURE DO NOT PROCESS CLOBS CORRECTLY IF MULTI-BYTE CHARACTERS ARE PRESENT
IC97340 QUERIES WITH THE XMLTABLE FUNCTION MIGHT RETURN INCORRECT RESULTS
IC97805 UNEXPECTED LOCK ESCALATIONS ON DB2 PURESCALE SYSTEMS USING STMM LOCKLIST TUNING OR MANUAL DYNAMIC UPDATE OF LOCKLIST SETTING
IC97851 INCORRECT RESULT IN UNICODE DB WITH LIKE PREDICATE AND FULLWIDTH UNDERSCORE WILD CHARACTER ON A CLOB COLUMN
IC97928 ALTER TABLE DROP COLUMN ON A TABLE WITH AN INDEX WITH RANDOM ORDERING MIGHT LEAD TO INDEX CORRUPTION
IC98160 POSSIBLE INCORRECT RESULT ON MULTIPLE OUTER JOINS AND A COMBINATION OF EQUALITY JOIN PREDICATES AND LOCAL PREDICATES
IC98350 A QUERY WITH AN OR PREDICATE MIGHT RETURN INCORRECT RESULTS
IC98875 QUERY ON PARTITIONED TABLE MIGHT FAIL WITH SQLD_BADPAGE AND SQLDFETCHDIRECT PROBE: 5395 ERRORS WHEN RUNNING EHL
IT00671 INCORRECT RESULTS FROM COLUMN-ORGANIZED TABLE WHEN LIKE IS DONE AGAINST A COLUMN WHICH IS ENCODED WITH FORCED PREFIX COMPRESSION
IT03122 RECOVERING A FAILED ONLINE INCREMENTAL LOAD ON AN INDEX CREATED WITH THE "PCTFREE 0" OPTION MIGHT CORRUPT THE INDEX
IV53366 MINOR POSSIBILITY OF WRONG RESULTS DURING INEQUALITY PREDICATE PROCESSING ON CHAR OR GRAPHIC COLUMNS IN COLUMN-ORGANIZED TABLES


-->

DB2 Version 10.5 Fix Pack 1
Security APARs
IC94758 SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)
HIPER APARs
IC93971 INDEX / DATA MISMATCH MIGHT OCCUR IN AN MDC TABLE AFTER A DEFERRED ROLLOUT
IC94095 EXCESSIVELY LARGE MEMORY ALLOCATION ATTEMPTS FROM FAST INTEGER SORT DUE TO WRONG MEMORY SIZE CALCULATION
IC94298 RANGE PARTITIONED TABLES DEFINED WITH A NULLS FIRST PARTITIONING COLUMN MIGHT RETURN INCORRECT RESULTS
IC94991 BITWISE SCALAR FUNCTIONS MIGHT RETURN INCORRECT RESULTS WHEN USED WITH DECFLOAT DATATYPE ON AIX POWER7
IV46859 LOAD INTO COLUMN-ORGANIZED TABLE MAY CORRUPT DATA RESULTING IN INCORRECT RESULTS
IV46889 ERRORS AFTER RESTORING AN ONLINE BACKUP TAKEN WHILE LOADING INTO A COLUMN-ORGANIZED TABLE






DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


My Notifications
Sign-up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications
2. select Subscribe tab
3. select "Information Management" from the Software column
4. select the check box for "DB2 for Linux, UNIX and Windows"
click the Continue button.
5. select the check box for "Flashes" and all other document types
click the Submit button.

For more information about My Notifications please click on



Cross reference information
Product Component Platform Version Edition
DB2 Connect 10.5

Document information

More support for: DB2 for Linux, UNIX and Windows

Component: Security / Plug-Ins - Security Vulnerability

Software version: 10.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1647054

Modified date: 28 January 2019