Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for Linux, UNIX, and Windows Version 10.5

Flash (Alert)


Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2 Version 10.5.

IBM® recommends that you review the APAR descriptions and deploy one of the above fix packs to correct them on your affected DB2 installations.

Content

A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:

DB2 Connect Server (all Editions)
DB2 Developer Edition
DB2 Enterprise Server (all Editions)
DB2 Express Server (all Editions)
DB2 Workgroup Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 Version 10.5 fix packs.

Select a Fix Pack: 5 4 3a 3 1

DB2 Version 10.5 Fix Pack 5
Security APARs
IT04138 SECURITY: Multiple ALTER TABLE statements can cause DB2 to terminate (CVE-2014-6210).
IT04730 SECURITY: DB2 may terminate abnormally when issuing an ALTER TABLE statement with AUTO_REVAL set to IMMEDIATE (CVE-2014-6159).
IT04786 SECURITY: ALTER TABLE on an identity column may cause DB2 to terminate (CVE-2014-6209).
IT05933 SECURITY: XML QUERY WILL CAUSE DB2 TO INCREASE CPU USAGE (CVE-2014-8901).
HIPER APARs
IT03298 INSERT MIGHT NOT RESPOND OR BE VERY SLOW OR HANG ON PURESCALE SYSTEMS
IT03970 PERFORMING MEMBER CRASH RECOVERY IN PURESCALE WITH EHL ENABLED MIGHT CORRUPT THE TABLE IN CERTAIN SITUATIONS
IT04173 SQL STATEMENT WITH MULTIPLE SIMILAR CORRELATED SUBEXPRESSIONS MIGHT RETURN INCORRECT RESULTS
IT04307 INCORRECT RESULTS FROM A COLUMN-ORGANIZED TABLE WHEN OPERATIONS INCLUDE NEGATIVE FLOAT/DOUBLE VALUES AND A RESULT OF ZERO
IT04326 PACKAGE CACHE MEMORY USE CAN EXCEED CONFIGURED SIZE RESULTING IN MEMORY EXHAUSTION ON DB2 Cancun Release 10.5.0.4.
IT04426 "<TIMESTAMP_COLUMN> + <DECIMAL_COLUMN> SECONDS" MIGHT PRODUCE INCORRECT RESULTS IN COLUMN-ORGANIZED TABLES
IT04660 RESTORE DATABASE MIGHT INTRODUCE CORRUPTION IN OBJECTS THAT RESIDE IN SMS TABLESPACES AND ARE LARGER THAN 2GB (WINDOWS ONLY)
IT04924 WHEN INTRA_PARALLEL ENABLED, SQL STATEMENT WITH IN PREDICATE MIGHT RETURN INCORRECT RESULTS
IT05009 SEVERE MEMORY LEAK IN DATABASE MEMORY ON DB2 10.5 FIX PACK 4 IN DPF ENVIRONMENTS WITH INTRAPARTITION PARALLELISM ENABLED
IT05044 INCORRECT RESULTS MIGHT BE RETURNED FOR A QUERY INVOLVING AN AGGREGATION FUNCTION AND AN OUTER JOIN OPERATOR
IT05068 POTENTIAL CORRUPTION DURING READAHEAD DATA PREFETCHING WHEN A DECIMAL KEY PART IS USED WITH INDEX COMPRESSION
IT05185 SQL STATEMENT WITH REPARTITIONED JOINS MIGHT RETURN INCORRECT RESULTS IN A DPF SYSTEM
IT05194 TABLE MAY BE INCONSISTENT AFTER INPLACE TABLE REORG IN PURESCALE WITH EXPLICIT HIERARCHICAL LOCKING ENABLED
IT05812 INCORRECT RESULTS MIGHT BE RETURNED FOR COLUMN-ORGANIZED TABLES WITH AN ENFORCED PRIMARY KEY OR UNIQUE CONSTRAINTS
IT05898 WRONG RESULTS RECEIVED FOR A QUERY DUE TO INCORRECT INTERNAL COLUMN STRUCTURES
IT05904 INCORRECT RESULTS MIGHT BE PRODUCED IF HSJOIN HAS 2 NLJNs ON THE PROBE SIDE AND HSJN PROBE PUSH DOWN INTO THE SECOND NLJN DONE

DB2 Version 10.5 Fix Pack 4
Security APARs
IT02201 SECURITY: DB2 IS AFFECTED BY THE JSON-C HASH FUNCTION DENIAL OF SERVICE VULNERABILITY (CVE-2013-6371 )
IT02291 Security: DB2 contains a denial of service vulnerability in ALTER MODULE statement handling. (CVE-2014-3094)
IT02433 SECURITY: DB2 contains a denial of service vulnerability in SQL Compiler (CVE-2014-3095)
IT03761 Security: Unauthorized Access to user data vulnerability in DB2 during certain LOAD operations into CDE tables (CVE-2014-4805)
HIPER APARs
IC99419 CLI-BASED APPLICATIONS RECEIVE SQL0501N AGAINST DB2 Z/OS WHEN STORED PROCEDURE CALL HAS MULTIPLE CURSORS
IC99679 A REORG INPLACE OPERATION ON A TABLE WITH ADAPTIVE COMPRESSION ENABLED MIGHT FAIL OR RESULT IN AN INCORRECTLY COMPRESSED ROW
IT00270 SQL QUERY CONTAINING NODENUMBER PREDICATE MIGHT PRODUCE AN INCORRECT RESULT
IT00421 POTENTIAL INDEX CORRUPTION WHEN USING INDEX COMPRESSION AND UNICODE DATABASES WHICH USE UCA COLLATION WITH S(STRENGTH) = 1 OR 2
IT00510 REPLAY OF REORG-INDEX-RECLAIM-EXTENTS LOG RECORDS MIGHT LEAD TO INDEX CORRUPTION
IT00521 INCORRECT RESULT CAN BE RETURNED FOR COLUMN-ORGANIZED TABLES
IT00649 INCORRECT RESULTS FROM INSERT WITH VALUES, WHEN INSERTING TO A COLUMN-ORGANIZED TABLE
IT00712 INCORRECT RESULT IN COLUMN-ORGANIZED TABLES IN SQL WITH "COL >= RHS1 AND COL <= RHS2", IF BOTH DECIMALS AND DOUBLES ARE INVOLVED
IT00930 COLLATION_KEY_BIT MIGHT GENERATE EMPTY STRINGS IN ORACLE MODE IF INPUT STRING CONSISTS OF BLANKS
IT00933 IN DB2 DPF ENVIRONMENTS ONLY, A SPECIFIC TYPE OF QUERY AND RESULTING ACCESS PLAN MIGHT RETURN WRONG RESULTS
IT01000 CHAR(' ',0) RETURNS EMPTY STRING INSTEAD OF NULL IN VARCHAR2 ENABLED DATABASE.
IT01020 ROWS MISSING WHEN LARGE RESULT SET IS PRODUCED BY NULLS FIRST SORT ON INTEGER OR BIGINT
IT01024 POSSIBLE WRONG RESULTS WHEN INDEX JUMP SCANS ARE USED IN REFERENTIAL INTEGRITY CHECKING
IT01084 SQL STATEMENT WITH UNCORRELATED SUBQUERY PREDICATE MIGHT RETURN INCORRECT RESULTS WHEN INTRA_PARALLEL IS ENABLED
IT01088 SQL STATEMENT WITH ORDERED COLUMN GROUP OR PREDICATES MIGHT RETURN INCORRECT RESULT SET WHEN JUMP SCAN USED
IT01236 CONCURRENT DELETE CAUSED INCORRECT RESULTS IN UPDATE OF COLUMN-ORGANIZED TABLE
IT01256 QUERY MIGHT HAVE OR PREDICATE WRONGLY REMOVED RESULTING IN EXTRA ROWS IN THE RESULTS
IT01340 INCORRECT RESULTS MIGHT BE RETURNED WHEN QUERYING A COLUMN-ORGANIZED TABLE WHEN USING "GROUP BY "
IT01617 QUERIES WITH XMLTABLE FUNCTIONS MIGHT RETURN INCORRECT RESULTS WHEN MORE THAN ONE EQUAL PREDICATE IS USED IN WHERE CLAUSE
IT01656 TABLE SPACE ROLLFORWARD MIGHT NOT UNDO TRANSACTION CORRECTLY, LEAVING INCONSISTENT DATA
IT01662 INCORRECT RESULTS MIGHT BE PRODUCED WITH PREDICATES INVOLVING NULL CONSTANTS
IT01742 INCORRECT VALUES MIGHT BE INSERTED INTO A TABLE WHEN AN INCORRECT PLAN IS CHOSEN FOR INSERT FROM SELECT
IT01899 DB2 MIGHT PRODUCE INCORRECT RESULT WHEN REFERENCING EMPTY TABLE WITH AGGREGATE FUNCTIONS IN SUBSELECT
IT02004 INCORRECT RESULTS FROM COLUMN ORGANIZED TABLE WHEN WHERE CLAUSE HAS "OR ( IS NOT NULL AND IS NOT NULL)"
IT02047 ACCESS PLANS CONTAINING INDEX ORING BETWEEN MDC AND NON MDC INDEX MAY NOT FETCH ALL ROWS FROM SECOND EXECUTION ONWARDS
IT02214 INCORRECT RESULTS WHEN SELECTING "DISTINCT LENGTH( )" FROM A COLUMN-ORGANIZED TABLE
IT02215 INCORRECT RESULTS FROM COLUMN-ORGANIZED TABLE WHEN PREDICATE COMPARES NULL VS CAST(NULL AS )
IT02761 MISSING INDEX KEY OR WRONG RESULT WHEN USING EXCLUDE NULL KEYS RANDOM INDEXES AFTER SOME DATA PARTITION ATTACH OPERATION
IT02843 PERFORMING MEMBER CRASH RECOVERY IN PURESCALE WITH EHL ENABLED MIGHT CORRUPT THE TABLE IN CERTAIN SITUATIONS
IT03045 WRONG RESULTS WITH CONCURRENT UPDATES AND DELETES ON A COLUMN-ORGANIZED TABLE
IT03076 DATA CORRUPTION POSSIBLE AFTER RECREATING PAGE DICTIONARY
IT03203 INCORRECT RESULTS MIGHT BE RETURNED WHEN USING THE UNION SET OPERATOR TO SELECT FROM COLUMN-ORGANIZED TABLES
IT03642 INCORRECT RESULTS POSSIBLE IN CASES WHERE A COLUMN ORGANIZED TABLE IS MODIFIED BY TWO TRANSACTIONS AT THE SAME TIME
IV64020 EXPANDING (NOT EARLY OUT) JOIN OF MORE THAN 2 COLUMN-ORGANIZED TABLES MIGHT CAUSE INCORRECT RESULTS

DB2 Version 10.5 Fix Pack 3a
Security APARs
IC99477 Security: IBM DB2 is impacted by multiple TLS/SSL security vulnerabilities (CVE-2013-6747, CVE-2014-0963)
IC99481 SECURITY: VULNERABILITY IN STORED PROCEDURE INFRASTRUCTURE CAN ALLOW ESCALATION OF PRIVILEGE TO ADMINISTRATOR (CVE-2013-6744).
IT00687 SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2014-0907)

DB2 Version 10.5 Fix Pack 3
Security APARs
IC94939 SECURITY: DENIAL OF SERVICE VULNERABILITY IN DB2's FAST COMMUNICATIONS MANAGER. (CVE-2013-4032)
IC97472 SECURITY: NULL POINTER DEREFERENCE IN DB2'S XSLT PARSING ENGINE (CVE-2013-5466).
IC97738 SECURITY: QUERY WITH OLAP SPECIFICATION CAUSES DB2 SERVER TO SHUTDOWN DATABASE. (CVE-2013-6717)
HIPER APARs
IC94890 THERE MIGHT BE A DOUBLE FREE OR LIST CORRUPTION IN THE SQLRLC_CSM_DEFUNCT() FUNCTION
IC95146 THE LOAD COMMAND WITH THE REMOTE FETCH OR SOURCEUSEREXIT OPTIONS MIGHT FAIL TO INSERT SOME ROWS INTO A TABLE
IC95522 THE QUERY STATEMENT WITH A SUBQUERY PREDICATE MIGHT NOT RETURN ROWS AFTER ENABLING DB2_COMPATIBILITY_VECTOR=ORA
IC95669 TCP CONNECTIONS FROM NON-HADR DATABASE SOFTWARE TO THE STANDBY MIGHT ALTER THE HADR STATE AND STALL LOG SHIPPING ON THE PRIMARY
IC95689 THE ROUND FUNCTION WITH A MINIMUM VALUE FOR INTEGER AND BIGINT VALUES IS NOT RETURNING THE CORRECT RESULTS
IC96922 USER-DEFINED FUNCTION WITH INDEX EXTENSION EXPLOITATION MIGHT RETURN INCORRECT RESULTS IF INDEX IS NOT PRESENT
IC97269 THE DBMS_LOB.COMPARE FUNCTION AND DBMS_LOB.READ PROCEDURE DO NOT PROCESS CLOBS CORRECTLY IF MULTI-BYTE CHARACTERS ARE PRESENT
IC97290 INSTANCE MIGHT ABEND OR RETURN INCORRECT RESULTS DUE TO AN INCORRECT EXECUTION SECTION FOR STAR JOIN
IC97340 QUERIES WITH THE XMLTABLE FUNCTION MIGHT RETURN INCORRECT RESULTS
IC97805 UNEXPECTED LOCK ESCALATIONS ON DB2 PURESCALE SYSTEMS USING STMM LOCKLIST TUNING OR MANUAL DYNAMIC UPDATE OF LOCKLIST SETTING
IC97851 INCORRECT RESULT IN UNICODE DB WITH LIKE PREDICATE AND FULLWIDTH UNDERSCORE WILD CHARACTER ON A CLOB COLUMN
IC97928 ALTER TABLE DROP COLUMN ON A TABLE WITH AN INDEX WITH RANDOM ORDERING MIGHT LEAD TO INDEX CORRUPTION
IC98160 POSSIBLE INCORRECT RESULT ON MULTIPLE OUTER JOINS AND A COMBINATION OF EQUALITY JOIN PREDICATES AND LOCAL PREDICATES
IC98350 A QUERY WITH AN OR PREDICATE MIGHT RETURN INCORRECT RESULTS
IT00671 INCORRECT RESULTS FROM COLUMN-ORGANIZED TABLE WHEN LIKE IS DONE AGAINST A COLUMN WHICH IS ENCODED WITH FORCED PREFIX COMPRESSION
IV53366 WRONG RESULTS POSSIBLE FOR CHAR AND GRAPHIC COLUMNS IN COLUMN-ORGANIZED TABLES DURING PREDICATE PROCESSING

DB2 Version 10.5 Fix Pack 1
Security APARs
IC94758 SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)
HIPER APARs
IC93971 INDEX / DATA MISMATCH MIGHT OCCUR IN AN MDC TABLE AFTER A DEFERRED ROLLOUT
IC94095 EXCESSIVELY LARGE MEMORY ALLOCATION ATTEMPTS FROM FAST INTEGER SORT DUE TO WRONG MEMORY SIZE CALCULATION
IC94298 RANGE PARTITIONED TABLES DEFINED WITH A NULLS FIRST PARTITIONING COLUMN MIGHT RETURN INCORRECT RESULTS
IC94991 BITWISE SCALAR FUNCTIONS MIGHT RETURN INCORRECT RESULTS WHEN USED WITH DECFLOAT DATATYPE ON AIX POWER7
IC98875 QUERY ON PARTITIONED TABLE MIGHT FAIL WITH SQLD_BADPAGE AND SQLDFETCHDIRECT PROBE: 5395 ERRORS WHEN RUNNING EHL
IV46859 LOAD INTO COLUMN-ORGANIZED TABLE MAY CORRUPT DATA RESULTING IN INCORRECT RESULTS
IV46889 ERRORS AFTER RESTORING AN ONLINE BACKUP TAKEN WHILE LOADING INTO A COLUMN-ORGANIZED TABLE





DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


My Notifications
Sign-up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications
2. select Subscribe tab
3. select "Information Management" from the Software column
4. select the check box for "DB2 for Linux, UNIX and Windows"
click the Continue button.
5. select the check box for "Flashes" and all other document types
click the Submit button.


Cross reference information
Segment Product Component Platform Version Edition
Information Management DB2 Connect 10.5

Rate this page:

(0 users)Average rating

Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

10.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1647054

Modified date:

2014-12-11

Translate my page

Machine Translation

Content navigation