Security Bulletin: Escalation of Privilege Vulnerability in IBM® DB2® Stored Procedure Infrastructure on Windows (CVE-2013-6744)
Vulnerability in IBM DB2 for Linux, Unix and Windows could allow an authenticated user to obtain elevated privilege on Windows.
CVE ID: CVE-2013-6744
The IBM DB2 products listed below contain a security vulnerability that could
allow an authenticated user to exploit a vulnerability in DB2's Stored Procedure infrastructure to obtain elevated privilege on Windows.
To exploit the vulnerability the malicious user would need:
1. Valid credential to connect to database
2. CONNECT privilege on database
3. CREATE_EXTERNAL_ROUTINE authority to create an external routine. This privilege is not granted to PUBLIC by default.
CVSS Base Score: 8.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89860 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Affected Products and Versions
The following IBM DB2 and DB2 Connect V9.1, V9.5, V9.7, V10.1 and V10.5 editions running on Windows are vulnerable. DB2 on AIX, Linux, HP and Solaris are not vulnerable.
IBM DB2 Express Edition
IBM DB2 Workgroup Server Edition
IBM DB2 Enterprise Server Edition
IBM DB2 Connect™ Application Server Edition
IBM DB2 Connect Application Server Advanced Edition
IBM DB2 Connect Enterprise Edition
IBM DB2 Connect Unlimited Edition for System i®
IBM DB2 Connect Unlimited Edition for System z®
IBM DB2 Connect Unlimited Advanced Edition for System z
IBM DB2 10.1 pureScale Feature
IBM DB2 10.5 Advanced Enterprise Server Edition
IBM DB2 10.5 Advanced Workgroup Server Edition
IBM DB2 10.5 Developer Edition for Linux, Unix and Windows
NOTE: The DB2 Connect products mentioned are affected only if a local database has been created.
The recommended solution is to apply the appropriate fix for this vulnerability.
The fix for this vulnerability is available for download for DB2 and DB2 Connect release V10.1 FP4 from Fix Central. Releases V9.7 FP9, V10.1 FP3, and V10.5 FP3 were updated with the fix and is available from Fix Central as V9.7 FP9a, V10.1 FP3a, and V10.5 FP3a, respectively.
A special build with an interim patch for this issue may be requested for DB2 and DB2 Connect V9.5 FP9 & FP10, V9.7 FP8 and V10.5 FP2. Please contact your service representative to request the special build and reference the APAR number for the release you want. Customers on fixpack levels lower than those listed above should update to a fixed fix pack level.
DB2 and DB2 Connect V9.1 are no longer supported and therefore no patch will be made available. Please upgrade to a supported version of DB2 or DB2 Connect, as applicable, and apply the fix. Customers who have an extended support contract for this version may contact support to request a fix under the terms of their contract.
|V9.5||IC98849||Please contact technical support.|
Enabling the fix:
The fix is not enabled by default to prevent potential application failures. Enabling the fix will cause stored procedures to run with restricted privileges and the restrictions could potentially cause some user written stored procedures to fail.
There are two parts to enabling the fix. For the first part, follow the instructions in Restricting operating system privileges of the db2fmp process (Windows) which is applicable to all DB2 releases. With this fix, the stated restriction is removed and LocalSystem can now be used as the DB2 service account.
For the second part, the following command needs to be run from a Windows command prompt by a Windows administrator:
SC SIDTYPE <DB2-service-name> UNRESTRICTED
Where <DB2-service-name> is the name of the Windows service given to the DB2 server. You can view the list of installed services on your machine by using the Windows Services console. After the changes are made, the DB2 server needs to be stopped and restarted for the changes to take effect.
Contact Technical Support:
Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Workarounds and Mitigations
Get Notified about Future Security Bulletins
On-line Calculator v2
IBM Product Security Incident Response Blog
Danny Tsechansky at McAfee.com
May 26, 2014: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
|Information Management||DB2 Connect||Windows||9.7, 9.5, 10.1, 10.5||Application Server, Enterprise Server, Personal, Unlimited for System i, Unlimited for System z|
More support for:
DB2 for Linux, UNIX and Windows
Security / Plug-Ins - Security Vulnerability
Software version: 9.1, 9.5, 9.7, 10.1, 10.5
Operating system(s): Windows
Software edition: Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server
Reference #: 1673947
Modified date: 03 September 2014
Translate this page: