Central Processor Unit (CPU) Architectural Design Flaws - additional guidance for Db2 customers
Additional information for Db2 customers on the CPU vulnerability recently disclosed by Google
IBM has published overall summaries of the CPU vulnerability recently disclosed by Google (see links below), commonly referred to as Spectre / Meltdown. This note contains additional context for Db2 customers.
At this time, we are not aware of any specific security exposures within Db2 itself on this issue.
Due to the nature of the problem, Db2 and customer information held within system memory could potentially be exposed to a malicious third-party application (i.e., one that leveraged this flaw) running on the same platform, regardless of the type of environment or Db2 configuration. These malicious applications could include:
- Independent applications running on the same system as Db2
- External stored procedures executing within Db2
Db2 will be impacted by any performance degradation caused by patches to other system components used by Db2. An assessment of the degree of impact on Db2 performance will be conducted. We will provide further information on this aspect as it becomes available.
IBM summary of the issue: https://securityintelligence.com/cpu-vulnerability-can-allow-attackers-to-read-privileged-kernel-memory-and-leak-data/
IBM Flash bulletin on the issue: http://www-01.ibm.com/support/docview.wss?uid=swg22012320
Specific vulnerability identification:
- Branch Target Injection (CVE-2017-5715, AKA Spectre)
- Bounds Check Bypass (CVE-2017-5753, AKA Spectre)
- Rogue Data Cache Load (CVE-2017-5754, AKA Meltdown)
More support for:
DB2 for Linux, UNIX and Windows
Software version: 9.7, 10.1, 10.5, 11.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 2012554
Modified date: 11 January 2018