IBM Support

Central Processor Unit (CPU) Architectural Design Flaws - additional guidance for Db2 customers

Flash (Alert)


Abstract

Additional information for Db2 customers on the CPU vulnerability recently disclosed by Google

Content


IBM has published overall summaries on the CPU vulnerability recently disclosed by Google (see links below), commonly referred to as spectre / meltdown. This note contains additional context for Db2 customers.

At this time, we are not aware of any specific security exposures within Db2 itself on this issue.

Due to the nature of the problem, Db2 and customer information held within system memory could potentially be exposed to a malicious 3rd party application (i.e. one that leveraged this flaw) running on the same platform regardless of the type of environment or Db2 configuration. These malicious applications could include:

  • Independent applications running on the same system as Db2
  • External stored procedures executing within Db2.
For mitigation of the security risks, refer to the "How to Mitigate Risks Linked With This Flaw?" section in the IBM summary of the issue listed below for guidance.

Db2 will be impacted by any performance degradation caused by patches to other system components used by Db2. An assessment of the degree of impact on Db2 performance will be conducted. We will provide further information on this aspect as it becomes available.

IBM summary of the issue: https://securityintelligence.com/cpu-vulnerability-can-allow-attackers-to-read-privileged-kernel-memory-and-leak-data/

IBM Flash bulletin on the issue: http://www-01.ibm.com/support/docview.wss?uid=swg22012320

Specific vulnerability identification:
  • Branch Target Injection (CVE-2017-5715, AKA spectre)
  • Bounds Check Bypass (CVE-2017-5753, AKA spectre)
  • Rogue Data Cache Load (CVE-2017-5754, AKA meltdown)

Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 9.7, 10.1, 10.5, 11.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 2012554

Modified date: 11 January 2018


Translate this page: