(UPDATED) Central Processor Unit (CPU) Architectural Design Flaws - additional guidance for Db2 customers

Content

IBM has published overall summaries on the CPU vulnerability recently disclosed by Google (see links below), commonly referred to as Spectre /Meltdown. This note contains additional context for Db2 customers.

At this time, we are not aware of any specific security exposures within Db2 itself on this issue.

Due to the nature of the problem, Db2 and customer information held within system memory could potentially be exposed to a malicious 3rd party application (i.e. one that leveraged this flaw) running on the same platform regardless of the type of environment or Db2 configuration. These malicious applications could include:

• Independent applications running on the same system as Db2
• External stored procedures executing within Db2.

For mitigation of the security risks, refer to the "How to Mitigate Risks Linked With This Flaw?" section in the IBM summary of the issue listed below for guidance.

Db2 customers are reminded of the existing security risks associated with external routines that should always be considered. These risks are outlined in the "Security considerations for routines" section of the Db2 documentation (https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.apdv.routines.doc/doc/c0009189.html).

If an external routine is not trusted, it is highly recommended to define the routine to Db2 with one of these clauses:

• FENCED in order to protect database manager resources
• FENCED NOT THREADSAFE in order to to protect both database manager resources and those of other FENCED routines.

Db2 will be impacted by any performance degradation caused by patches to other system components used by Db2. An assessment of the degree of impact on Db2 performance will be conducted. We will provide further information on this aspect as it becomes available.

IBM summary of the issue: https://securityintelligence.com/cpu-vulnerability-can-allow-attackers-to-read-privileged-kernel-memory-and-leak-data/

IBM Flash bulletin on the issue: http://www-01.ibm.com/support/docview.wss?uid=swg22012320

IBM PSIRT Blog entries:

• Potential CPU Security Issue (February 10, 2018): https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/
• Potential Impact on Processors in the POWER Family (May 21, 2018): https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Specific vulnerability identification:

• Branch Target Injection (CVE-2017-5715, AKA spectre)
• Bounds Check Bypass (CVE-2017-5753, AKA spectre)
• Rogue Data Cache Load (CVE-2017-5754, AKA meltdown)
• Speculative Store Bypass (CVE-2018-3639, AKA variant #4)
• Rogue System Register Read (CVE-2018-3640, AKA variant #3a)