IBM Support

IZ05496: SECURITY: Buffer overflow and invalid memory access vulnerability in DAS server code.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Buffer overflow and Invalid memory access vulnerability exists
    in DAS server code. If an attacker sends a specifically crafted
    string to DAS server, it may crash.
    DAS server may crash in the middle of an operation; it will
    affect the clients from connecting to the DAS server thereon.
    Jobs which are scheduled using DAS Scheduler will not run after
    the crash.
    If we enabled the Fault monitor daemon to restart the DAS,
    results of the crash can be minimized.
    
    This problem were reported to IBM by an anonymous researcher
    working with the iDefense Vulnerability Contributor Program
    (VCP) and Joshua J. Drake of iDefense Labs."
    
    This APAR addresses the issues described by CVE-2007-3676 at
    cve.mitre.org
    

Local fix

  • There is no local fix.
    To crash the DAS server using the arbitrary code an attacker
    needs the access to the target system. So restricting
    unauthorized users to assess the Server system will not allow
    this breach.
    

Problem summary

  • .
    Users affected: potentially anyone.
    .
    Problem Description: DAS security issue
    .
    

Problem conclusion

  • .
    First fixed in DB2 UDB Version 8, FixPak 16
    .
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ05496

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    820

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-09-27

  • Closed date

    2008-02-14

  • Last modified date

    2008-02-14

  • APAR is sysrouted FROM one or more of the following:

    IZ05478

  • APAR is sysrouted TO one or more of the following:

    IZ37124

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R820 PSY UP

       IZ05496



Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 820

Reference #: IZ05496

Modified date: 14 February 2008