
=====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN103
_____________________________________________________________________

DATE                : 08/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : AIX, HP-UX, Linux, Solaris, Windows running
                                  IBM DB2 version 9.5.

======================================================================
http://www-01.ibm.com/support/docview.wss?uid=swg21586193
_______________________________________________________________________

Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX,
and Windows Version 9.5 Fix Pack 9
Flash (Alert)

Abstract

This document contains a list of fixes for HIPER APARs in DB2 Version
9.5 Fix Pack 9.

IBM® recommends that you review the APAR descriptions and deploy one of
the above fix packs to correct them on your affected DB2 installations.


Content

A set of HIPER APARs were discovered in some DB2 database products.
These APARs were analysed by the DB2 development organization and a
set of corresponding fixes was created to address the reported issues.
IBM is not currently aware of any externally reported incidents where
production DB2 installations have been compromised due to these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

    * DB2 Enterprise Server Edition
    * DB2 Workgroup Server (all Editions)
    * DB2 Express Server (all Editions)
    * DB2 Personal Edition
    * DB2 Connect Server (all Editions)


DB2 Client component and DB2 products or components other than those
listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported
service issues, it is not feasible to retrofit the same fixes into
earlier DB2 Version 9.5 fix packs.
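Because the fixes are only available in 9.5 Fix Pack 9, the practical check for an administrator is whether each instance reports that level. The following script is an added example, not code from IBM or from CERT-Renater: it parses the version string and the "Fix Pack" token that the `db2level` command prints, and flags an instance as in scope for this flash when it is DB2 9.5 below Fix Pack 9. The sample outputs are constructed; only the `"DB2 vX.Y.Z.W"` and `Fix Pack "N"` tokens follow the real command's format, every other token is a placeholder. The live check assumes `db2level` is on the PATH of the instance owner. Product edition (server vs. client) is not visible in this output and must be confirmed separately.

```python
import re
import subprocess
from typing import Optional, Dict

# Constructed samples of `db2level` output. The version string and the
# "Fix Pack" token follow the real command's format; the code release,
# level identifier and build tokens are placeholders, not real values.
SAMPLE_95_FP3 = (
    'DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release '
    '"PLACEHOLDER" with\nlevel identifier "PLACEHOLDER".\n'
    'Informational tokens are "DB2 v9.5.0.3", "PLACEHOLDER", "PLACEHOLDER", and Fix\n'
    'Pack "3".\n'
    'Product is installed at "/opt/ibm/db2/V9.5".\n'
)
SAMPLE_95_FP9 = (
    'DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release '
    '"PLACEHOLDER" with\nlevel identifier "PLACEHOLDER".\n'
    'Informational tokens are "DB2 v9.5.0.9", "PLACEHOLDER", "PLACEHOLDER", and Fix\n'
    'Pack "9".\n'
    'Product is installed at "/opt/ibm/db2/V9.5".\n'
)

# The command wraps long lines, so "Fix Pack" may be split across a line
# break; allow any whitespace between the two words.
_VERSION_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')
_FIXPACK_RE = re.compile(r'Fix\s+Pack\s+"(\d+)"')


def parse_db2level(text: str) -> Optional[Dict]:
    """Extract the four-part version and the fix pack number from db2level output.

    Returns None when no version string is found (unexpected or truncated output).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    fp = _FIXPACK_RE.search(text)
    # Assumption: if the Fix Pack token is missing, fall back to the fourth
    # version component, which tracks the fix pack number in the 9.5 stream.
    fixpack = int(fp.group(1)) if fp else version[3]
    return {"version": version, "fixpack": fixpack}


def affected_by_flash(info: Dict) -> bool:
    """True when the instance is DB2 9.5 below Fix Pack 9, the level this flash fixes.

    Other version streams are outside the scope of this document and return False.
    """
    major, minor = info["version"][:2]
    return (major, minor) == (9, 5) and info["fixpack"] < 9


def check_instance() -> bool:
    """Run db2level on this host and report whether the instance needs FP9."""
    out = subprocess.run(["db2level"], capture_output=True, text=True).stdout
    info = parse_db2level(out)
    if info is None:
        raise RuntimeError("could not parse db2level output")
    return affected_by_flash(info)


if __name__ == "__main__":
    for label, sample in (("FP3 sample", SAMPLE_95_FP3), ("FP9 sample", SAMPLE_95_FP9)):
        info = parse_db2level(sample)
        state = "needs FP9" if affected_by_flash(info) else "at or above FP9"
        print(f"{label}: v{'.'.join(map(str, info['version']))} -> {state}")
```

Run it on each DB2 host as the instance owner (`db2level` only reports the instance it is invoked from); the two constructed samples show the expected decision for a pre-FP9 and an FP9 instance.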

The specifics of the Security APARs incorporated into the above DB2
fix packs can be found in the following table:

Security APARs (fixed in FP9)

APAR     ABSTRACT
IC76899  SECURITY: REMOTE DENIAL OF SERVICE OF DB2 SERVER.
IC79970  SECURITY: DB2 ESCALATION OF PRIVILEGE VULNERABILITY.
IC80728  SECURITY: Remote Escalation of Privilege Vulnerability in DAS.
IC81379  Security: Denial of Service Security Vulnerability in DB2's XML
         Feature.
IC81387  SECURITY: UNAUTHORIZED ACCESS TO TABLES.

In addition to the Security APARs, here is a list of HIPER APARs
included in these fix packs of which you should be aware.


HIPER APARs (fixed in FP9)

APAR     ABSTRACT
IC77340  INCORRECT OUTPUT MIGHT BE RETURNED BY A QUERY WITH PARTITION
         ELIMINATION INVOLVING MULTIPLE COLUMNS AND NON-CONSTANT KEYS
IC77489  POSSIBLE INCORRECT RESULTS FROM A GROUP OF LEFT JOIN, INNER JOIN,
         AND COALESCE EXPRESSION IN AN ON PREDICATE
IC77565  CLI FUNCTIONS RETURN SQL_SUCCESS EVEN WHEN
         SQL_ATTR_INSERT_BUFFERING=SQL_ATTR_INSERT_BUFFERING_IGD AND INSERT
         COMMAND FAILS
IC81062  With file system caching enabled, system outage might result in
         corruption during LOB, REORG, or LOAD processing
IZ19001  INSERT, UPDATE, or DELETE might not be fully processed
         (data loss) when following a CALL statement


Special Attention APARs (fixed in FP9)

APAR     ABSTRACT
IC81458  WITH FILE SYSTEM CACHING ENABLED, SYSTEM OUTAGE DURING LOAD
         PROCESSING MIGHT RESULT IN CORRUPTION
IC81495  QUERIES WITH LIKE OPERATORS MIGHT RETURN INCORRECT RESULTS DUE
         TO AN INVALID HIGHEST PADDING CHARACTER


DB2 fix packs for all supported versions can be downloaded at the
following site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely
fixes for newly discovered issues along with information that helps our
customers to decide on an appropriate course of action. The DB2 team
regrets the inconvenience that these issues are causing to you, our
customers. We believe that our actions are the most prudent steps to
address your concerns and remain open to suggestions on how to further
improve our processes.


My Notifications
Sign up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications.
2. Select the Subscribe tab.
3. Select "Information Management" from the Software column.
4. Select the check box for "DB2 9 for Linux, UNIX and Windows" and
   click the Continue button.
5. Select the check box for "Flashes" and all other document types and
   click the Submit button.



Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web
at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.


Document information

DB2 for Linux, UNIX and Windows
Software version:    9.5
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #:         1586193
Modified date:       2012-03-06


======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
