Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0884
Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2
for Linux, UNIX, and Windows Version 10.1
14 September 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: DB2 Enterprise Server Edition
DB2 Workgroup Server (all Editions)
DB2 Express Server (all Editions)
DB2 Personal Edition
DB2 Connect Server (all Editions)
Publisher: IBM
Operating System: Linux variants
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Unknown/Unspecified
Unauthorised Access -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3324 CVE-2012-2197 CVE-2012-2196
CVE-2012-2194
Reference: ESB-2012.0678
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21610582
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 10.1
Flash (Alert)
Document information
DB2 for Linux, UNIX and Windows
Software version:
10.1
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Reference #:
1610582
Modified date:
2012-09-13
Abstract
This document contains a list of fixes for Security and HIPER APARs in DB2
Version 10.1.
IBM recommends that you review the APAR descriptions and deploy one of the
above fix packs to correct them on your affected DB2 installations.
Content
A set of security vulnerabilities was discovered in some DB2 database products.
These vulnerabilities were analyzed by the DB2 development organization and a
set of corresponding fixes was created to address the reported issues. IBM is
not currently aware of any externally reported incidents where production DB2
installations have been compromised due to these issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:
DB2 Enterprise Server Edition
DB2 Workgroup Server (all Editions)
DB2 Express Server (all Editions)
DB2 Personal Edition
DB2 Connect Server (all Editions)
DB2 Client component and DB2 products or components other than those listed
above are not affected.
Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2 Version
10.1 fix packs.
DB2 Version 10.1 Fix Pack 1
Security APARs
IC84716 SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY
(CVE-2012-2194).
IC84751 SECURITY: GET_WRAP_CFG_C AND GET_WRAP_CFG_C2 ALLOWS
UNAUTHORIZED ACCESS XML FILES (CVE-2012-2196).
IC84755 SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED
PROCEDURE INFRASTRUCTURE (CVE-2012-2197).
IC85513 SECURITY: UTL_FILE could allow unauthorized access to files
(CVE-2012-3324).
HIPER APARs
IC83823 WITH REOPT ENABLED, STATEMENTS CONTAINING ARRAY OR ROW
VARIABLES MIGHT PRODUCE INCORRECT OUTPUT
Special Attention APARs
IC83469 INCORRECT RESULTS AFTER LOAD INTO TABLE WITH CONSTRAINTS
FOLLOWED BY ATTACH OR DETACH
IC84856 INDEX CORRUPTION MAY BE INTRODUCED DURING A DATABASE UPGRADE
FROM DB2 VERSION 9.5 TO DB2 VERSION 10.1
IC84899 DATABASE OPERATIONS MIGHT FAIL WITH "KEY DATA MISMATCH" ERRORS,
OR ROWS THAT EXIST IN THE DATABASE CANNOT BE FOUND
IC85221 SQL WITH NESTED MATH OPERATIONS ON COLUMNS THAT ARE DEFINED
WITH NOT NULL AND USING FUNCTIONS MAY RETURNED DIFFERENT RESULTS.
DB2 fix packs for all supported versions can be downloaded at the following
site: http://www.ibm.com/support/docview.wss?uid=swg27007053
The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and
remain open to suggestions on how to further improve our processes.
My Notifications
Sign-up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications
2. select Subscribe tab
3. select "Information Management" from the Software column
4. select the check box for "DB2 for Linux, UNIX and Windows"
click the Continue button.
5. select the check box for "Flashes" and all other document types
click the Submit button.
Cross reference information
Segment Information Management
Product DB2 Connect
Component
Platform
Version 10.1
Edition
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark information"
at www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUFLA4O4yVqjM2NGpAQKtcQ/+JrW5PVvs5Y2sCeNLdNJWImJni/5gd5zj
Iw9NpXCBQFfTWXCIGI/KXy5uPh2TwXrNY4KoJqi29kCynFaQOkEm5JoJKq8VBPwZ
imErCf9mxB+8/3PcjmioPlK1kJymdMlJq6692BEAQAGDDN28zd5IeiiOO2fW4AJt
6gH8j5OzMbwvAEvK6LWUAKcfkephcidQDTVt/MurOe8J78mjieGhzRyDSwk0eini
hdMKVh8x70XhZhB1dvbDjopB7Do/qcSwm2WR9xigf0Qo31cdy4tertQxMO7w6vqI
zxoFGAaAp0aFz848LmCUJ9Nnf6RS0JVbMQYYnPkfOmGFdpXRcxaV8Ny4exSUiYBt
ekUoL8sKtGNjDeu2nGbgfq5XHsYcXGgNZHimw7vzSkVdMZO9Zh2wohDwMdd63t8Z
qTfu2o0uWnToxbPMuyhZuVJ6r87gO/jAIagIeJfDTUItneMbBzAFHUai9tnNUouB
VJjnpMIOo5ECSS0sFPU1jzFdeuENtjxtUiwwJzjmKVofv7jlVfHA2gQQvprOajXY
Zlx0WpVMhBNGTMwjZ9FFF9Iay71IJ+TkyzrjXCytg0Qc2MHjTCzi4XtJPTAtWo5p
dbwMrmq6w8OhM1FwjTn4Clc5ixkpSb9tNxo1TgYdB2+4o2DBlgQR/+XCW9ZOQXIV
a1hdDwbyGYg=
=fJOv
-----END PGP SIGNATURE-----