14 September 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0884
  Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2
                  for Linux, UNIX, and Windows Version 10.1
                              14 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           DB2 Enterprise Server Edition
                   DB2 Workgroup Server (all Editions)
                   DB2 Express Server (all Editions)
                   DB2 Personal Edition
                   DB2 Connect Server (all Editions)
Publisher:         IBM
Operating System:  Linux variants
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service     -- Unknown/Unspecified
                   Unauthorised Access   -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3324 CVE-2012-2197 CVE-2012-2196 CVE-2012-2194
Reference:         ESB-2012.0678

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21610582

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 10.1

Flash (Alert)

Document information

DB2 for Linux, UNIX and Windows
Software version:    10.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #:         1610582
Modified date:       2012-09-13

Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2
Version 10.1. IBM recommends that you review the APAR descriptions and deploy
the fix pack listed below to correct them on your affected DB2 installations.

Content

A set of security vulnerabilities was discovered in some DB2 database
products. These vulnerabilities were analyzed by the DB2 development
organization and a set of corresponding fixes was created to address the
reported issues.
IBM is not currently aware of any externally reported incidents where
production DB2 installations have been compromised due to these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

   DB2 Enterprise Server Edition
   DB2 Workgroup Server (all Editions)
   DB2 Express Server (all Editions)
   DB2 Personal Edition
   DB2 Connect Server (all Editions)

The DB2 Client component and DB2 products or components other than those
listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2 Version
10.1 fix packs.

DB2 Version 10.1 Fix Pack 1

Security APARs

   IC84716  SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY
            (CVE-2012-2194).
   IC84751  SECURITY: GET_WRAP_CFG_C AND GET_WRAP_CFG_C2 ALLOWS UNAUTHORIZED
            ACCESS XML FILES (CVE-2012-2196).
   IC84755  SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED
            PROCEDURE INFRASTRUCTURE (CVE-2012-2197).
   IC85513  SECURITY: UTL_FILE could allow unauthorized access to files
            (CVE-2012-3324).

HIPER APARs

   IC83823  WITH REOPT ENABLED, STATEMENTS CONTAINING ARRAY OR ROW VARIABLES
            MIGHT PRODUCE INCORRECT OUTPUT

Special Attention APARs

   IC83469  INCORRECT RESULTS AFTER LOAD INTO TABLE WITH CONSTRAINTS FOLLOWED
            BY ATTACH OR DETACH
   IC84856  INDEX CORRUPTION MAY BE INTRODUCED DURING A DATABASE UPGRADE FROM
            DB2 VERSION 9.5 TO DB2 VERSION 10.1
   IC84899  DATABASE OPERATIONS MIGHT FAIL WITH "KEY DATA MISMATCH" ERRORS,
            OR ROWS THAT EXIST IN THE DATABASE CANNOT BE FOUND
   IC85221  SQL WITH NESTED MATH OPERATIONS ON COLUMNS THAT ARE DEFINED WITH
            NOT NULL AND USING FUNCTIONS MAY RETURNED DIFFERENT RESULTS.
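The check a practitioner wants after reading the fix list above is whether a given host is actually on DB2 Version 10.1 Fix Pack 1. The script below is an added example, not part of the bulletin and not IBM's tooling. It parses the output of IBM's db2level command and reports which of the four CVEs listed above are still open on that install. The "Informational tokens are ..." line format, the fallback that reads the fix pack from the fourth version component, and the sample outputs embedded for offline use are assumptions; the build identifiers in the samples are made up. Only the 10.1 release is assessed, because this bulletin says nothing about other releases (those are the subject of ESB-2012.0678).

```python
import re
import shutil
import subprocess

# CVEs the bulletin lists as fixed in DB2 Version 10.1 Fix Pack 1.
CVES_FIXED = ("CVE-2012-2194", "CVE-2012-2196", "CVE-2012-2197", "CVE-2012-3324")

# Minimum fix pack per (major, minor) release, from the bulletin.  Only 10.1
# is covered here; other releases are outside this bulletin's scope.
FIXED_IN = {(10, 1): 1}

# Constructed sample outputs of `db2level`.  The wording follows the tool's
# usual "Informational tokens are ..." line (an assumption, not text from the
# bulletin); the build identifiers are invented.
SAMPLE_FP0 = '''\
DB21085I  This instance or install (instance name, where applicable:
"db2inst1") uses "64" bits and DB2 code release "SQL10010" with level
identifier "0201010E".
Informational tokens are "DB2 v10.1.0.0", "s120403", "LINUXAMD64101", and Fix
Pack "0".
Product is installed at "/opt/ibm/db2/V10.1".
'''

SAMPLE_FP1 = '''\
Informational tokens are "DB2 v10.1.0.1", "s120802", "IP23361", and Fix Pack
"1".
'''

SAMPLE_97 = '''\
Informational tokens are "DB2 v9.7.0.6", "s120629", "IP23391", and Fix Pack
"6".
'''


def parse_db2level(output):
    """Return ((major, minor, mod, fp), fixpack) parsed from db2level text.

    The version token is "DB2 vA.B.C.D".  The Fix Pack token is often wrapped
    across lines by the tool, so any whitespace between its words is allowed.
    """
    m = re.search(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"', output)
    if m is None:
        raise ValueError("no DB2 version token found in db2level output")
    version = tuple(int(x) for x in m.groups())
    fp = re.search(r'Fix\s+Pack\s+"(\d+)"', output)
    # Assumption: the fourth version component tracks the fix pack number;
    # it is used only as a fallback when the explicit token is absent.
    fixpack = int(fp.group(1)) if fp else version[3]
    return version, fixpack


def assess(output):
    """Classify an install as 'fixed', 'vulnerable' or 'not-covered'."""
    version, fixpack = parse_db2level(output)
    release = version[:2]
    if release not in FIXED_IN:
        return "not-covered"
    return "fixed" if fixpack >= FIXED_IN[release] else "vulnerable"


def outstanding_cves(output):
    """CVEs from the bulletin still open on this install (empty when fixed)."""
    return list(CVES_FIXED) if assess(output) == "vulnerable" else []


if __name__ == "__main__":
    # On a real host run db2level as the instance owner; where DB2 is not
    # installed, fall back to the constructed sample so the script still runs.
    exe = shutil.which("db2level")
    if exe:
        text = subprocess.run([exe], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_FP0
    print(assess(text), outstanding_cves(text))
```

Run it on each DB2 host (or feed it saved db2level output collected by your inventory tooling) and treat "vulnerable" as a finding against the four CVEs above; "not-covered" means the host runs a release this bulletin does not assess, not that it is safe.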
DB2 fix packs for all supported versions can be downloaded at the following
site:

   http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and
remain open to suggestions on how to further improve our processes.

My Notifications

Sign up to receive e-mail notification of changes to this document.

   1. Sign in to My Notifications.
   2. Select the Subscribe tab.
   3. Select "Information Management" from the Software column.
   4. Select the check box for "DB2 for Linux, UNIX and Windows" and click
      the Continue button.
   5. Select the check box for "Flashes" and all other document types, then
      click the Submit button.

Cross reference information

   Segment                  Product       Component   Platform   Version   Edition
   Information Management   DB2 Connect                          10.1

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to email@example.com and we will
forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUFLA4O4yVqjM2NGpAQKtcQ/+JrW5PVvs5Y2sCeNLdNJWImJni/5gd5zj
Iw9NpXCBQFfTWXCIGI/KXy5uPh2TwXrNY4KoJqi29kCynFaQOkEm5JoJKq8VBPwZ
imErCf9mxB+8/3PcjmioPlK1kJymdMlJq6692BEAQAGDDN28zd5IeiiOO2fW4AJt
6gH8j5OzMbwvAEvK6LWUAKcfkephcidQDTVt/MurOe8J78mjieGhzRyDSwk0eini
hdMKVh8x70XhZhB1dvbDjopB7Do/qcSwm2WR9xigf0Qo31cdy4tertQxMO7w6vqI
zxoFGAaAp0aFz848LmCUJ9Nnf6RS0JVbMQYYnPkfOmGFdpXRcxaV8Ny4exSUiYBt
ekUoL8sKtGNjDeu2nGbgfq5XHsYcXGgNZHimw7vzSkVdMZO9Zh2wohDwMdd63t8Z
qTfu2o0uWnToxbPMuyhZuVJ6r87gO/jAIagIeJfDTUItneMbBzAFHUai9tnNUouB
VJjnpMIOo5ECSS0sFPU1jzFdeuENtjxtUiwwJzjmKVofv7jlVfHA2gQQvprOajXY
Zlx0WpVMhBNGTMwjZ9FFF9Iay71IJ+TkyzrjXCytg0Qc2MHjTCzi4XtJPTAtWo5p
dbwMrmq6w8OhM1FwjTn4Clc5ixkpSb9tNxo1TgYdB2+4o2DBlgQR/+XCW9ZOQXIV
a1hdDwbyGYg=
=fJOv
-----END PGP SIGNATURE-----