===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1005
     Security Vulnerabilities, HIPER and Special Attention APARs fixed
              in DB2 for Linux, UNIX, and Windows Version 9.7
                              19 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           DB2 Enterprise Server Edition
                   DB2 Workgroup Server (all Editions)
                   DB2 Express Server (all Editions)
                   DB2 Personal Edition
                   DB2 Connect Server (all Editions)
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   AIX
                   HP-UX
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4826 CVE-2012-2197 CVE-2012-2196
                   CVE-2012-2194 CVE-2010-0472 CVE-2010-0462
                   CVE-2009-3555

Reference:         ESB-2012.0884
                   ESB-2012.0678
                   ASB-2011.0031
                   ASB-2010.0132
                   ASB-2010.0112
                   ASB-2009.1143
                   ASB-2010.0033.2

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21450666

--------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 9.7

Flash (Alert)

Document information

DB2 for Linux, UNIX and Windows

Software version:     9.7
Operating system(s):  AIX, HP-UX, Linux, Solaris, Windows
Reference #:          1450666
Modified date:        2012-10-18

Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2
Version 9.7. IBM® recommends that you review the APAR descriptions and deploy
one of the above fix packs to correct them on your affected DB2 installations.

Content

A set of security vulnerabilities was discovered in some DB2 database
products. These vulnerabilities were analyzed by the DB2 development
organization and a set of corresponding fixes was created to address the
reported issues.

IBM is not currently aware of any externally reported incidents where
production DB2 installations have been compromised due to these issues.

The affected DB2 for Linux, UNIX, and Windows products are:

  DB2 Enterprise Server Edition
  DB2 Workgroup Server (all Editions)
  DB2 Express Server (all Editions)
  DB2 Personal Edition
  DB2 Connect Server (all Editions)

DB2 Client component and DB2 products or components other than those listed
above are not affected.

Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2
Version 9.7 fix packs.

DB2 Version 9.7 Fix Pack 7

Security APARs

IC84714  SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY (CVE-2012-2194).
IC84748  SECURITY: GET_WRAP_CFG_C AND GET_WRAP_CFG_C2 ALLOWS UNAUTHORIZED ACCESS XML FILES (CVE-2012-2196).
IC84753  SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED PROCEDURE INFRASTRUCTURE (CVE-2012-2197).
IC86781  SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN SQL/PERSISTENT STORED MODULES DEBUGGING INFRASTRUCTURE (CVE-2012-4826).

HIPER APARs

IC83578  XQUERY MIGHT RETURN INCORRECT RESULTS WHEN BOTH 'AND' AND 'OR' PREDICATES EXIST AND ALL PREDICATES CAN BE APPLIED TO XML INDEXES
IC83976  WITH REOPT ENABLED, STATEMENTS CONTAINING ARRAY OR ROW VARIABLES MIGHT PRODUCE INCORRECT OUTPUT

Special Attention APARs

IC83608  SQL WITH NESTED MATH OPERATIONS ON COLUMNS THAT ARE DEFINED WITH NOT NULL AND USING FUNCTIONS MAY RETURNED DIFFERENT RESULTS.
IC84764  INDEX CORRUPTION MAY BE INTRODUCED DURING A DATABASE UPGRADE TO DB2 VERSION 9.7
IC85196  CREATING A UNIQUE GLOBAL INDEX ON A TABLE WITH DETACHED PARTITION AND DEPENDANT MQT MIGHT LEAD TO INCORRECT RESULT AFTER REFRESH
IC85422  QUERY WITH A UNION AND TWO CORRELATED BRANCHES MIGHT RETURN INCORRECT RESULTS IN PARTITIONED DATABASE ENVIRONMENTS
IC85433  BATCH INSERTS CAUSING DUPLICATE ROWS WHEN USING NULLIDRA (REOPT=ALWAYS) VS. NULLIDR1 (REOPT=ONCE)

DB2 Version 9.7 Fix Pack 6

Security APARs

IC79274  SECURITY: DB2 ESCALATION OF PRIVILEGE VULNERABILITY
IC80729  SECURITY: REMOTE ESCALATION OF PRIVILEGE VULNERABILITY IN DAS.
IC81380  SECURITY: DENIAL OF SERVICE SECURITY VULNERABILITY IN DB2'S XML FEATURE.
IC81390  SECURITY: UNAUTHORIZED ACCESS TO TABLES
IC81462  SECURITY: UNAUTHORIZED ACCESS TO XML FILES IN DB2'S XML FEATURE
IC82234  SECURITY: DB2 DENIAL OF SERVICE VULNERABILITY IN THE DRDA COMPONENT.

HIPER APARs

IC81066  WITH FILE SYSTEM CACHING ENABLED, SYSTEM OUTAGE MIGHT RESULT IN CORRUPTION DURING LOB OR REORG PROCESSING
IC82403  CRASH RECOVERY OR ROLL FORWARD OPERATION MIGHT FAIL WHEN CERTAIN LOG RECORDS ARE REPLAYED ON A TABLE WITH COMPRESSION ENABLED

Special Attention APARs

IC79727  QUERIES WITH LIKE OPERATORS MIGHT RETURN INCORRECT RESULTS DUE TO AN INVALID HIGHEST PADDING CHARACTER
IC80394  CHANCES OF MEMORY LEAK INTRODUCED IN VERSION 9.7 FIX PACK 5
IC80456  LIKE CLAUSES MIGHT RETURN INCORRECT RESULTS FOR COLUMNS WITH VARCHAR DATA TYPE IN UNICODE DATABASES
IC81388  FAILED ONLINE LOAD WITH INDEX REBUILD CAN LEAD TO MISMATCH BETWEEN TABLE AND INDEX
IC81466  WITH FILE SYSTEM CACHING ENABLED, SYSTEM OUTAGE DURING LOAD PROCESSING MIGHT RESULT IN CORRUPTION
IC82348  DATABASE CAN BE MARKED BAD DURING RECOVERY OR HADR REPLAY WHEN XML DATA IS IN THE TABLE
IC82921  INCORRECT RESULTS AFTER LOADING A TABLE WITH CONSTRAINTS FOLLOWED BY RUNNING ALTER TABLE STATEMENT WITH ATTACH OR DETACH OPTIONS

DB2 Version 9.7 Fix Pack 5

Security APARs

IC70473  SECURITY: POTENTIAL TRAP WITH STMM ENABLED AND DATABASE_MEMORY SET TO AUTOMATIC
IC76901  SECURITY: REMOTE DENIAL OF SERVICE OF DB2 SERVER.

HIPER APARs

IC78251  ADMIN_MOVE_TABLE PROCEDURE RETURNS SQL0969N, SQL1188N or SQL0408N ERROR CODE
IC77502  TRANSACTION LOG CORRUPTION DUE TO ENTERING A TIMING HOLE UPON RECEIVING AN INTERRUPT DURING CRASH RECOVERY
IC77510  CLI FUNCTIONS RETURN SQL_SUCCESS EVEN WHEN SQL_ATTR_INSERT_BUFFERING = SQL_ATTR_INSERT_BUFFERING_IGD and INSERT COMMAND FAILS
IC77439  POSSIBLE INCORRECT RESULTS FROM A GROUP OF LEFT JOIN, INNER JOIN, AND COALESCE EXPRESSION IN AN ON PREDICATE
IC77337  INCORRECT OUTPUT MIGHT BE RETURNED BY A QUERY WITH PARTITION ELIMINATION INVOLVING MULTIPLE COLUMNS AND NON-CONSTANT KEYS
IC76792  BAD PAGE HEADER ENCOUNTERED BY PREFETCHER DURING ONLINE BACKUP ON LINUX PLATFORM. BACKUP IMAGE MAY BE CORRUPTED.
IC76679  INCORRECT RESULTS ARE RETURNED IF AN SQL QUERY CONTAINS RID(), RID_BIT() or ROWID
IC76116  INCORRECT RESULTS OBTAINED WHEN USING VARCHAR_FORMAT (TO_CHAR) TO CONVERT NUMERIC VALUES TO FORMATTED STRINGS

Special Attention APARs

IC76415  SQL30021 MESSAGE STATING 'MANAGER "0X1440" AT LEVEL "9" NOT SUPPORTED' IS RETURNED WHILE CONNECTING TO HOST VIA SEPARATE GATEWAY

DB2 Version 9.7 Fix Pack 4

Security APARs

IC72119  Users able to update statistics for tables without appropriate privileges
IC71375  SECURITY: User continues to have privilege to execute a non-DDL statement after role membership has been revoked from its group

HIPER APARs

IC75037  AFTER LOAD INSERT INTO MDC+RP (RANGE PARTITIONED) TABLE, SET INTEGRITY MAY SILENTLY FAIL TO VALIDATE ROWS AGAINST CONSTRAINTS
IC74244  NESTED-LOOP JOIN WITH EARLYOUT FOR GROUPBY CLAUSES, YIELDS INCORRECT RESULTS WHEN JOIN COLUMNS ARE OF DIFFERENT DATA TYPES
IC72698  INCORRECT RESULTS OR "SQL204N TABLE NOT FOUND" ERROR RETURNED WHEN SELECTING FROM VIEW.

Special Attention APARs

IC73163  HIGH MEMORY ALLOCATION WHILE PROCESSING TABLE QUEUE ( TQ ) SPILLS ON DPF SYSTEMS

DB2 Version 9.7 Fix Pack 3a

HIPER APARs

IC70959  INSERT OR UPDATE WITH INDEX COMPRESSION MAY CAUSE MEMORY CORRUPTION AND CRASH
IC69772  POTENTIAL CORRUPTION WHEN REPLAYING LOG RECORDS THAT INSERT KEYS INTO AN INDEX AND TRIGGER PAGE SPLITS

DB2 Version 9.7 Fix Pack 3

Security APARs

IC68015  SECURITY: FUNCTIONS ARE NOT INVALIDATED NOR DROPPED EVEN WHEN THE OWNER LOSES SUFFICIENT PRIVILEGE TO ACCESS UNDERLYING OBJECTS.
IC70406  SECURITY: UPDATE AGAINST A TABLE VIA A COMPOUND SQL (COMPILED) STATEMENT MAY BE EXECUTED BY USER WTHOUT REQUIRED PRIVILEGE
IC70539  SECURITY: REMOTE BUFFER OVERFLOW VULNERABILITY IN DB2 ADMINISTRATIVE SERVER
IC72029  SECURITY: DB2 DAS REMOTE CODE EXECUTION VULNERABILITY

HIPER APARs

IC71241  Possible incorrect result on recursive views which joins to a table on a unique column

Special Attention APARs

IC70482  OCCURRENCE OF INSTANCE CRASH WITH SIGNAL 11

DB2 Version 9.7 Fix Pack 2

Security APARs

IC67008  SECURITY: SYSTEM GRANTED PRIVILEGES NOT REGENERATED ON VIEWS WHEN AUTO_REVAL IS SET TO IMMEDIATE
IC67819  SECURITY: MONITOR ADMINISTRATIVE VIEWS IN SYSIBMADM SCHEMA ARE VIEWABLE BY PUBLIC.
IC63548  SECURITY APAR: MODIFIED SQL DATA table function is not dropped when definer loses required privileges to maintain the objects.
IC65742  SECURITY: VULNERABILITY IN DB2STST.
IC65762  Security: DB2DART CAN OVERWRITE FILES OWNED BY THE NSTANCE OWNER.
IC65935  SECURITY: BUFFER OVERRUN IN REPEAT UDF (CVE-2010-0462)
IC68762  SECURITY: THE TIVOLI MONITORING AGENT (KUDDB2) FOR DB2 HAS DOS VULNERABILITY. (CVE-2010-0472)
IC66643  Security: Special group and user enumeration on Windows 2008 could trap the server.
IC68055  SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555
IC66815  SECURITY: User continues to have privilege to execute a non-DDL statement after their DBADM authority has been revoked.

HIPER APARs

IC66358  DELETE NOT REMOVING DATA FROM MDC TABLE.
IC65446  LOAD FROM CURSOR FROM A TABLE WITH LOB COLUMN IN DPF ENVIRONMENT MIGHT LOAD WRONG RESULTS IN THE TARGET TABLE LOB COLUMN
IC65328  In DB2 V9.7 FP1 ONLINE BACKUP MAY FAIL WITH SQL2048 RC = 5, ERROR RAISED IN SQLUBRESIZEBUFSPACE PROBE 472 or it may hang.
IC64864  DELETING DATA FROM MULTIDIMENSIONAL CLUSTERED (MDC) TABLES RETURNS INACCURATE RESULTS DUE TO DEFERRED ROLLOUT PROCESSING
IC62126  Multi-threaded non-Java application either crashes or has code page conversion issues such as truncation of data
IC64092  THE ROUND SQL FUNCTION CAN RETURN THE WRONG RESULT ON A DECFLOAT INPUT VALUES OF Infinity/-Infinity

DB2 Version 9.7 Fix Pack 1

Security APARs

IC64759  DASAUTO COMMAND CAN BE RUN BY NON-PRIVILEGED USERS
IC62502  Security: db2licm utility vulnerability
IC63525  SECURITY: Remote exploits of DB2 provided routines.
IC63302  Security: Manipulation of db2ra data stream of Load utility request can cause seg fault.
IC64852  SECURITY: SEQUENCE OR GLOBAL VARIABLE CAN BE USED WITHOUT THE APPROPRIATE PRIVILEGE
IC63959  INCORRECT FILE PERMISSION AND AUTHORIZATION FOR HA SCRIPTS WHEN INSTALLED VIA V9.5.
IC64325  In a rare case, calling a SQL stored procedure could cause the DB2 server to trap
IC64853  VISIBILITY OF PASSWORDS IN SET ENCRYPTION PASSWORD STATEMENT AS SEEN VIA GET SNAPSHOT DYNAMIC SQL
IC68055  SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555
         Security: DB2 instance terminates abnormally while compiling a SQL query

HIPER APARs

IC61886  VERSION 9.7 DATABASE UPGRADE MAY CREATE A CORRUPTED LOG CONTROL FILE
IC62219  DYNAMIC SQL STATEMENTS WITH HOST VARIABLES, USING A REOPT ALWAYS OPTIMIZER GUIDELINE, MAY RETURN WRONG RESULTS
IC62771  INDEX COMPRESSION CAN RESULT IN A CORRUPTED INDEX
IC64066  Incorrect result with multiple IN list to join (GENROW) plans via transivity on SMP and MPP environment
IC62088  LOAD UTILITY MAY MARK A ROW BIT INCORRECTLY CAUSING INDEX SCAN TO RETURN INCORRECT RESULTS
IC63415  OUTER JOIN OPERATION MAY RETURN INCORRECT RESULTS WITH A PREDICATE WITH A SUBQUERY RETURNING NOT MORE THAN ONE ROW
IC63668  INCORRECT RESULTS WHEN ORDERED COLUMN GROUP OR PREDICATE CAN BE USED AS INDEX KEYS
IC64767  ALTER BUFFERPOOL REDUCE OR STMM MAY HANG IF SET WRITE SUSPEND HAD BEEN ISSUED
IC64541  SQLSETSTMTATTRW(SQL_ATTR_CHAINING_END) RETURNS 0, EVEN WHEN ONE OF THE PREVIOUS CHAINED STATEMENTS FAILED
IC64462  UPDATE/DELETE OPERATION FROM A TABLE AFTER ONLINE TABLE MOVE CAUSES DB2 TO CRASH

DB2 fix packs for all supported versions can be downloaded at the following
site:

http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers
to decide on an appropriate course of action.

The DB2 team regrets the inconvenience that these issues are causing to you,
our customers. We believe that our actions are the most prudent steps to
address your concerns and remain open to suggestions on how to further
improve our processes.

My Notifications

Sign up to receive e-mail notification of changes to this document.

1. Sign in to My Notifications.
2. Select the Subscribe tab.
3. Select "Information Management" from the Software column.
4. Select the check box for "DB2 for Linux, UNIX and Windows", then click the
   Continue button.
5. Select the check box for "Flashes" and all other document types, then
   click the Submit button.

For more information about My Notifications, please click on the Benefits
and features or take a guided tour of My Notifications.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list
of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================