===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1490
                     IBM DB2 Multiple Vulnerabilities
                             2 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   HP-UX
                   Solaris
                   Windows
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Access Privileged Data          -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3094 CVE-2014-4805 CVE-2014-3095
                   CVE-2013-6371  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21681631
   http://www.ibm.com/support/docview.wss?uid=swg21681723
   http://www.ibm.com/support/docview.wss?uid=swg21681623
   http://www.ibm.com/support/docview.wss?uid=swg21682215

Comment: This bulletin contains four (4) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM DB2 LUW contains a denial of service vulnerability in 
ALTER MODULE statement handling. (CVE-2014-3094)

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
9.7, 9.8, 10.1, 10.5

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, 
Express, Express-C, Personal, Workgroup Server

Reference #:
1681631

Modified date:
2014-08-29

Security Bulletin

Summary

IBM DB2 is vulnerable to a stack buffer overflow, caused by improper bounds 
checking in the handling of the ALTER MODULE statement.

Vulnerability Details

CVE ID: CVE-2014-3094

DESCRIPTION:

DB2 is vulnerable to a stack buffer overflow attack, caused by improper bounds
checking in the handling of ALTER MODULE statements. A remote, authenticated 
user could overflow a buffer and execute arbitrary code with DB2 instance 
owner privileges or cause the server to crash.

CVSS:

CVSS Base Score: 8.5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94260 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Affected Products and Versions

All fix pack levels for IBM DB2 V9.7, V10.1 and V10.5 editions listed below 
and running on AIX, Linux, HP, Solaris or Windows are affected.

IBM DB2 Express Edition

IBM DB2 Workgroup Server Edition

IBM DB2 Enterprise Server Edition

IBM DB2 Advanced Enterprise Server Edition

IBM DB2 Advanced Workgroup Server Edition

IBM DB2 Connect(TM) Application Server Edition

IBM DB2 Connect(TM) Enterprise Edition

IBM DB2 Connect(TM) Unlimited Edition for System i

IBM DB2 Connect(TM) Unlimited Edition for System z

The DB2 Connect products mentioned are affected only if a local database has 
been created.

IBM DB2 pureScale(TM) Feature for Enterprise Server Edition, V9.8, running on
AIX or Linux is affected.

Note: DB2 V9.5 is not affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this 
vulnerability.

FIX:

The fix for DB2 and DB2 Connect V10.5 is in V10.5 FP4, available for download
from Fix Central.

Customers running any vulnerable fixpack level of an affected Program, V9.7, 
V9.8, or V10.1 can contact support to obtain a special build containing an 
interim fix for this issue. These special builds are available based on the 
most recent fixpack level for each impacted release: DB2 V9.7 FP9a, DB2 V9.8 
FP5 or DB2 v10.1 FP4. They can be applied to any affected fixpack level of the
appropriate release to remediate this vulnerability. Additionally fixes based
on DB2 V9.7 FP9 or DB2 V10.1 FP3a will be made available on request.

Refer to the following chart to determine how to proceed to obtain a needed 
fixpack or special build.

Release  Fixed in fix pack  APAR     Download URL
-------  -----------------  -------  ------------
V9.7     TBD                IT02592  Please contact technical support.
V9.8     TBD                IT02594  Please contact technical support.
V10.1    TBD                IT02593  Please contact technical support.
V10.5    FP4                IT02291  http://www.ibm.com/support/docview.wss?uid=swg24038261

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV

View the support contacts for other countries outside of the United States.

Electronically open a Service Request with DB2 Technical Support.

Note: IBM's statements regarding its plans, directions, and intent are subject
to change or withdrawal without notice at IBM's sole discretion. Information 
regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision. The
information mentioned regarding potential future products is not a commitment,
promise, or legal obligation to deliver any material, code or functionality. 
Information about potential future products may not be incorporated into any 
contract. The development, release, and timing of any future features or 
functionality described for our products remains at our sole discretion.

Workarounds and Mitigations

None

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

August 28, 2014: Original Version Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

------------------------------------------------------------------------------

Security Bulletin: Unauthorized Access to user data vulnerability in DB2 
during certain LOAD operations (CVE-2014-4805)

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
10.5

Operating system(s):
AIX, Linux

Software edition:
Advanced Enterprise Server, Enterprise Server

Reference #:
1681723

Modified date:
2014-08-29

Security Bulletin

Summary

During certain LOAD operations into Columnar Data Engine (CDE) tables, a 
temporary file containing user data may be created at the DB2 server. As the 
file only exists for the duration of the LOAD operation and is automatically 
removed on completion (both success and error), the vulnerability exists only
temporarily.

Vulnerability Details

CVE ID: CVE-2014-4805

DESCRIPTION:

When running LOAD into a CDE table, depending on the input source of the LOAD 
command (more details on this below), DB2 will create a temporary file 
containing the user data being loaded. The temporary file only exists for the
duration of the LOAD command, and is automatically removed on completion (both 
success and error). Thus, the vulnerability exists only temporarily.

The DB2 LOAD operation creates a temporary file if the input source of the LOAD 
command into a CDE table is one of the following:

- PIPE

- remote fetch (LOAD from CURSOR from a remote database)

- sourceuserexit (LOAD option to start external program to generate and feed 
  data to LOAD)

- LOAD CLIENT

The temporary file is not created for the following sources:

- file

- LOAD from CURSOR, where CURSOR definition does not include DATABASE clause 
  (i.e. local database)

CVSS:

CVSS Base Score: 2.1

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95307 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

All fix pack levels for IBM DB2 V10.5 editions running on AIX and Linux are 
affected.

IBM DB2 Enterprise Server Edition

IBM DB2 Advanced Enterprise Server Edition

The vulnerability is not applicable to DB2 releases before V10.5.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this 
vulnerability.

FIX:

The fix for DB2 and DB2 Connect release V10.5 is in V10.5 FP4, available for 
download from Fix Central.

Download the fix pack from the following:

Release  Fixed in fix pack  APAR     Download URL
-------  -----------------  -------  ------------
V10.5    FP4                IT03761  http://www.ibm.com/support/docview.wss?uid=swg24038261

Workarounds and Mitigations

The recommended workaround is: do not use the above mentioned input sources 
(i.e. PIPE, remote fetch, sourceuserexit, LOAD CLIENT) for the LOAD command into
CDE tables.

Alternatively, customers who perform LOAD into CDE tables via the input
sources mentioned above should ensure that no other users share the instance 
owner's group. That is, the instance owner group should contain only one user 
ID, the instance owner ID.
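
One way to check the alternative workaround above on a server (an added example, not part of the IBM or AusCERT text). It assumes accounts live in local passwd/group files, that "the instance owner's group" means the owner's primary group, and it uses constructed sample data with placeholder names (db2inst1, db2iadm1, etl, alice).

```python
# Added example: audit the CVE-2014-4805 workaround on a DB2 server.
# Assumes local passwd(5)/group(5) files; LDAP/NIS accounts are not seen.
import sys

# Constructed sample data (not from the bulletin); names are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
db2inst1:x:1001:1001::/home/db2inst1:/bin/bash
db2fenc1:x:1002:1002::/home/db2fenc1:/bin/bash
etl:x:1003:1001::/home/etl:/bin/bash
alice:x:1004:100::/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
db2iadm1:x:1001:db2inst1,alice
db2fadm1:x:1002:
"""

def _records(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields

def extra_group_members(passwd_text, group_text, instance_owner):
    """Return (group_name, other_users) for the owner's primary group.

    other_users lists every account besides the instance owner that is in
    the group, either as its primary group (passwd GID field) or as a
    supplementary member (group member list). An empty list means the
    workaround condition holds.
    """
    primary = {f[0]: f[3] for f in _records(passwd_text, 4)}
    if instance_owner not in primary:
        raise KeyError("instance owner %r not in passwd data" % instance_owner)
    gid = primary[instance_owner]

    group_name, members = None, set()
    for f in _records(group_text, 3):
        if f[2] == gid:
            group_name = f[0]
            listed = (f + [""])[3]  # member field may be absent
            members.update(m.strip() for m in listed.split(",") if m.strip())
    # Accounts whose primary GID is the instance group never appear in the
    # member list, so they must be collected from passwd separately.
    members.update(user for user, g in primary.items() if g == gid)
    members.discard(instance_owner)
    return group_name, sorted(members)

if __name__ == "__main__":
    owner = sys.argv[1] if len(sys.argv) > 1 else None
    if owner:
        with open("/etc/passwd") as p, open("/etc/group") as g:
            name, extra = extra_group_members(p.read(), g.read(), owner)
    else:  # no argument: run on the constructed sample
        owner = "db2inst1"
        name, extra = extra_group_members(SAMPLE_PASSWD, SAMPLE_GROUP, owner)
    print("group %s: %s" % (name, ", ".join(extra) or "only " + owner))
    sys.exit(1 if extra else 0)
```

Run with the instance owner's user name as the only argument to audit the local files; a non-zero exit status means other accounts share the group.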

Acknowledgement

None

Change History

August 28, 2014: Original Version Published

--------------------------------------------------------------------------------

Security Bulletin: IBM DB2 LUW contains a denial of service vulnerability 
using a SELECT statement with a subquery containing a UNION (CVE-2014-3095)

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
9.5, 9.7, 9.8, 10.1, 10.5

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server

Reference #:
1681623

Modified date:
2014-08-29

Security Bulletin

Summary

The IBM DB2 SQL engine contains a denial of service vulnerability that a 
malicious user could exploit to cause a disruption of service.

Vulnerability Details

CVE-ID: CVE-2014-3095

DESCRIPTION:

IBM DB2 contains a denial of service vulnerability. A remote, authenticated 
user could use a specially-crafted SELECT statement with a subquery containing
a UNION to crash the DB2 server and cause a disruption of service.

CVSS:

CVSS Base Score: 3.5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94263 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Affected Products and Versions

All fix pack levels for IBM DB2 V9.5, V9.7, V10.1 and V10.5 editions listed 
below and running on AIX, Linux, HP, Solaris or Windows are affected:

IBM DB2 Express Edition

IBM DB2 Workgroup Server Edition

IBM DB2 Enterprise Server Edition

IBM DB2 Advanced Enterprise Server Edition

IBM DB2 Advanced Workgroup Server Edition

IBM DB2 Connect(TM) Application Server Edition

IBM DB2 Connect(TM) Enterprise Edition

IBM DB2 Connect(TM) Unlimited Edition for System i

IBM DB2 Connect(TM) Unlimited Edition for System z

The DB2 Connect products mentioned are affected only if a local database has 
been created.

IBM DB2 pureScale(TM) Feature for Enterprise Server Edition, V9.8, running on
AIX or Linux is affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this 
vulnerability.

FIX:

The fix for DB2 and DB2 Connect V10.5 is in V10.5 FP4, available for download
from Fix Central.

Customers running any vulnerable fixpack level of an affected Program, V9.5, 
V9.7, V9.8, or V10.1 can contact support to obtain a special build containing
an interim fix for this issue. These special builds are available based on the
most recent fixpack level for each impacted release: DB2 V9.5 FP10, V9.7 FP9a,
DB2 V9.8 FP5 or DB2 v10.1 FP4. They can be applied to any affected fixpack 
level of the appropriate release to remediate this vulnerability. Additionally
fixes based on DB2 V9.5 FP9, V9.7 FP9 or DB2 V10.1 FP3a will be made available
on request.

Refer to the following chart to determine how to proceed to obtain a needed 
fixpack or special build.

Release  Fixed in fix pack  APAR     Download URL
-------  -----------------  -------  ------------
V9.5     TBD                IT02643  Please contact technical support.
V9.7     TBD                IT02645  Please contact technical support.
V9.8     TBD                IT02644  Please contact technical support.
V10.1    TBD                IT02646  Please contact technical support.
V10.5    FP4                IT02433  http://www.ibm.com/support/docview.wss?uid=swg24038261

Workarounds and Mitigations

None

Acknowledgement

None

Change History

August 28, 2014: Original Version Published

-----------------------------------------------------------------------------------

Security Bulletin: IBM DB2 LUW is affected by the JSON-C vulnerability 
(CVE-2013-6371)

Document information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
10.5

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server

Reference #:
1682215

Modified date:
2014-08-29

Security Bulletin

Summary

IBM DB2 LUW is affected by a denial of service vulnerability in JavaScript 
Object Notation (JSON-C), caused by an error in the hash function during 
string parsing. A remote, unauthorized user could exploit this vulnerability 
to consume all available CPU resources.

Vulnerability Details

CVE ID: CVE-2013-6371

DESCRIPTION:

DB2 is affected by a denial of service vulnerability in JSON-C, caused by an 
error in the hash function during string parsing. A remote, unauthorized user
could exploit this vulnerability to consume all available CPU resources.

JSON support is disabled by default at the DB2 server. If you do not use JSON
in DB2, you are not affected.

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92541 for more 
information

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM DB2 V10.5 editions listed below and running on AIX, Linux, HP, Solaris or
Windows are affected.

IBM DB2 Express Edition

IBM DB2 Workgroup Server Edition

IBM DB2 Enterprise Server Edition

IBM DB2 Advanced Enterprise Server Edition

IBM DB2 Advanced Workgroup Server Edition

IBM DB2 Connect(TM) Application Server Edition

IBM DB2 Connect(TM) Enterprise Edition

IBM DB2 Connect(TM) Unlimited Edition for System i

IBM DB2 Connect(TM) Unlimited Edition for System z

The DB2 Connect products mentioned are affected only if a local database has 
been created.

Note: JSON support was first introduced in DB2 V10.5 FP1 and hence DB2 V9.5, 
V9.7, V9.8 and V10.1 are not affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this 
vulnerability.

The fix for DB2 and DB2 Connect release V10.5 is in V10.5 FP4, available for 
download from Fix Central.

Download the fix pack from the following:

Release  Fixed in fix pack  APAR     Download URL
-------  -----------------  -------  ------------
V10.5    FP4                IT02201  http://www.ibm.com/support/docview.wss?uid=swg24038261

Workarounds and Mitigations

None

Acknowledgement

None

Change History

August 28, 2014: Original Version Published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================