Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.2386 Multiple vulnerabilities have been identified in IBM DB2 12 December 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM DB2 Publisher: IBM Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-6210 CVE-2014-6209 CVE-2014-3470 Reference: ASB-2014.0121 ASB-2014.0092 ASB-2014.0077 ASB-2014.0076 ASB-2014.0071 ESB-2014.0894.2 ESB-2014.0889 ESB-2014.0888 ESB-2014.0887 Original Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21681494 http://www-01.ibm.com/support/docview.wss?uid=swg21690891 http://www-01.ibm.com/support/docview.wss?uid=swg21690787 Comment: This bulletin contains three (3) IBM security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: IBM DB2 for LUW is affected by the OpenSSL vulnerability CVE-2014-3470 Security Bulletin Document information More support for: DB2 for Linux, UNIX and Windows Software version: 10.1, 10.5 Operating system(s): AIX, Linux Software edition: Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server Reference #: 1681494 Modified date: 2014-12-10 Summary Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. Vulnerability Details CVE-ID: CVE-2014-3470 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the implementation of anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base Score: 4.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93589 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Affected Products and Versions IBM DB2 Advanced Copy Services included in IBM DB2 and DB2 Connect V10.1 and V10.5 editions listed below and running on AIX and Linux are affected. IBM DB2 Express Edition IBM DB2 Workgroup Server Edition IBM DB2 Enterprise Server Edition IBM DB2 Connect Application Server Edition IBM DB2 Connect Application Server Advanced Edition IBM DB2 Connect Enterprise Edition IBM DB2 Connect Unlimited Edition for System i IBM DB2 Connect Unlimited Edition for System z IBM DB2 Connect Unlimited Advanced Edition for System z IBM DB2 10.1 pureScale Feature IBM DB2 10.5 Advanced Enterprise Server Edition IBM DB2 10.5 Advanced Workgroup Server Edition IBM DB2 10.5 Developer Edition for Linux, Unix and Windows NOTE: The DB2 Connect products mentioned are affected only if a local database has been created. Only users of DB2 Advanced Copy Services (snapshot backup) are affected by this vulnerability. IBM DB2 includes a restricted version of IBM Tivoli Flash Copy Manager (FCM v3.2). FCM v 3.2 is affected by this vulnerability. IBM DB2 Advanced Copy Services in conjunction with IBM Tivoli FCM 3.2, on all current fix packs of IBM DB2 V10.1 and V10.5, are affected. AIX installations of DB2 may have this package installed by default, though it may not be in use on the system. Remediation/Fixes The recommended solution is to apply the appropriate fix for this vulnerability. FIX: All DB2 users are recommended to remove the restricted version of IBM Tivoli Flash Copy Manager (FCM) v3.2 located in the ~/sqllib/acs folder to avoid accidental use in the future. If you use DB2 Advanced Copy Services (snapshot backup) with the restricted version of FCM included with DB2, then obtain the updated and remediated restricted version of FCM (v.4 1) from Passport Advantage. Note: The fix is only available for FCM v4.1. The updated package allow users to upgrade their restricted FCM v3.2 to restricted FCM v4.1. This updated FCM package is located with IBM DB2 v10.5 FP4 but is available to all DB2 customers. Package names: Linux: DB2ACS_4102_linuxx86_64.tar.gz AIX: DB2ACS_4102_aixpowerpc.tar.gz These packages can be used with both IBM DB2 v10.1 and IBM DB2 v10.5 on any fix pack. Remove the contents of the ~/sqllib/acs folder before installing the above packages. For installation instructions, please follow the documentation provided within the IBM DB2 information center: http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.1.0/com.ibm.db2.luw.admin.ha.doc/doc/c0053160.html An alternative to applying the restricted FCM v4.1 is to upgrade to a full version of FCM v4.1. Additional information on upgrading to IBM Tivoli Flash Copy Manager v4.1 can be found here. Workarounds and Mitigations None known References Complete CVSS Guide On-line Calculator V2 OpenSSL Project vulnerability website Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Acknowledgement None Change History December 8, 2014: Original Version Published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Cross reference information Segment Product Information Management DB2 Connect Information Management DB2 Connect Unlimited Edition - ------------------------------------------------------------------------------- Security Bulletin: IBM DB2 LUW contains a vulnerability in which multiple ALTER TABLE statements may cause the DB2 server to terminate abnormally. (CVE-2014-6210) Document information More support for: DB2 for Linux, UNIX and Windows Software version: 9.7, 9.8, 10.1, 10.5 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Software edition: Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server Reference #: 1690891 Modified date: 2014-12-11 Security Bulletin Summary IBM DB2 contains a vulnerability in which multiple ALTER TABLE statements may cause the DB2 server to terminate abnormally. Vulnerability Details CVE ID: CVE-2014-6210 DESCRIPTION: IBM DB2 contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing multiple ALTER TABLE statements on the same column. This may cause DB2 server to terminate abnormally. To exploit the vulnerability, the malicious user needs to have valid security credentials to connect to DB2 and the authorization associated with the authorization ID of the connection would need to match one of the authorization scenarios listed below. Note that these authorities or privileges could be obtained by membership in a group or by assignment of certain role. 1) CONTROL or ALTER privilege on a table The user would need either CONTROL or ALTER privilege on a table to execute the ALTER TABLE statement. Customer could consult the SYSCAT.TABAUTH table to determine the users, roles, and groups that have CONTROL privilege or ALTER privilege on a table. Furthermore, the owner of a table has implicit control privilege and the DBADM authority has implicit control privilege on all tables. Customer could look up owner of a table from the SYSCAT.TABLES table. 2) ALTERIN privilege on any schema that contains a table User with this privilege could execute ALTER TABLE statement on any table in the schema. Customer could consult the SYSCAT.SCHEMAAUTH table to check for users, roles, and groups with this privilege. Also, customer could check the SYSCAT.TABLES for existence of tables in the schema. 3) CREATETAB authority on a database and USAGE privilege on at least one table space With this authority, the user could create a table and then execute ALTER TABLE statement on that table. Customer could lookup the SYSCAT.DBAUTH table to find out users, roles, and groups with CREATETAB authority and check the SYSCAT.TBSPACEAUTH table for users, roles, and groups with USAGE privileges on table spaces. CVSS: CVSS Base Score: 6.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98685 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:C) Affected Products and Versions All fix pack levels of IBM DB2 V9.7, V10.1 and V10.5 editions listed below and running on AIX, Linux, HP, Solaris or Windows are affected. IBM DB2 Express Edition IBM DB2 Workgroup Server Edition IBM DB2 Enterprise Server Edition IBM DB2 Advanced Enterprise Server Edition IBM DB2 Advanced Workgroup Server Edition IBM DB2 Connect Application Server Edition IBM DB2 Connect Enterprise Edition IBM DB2 Connect Unlimited Edition for System i IBM DB2 Connect Unlimited Edition for System z The DB2 Connect products mentioned are affected only if a local database has been created. IBM DB2 pureScale Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected. Remediation/Fixes The recommended solution is to apply the appropriate fix for this vulnerability. FIX: The fix for DB2 and DB2 Connect V10.5 is in V10.5 FP5, available for download from Fix Central. Customers running any vulnerable fixpack level of an affected Program, V9.7, V9.8, or V10.1 can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP10, DB2 V9.8 FP5 or DB2 v10.1 FP4. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. Additionally fixes based on DB2 V9.7 FP9a or DB2 V10.1 FP3a will be made available on request. Refer to the folowing chart to determine how to proceed to obtain a needed fixpack or special build. Release Fixed in APAR Download URL fix pack V9.7 TBD IC96934 Please contact technical support. V9.8 TBD IT05651 Please contact technical support. V10.1 TBD IT05652 Please contact technical support. V10.5 FP5 IT04138 http://www-01.ibm.com/support/docview.wss?uid=swg24038828 Contact Technical Support: In the United States and Canada dial 1-800-IBM-SERV View the support contacts for other countries outside of the United States. Electronically open a Service Request with DB2 Technical Support. Note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Workarounds and Mitigations Execute REORG command after every ALTER TABLE statement. References Complete CVSS Guide On-line Calculator V2 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Acknowledgement None Change History December 11, 2014: Original Version Published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - ------------------------------------------------------------------------------- Security Bulletin: IBM DB2 LUW contains a vulnerability in which an ALTER TABLE statement on identity column may cause the DB2 server to terminate abnormally. (CVE-2014-6209) Document information More support for: DB2 for Linux, UNIX and Windows Software version: 9.5, 9.7, 9.8, 10.1, 10.5 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Software edition: Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server Reference #: 1690787 Modified date: 2014-12-11 Security Bulletin Summary IBM DB2 contains a denial of service vulnerability in which an ALTER TABLE statement on identity column may cause the DB2 server to terminate abnormally. Vulnerability Details CVE-ID: CVE-2014-6209 DESCRIPTION: IBM DB2 contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by executing a specially-crafted ALTER TABLE statement on an identity column . This may cause DB2 server to terminate abnormally. To exploit the vulnerability, the malicious user needs to have valid security credentials to connect to DB2 and the authorization associated with the authorization ID of the connection would need to match one of the authorization scenarios listed below. Note that these authorities or privileges could be obtained by membership in a group or by assignment of certain role. 1) CONTROL or ALTER privilege on a table The user would need either CONTROL or ALTER privilege on a table to execute the ALTER TABLE statement. Customer could consult the SYSCAT.TABAUTH table to determine the users, roles, and groups that have CONTROL privilege or ALTER privilege on a table. Furthermore, the owner of a table has implicit control privilege and the DBADM authority has implicit control privilege on all tables. Customer could look up owner of a table from the SYSCAT.TABLES table. 2) ALTERIN privilege on any schema that contains a table User with this privilege could execute ALTER TABLE statement on any table in the schema. Customer could consult the SYSCAT.SCHEMAAUTH table to check for users, roles, and groups with this privilege. Also, customer could check the SYSCAT.TABLES for existence of tables in the schema. 3) CREATETAB authority on a database and USAGE privilege on at least one table space With this authority, the user could create a table and then execute ALTER TABLE statement on that table. Customer could lookup the SYSCAT.DBAUTH table to find out users, roles, and groups with CREATETAB authority and check the SYSCAT.TBSPACEAUTH table for users, roles, and groups with USAGE privileges on table spaces. CVSS: CVSS Base Score: 6.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98684 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:C) Affected Products and Versions All fix pack levels of IBM DB2 V9.5, V9.7, V10.1 and V10.5 editions listed below and running on AIX, Linux, HP, Solaris or Windows are affected. IBM DB2 Express Edition IBM DB2 Workgroup Server Edition IBM DB2 Enterprise Server Edition IBM DB2 Advanced Enterprise Server Edition IBM DB2 Advanced Workgroup Server Edition IBM DB2 Connect Application Server Edition IBM DB2 Connect Enterprise Edition IBM DB2 Connect Unlimited Edition for System i IBM DB2 Connect Unlimited Edition for System z The DB2 Connect products mentioned are affected only if a local database has been created. IBM DB2 pureScale Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected. Remediation/Fixes The recommended solution is to apply the appropriate fix for this vulnerability. FIX: The fix for DB2 and DB2 Connect V10.5 is in V10.5 FP5, available for download from Fix Central. Customers running any vulnerable fixpack level of an affected Program, V9.5, V9.7, V9.8, or V10.1 can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.5 FP10, V9.7 FP10, DB2 V9.8 FP5 or DB2 v10.1 FP4. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. Additionally fixes based on DB2 V9.5 FP9, V9.7 FP9a or DB2 V10.1 FP3a will be made available on request. Refer to the folowing chart to determine how to proceed to obtain a needed fixpack or special build. Release Fixed in fix pack APAR Download URL V9.5 TBD IT05644 Please contact technical support. V9.7 TBD IT05645 Please contact technical support. V9.8 TBD IT05646 Please contact technical support. V10.1 TBD IT05647 Please contact technical support. V10.5 FP5 IT04786 http://www-01.ibm.com/support/docview.wss?uid=swg24038828 Contact Technical Support: In the United States and Canada dial 1-800-IBM-SERV View the support contacts for other countries outside of the United States. Electronically open a Service Request with DB2 Technical Support. Note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Workarounds and Mitigations None References Complete CVSS Guide On-line Calculator V2 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Acknowledgement None Change History December 11, 2014: Original Version Published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVIpsIxLndAQH1ShLAQJOqg//eBxULIeMjAa/TCC23U5D6pb2S2I2aZQ7 eDKBAQ6qztnD96yYFltEig68sKiILOp3G6gb8qSqduT8exnaCb0NSVEW6arj3Gdq NOutf4R45zZp4w5pyGRSUJNboXHT/+pTB0sLqspiOLIoYR+xeTvPV4QOBYnYGNb6 lUemiHgcIxVIg++w25zHFubFj4lTSPnkuGHEgVVgd7bEXO3F3z8GMXVu87IgMjym RgsjkX8O2kA12EGnFLS3vlj5btBKA+MrL45kGHYE3CC0ZJ8zoKwRgFMgX+5doUCy 7QaFuadw3J6fDbxVn7WO6WIKqyP6y885rubhVnIqFsHQ/PL9/P6ECL+lkgaSqvv1 67LKAajcZjtUoWquJCI6dXuL4QzYnImcSno7pL4pPlgAncQukaK4hqmMl9wVMr8S 9qIldOo+NMQ03cIeDnFhD6ZNcCDlbcN579FbG7mr3SJ8GSVPwbfljxvA2Dypy/pe FfxL+YOZh5rnCArbJY4/RCoY6j6DZYZKng88VLz4BOAI275MK4ITF4/5dycLV61I bQujZpsmJXV0zQZ2BzT0t3/NBf3+gRyZOltUPzEYIIBksrJpkReY8Y/uxdaIBsqE 0c6qcgTQdZI3uYbJpyp/cK/qwI04CdVJpcDJ/qwTlkT9Wn0B92i/WkZyL7W5ovN4 uzuX9WHVIZI= =jrm3 -----END PGP SIGNATURE-----