-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2200
     FLASH: Security Bulletin: Multiple vulnerabilities affect IBM DB2
                             19 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
Impact/Access:     Root Compromise   -- Existing Account      
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5995 CVE-2016-4463 CVE-2016-2985
                   CVE-2016-2984 CVE-2016-0729 

Reference:         ESB-2016.1626
                   ESB-2016.0502

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21990061
   http://www.ibm.com/support/docview.wss?uid=swg21984685
   http://www.ibm.com/support/docview.wss?uid=swg21989842

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin:  Local escalation of privilege vulnerability in IBM DB2
(CVE-2016-5995).

Security Bulletin

Document information

More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.7, 10.1, 10.5, 11.1

Operating system(s):

AIX, HP-UX, Linux

Software edition:

Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #:

1990061

Modified date:

2016-09-15

Summary

A vulnerability in IBM DB2 for Linux, Unix and Windows could allow a local
user to gain elevated privilege.

Vulnerability Details

CVEID:

CVE-2016-5995

DESCRIPTION:

DB2 for Linux, Unix and Windows is vulnerable to a privilege escalation due
to loading libraries from insecure locations. A local user could place a
malicious library in a location that a SETGID or SETUID binary would execute
and gain root level access.

CVSS Base Score: 8.4

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116653
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The following IBM DB2 and DB2 Connect editions running on AIX, Linux and HP-UX
are vulnerable.

IBM DB2 Express Edition

IBM DB2 Workgroup Server Edition

IBM DB2 Enterprise Server Edition

IBM DB2 Connect Application Server Edition

IBM DB2 Connect Application Server Advanced Edition

IBM DB2 Connect Enterprise Edition

IBM DB2 Connect Unlimited Edition for System i

IBM DB2 Connect Unlimited Edition for System z

IBM DB2 Connect Unlimited Advanced Edition for System z

IBM DB2 10.5 Advanced Enterprise Server Edition

IBM DB2 10.5 Advanced Workgroup Server Edition

IBM DB2 10.5 Developer Edition for Linux, Unix and Windows

The IBM data server client and driver types are as follows:

IBM Data Server Driver Package

IBM Data Server Driver for ODBC and CLI

IBM Data Server Runtime Client

IBM Data Server Client

The following table details which DB2 release, fixpacks and platforms are
affected:

Release     Fixpacks     Platforms
V9.7        All          Linux Power
V10.1       All          Linux Power
V10.5       All          Linux Power
V10.5       FP7          All except Windows, Solaris SPARC and Solaris x86
V11.1       GA           Linux Power little endian and Linux System z

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

The fix for DB2 and DB2 Connect is in V10.5 FP8, available for download from
Fix Central.

Customers running any vulnerable fixpack level of an affected Program on V9.7,
V10.1 or V11.1 can download the special build containing the interim fix for
this issue from Fix Central. These special builds are based on the most recent
fixpack level for each impacted release: DB2 V9.7 FP11, DB2 V10.1 FP5 and DB2
V11.1 GA. They can be applied to any affected fixpack level of the
appropriate release to remediate this vulnerability.

Refer to the following chart to determine how to proceed to obtain a needed
fixpack or special build.

Release   Fixed in fix pack   APAR      Download URL
V9.7      TBD                 IT17010   Special Build for V9.7 FP11:
                                          Linux 64-bit, POWER
V10.1     TBD                 IT17011   Special Build for V10.1 FP5:
                                          Linux 64-bit, POWER
V10.5     FP8                 IT16921   http://www.ibm.com/support/docview.wss?uid=swg24042680
V11.1     TBD                 IT17012   Special Build for V11.1 GA:
                                          Linux 64-bit, System z, System z9 or zSeries
                                          Linux 64-bit, POWER little endian on Power System

Workarounds and Mitigations

The following remediation instructions will remove the vulnerability without
side-effects. The user executing the commands must be root and the
instructions must be repeated for each DB2 instance and in the DB2 install
directory.

The following example will use /home/db2inst1/sqllib as the DB2 instance
install directory. You should replace the sample directory with your DB2
instance install directory. Repeat the procedure with the DB2 install
directory which is under /opt/ibm/db2/<db2_release_name> or
/opt/IBM/db2/<db2_release_name>, depending on the platform.

The following commands fix the install component that exists on both the DB2
client and the DB2 server by removing the current-directory entry (".:") from
the embedded library search path of the SETUID/SETGID binary:

cd /home/db2inst1/sqllib

bin/db2chglibpath -s '\.:' -r '' adm/db2iclean
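The workaround above strips a relative "." entry from one binary's embedded library search path. The script below is an added example, not part of the IBM bulletin and not IBM's db2chglibpath tool: it is a defender's audit helper that reports any setuid/setgid binary whose ELF RPATH/RUNPATH still contains an empty or relative entry, which is the weakness class CVE-2016-5995 describes. Function names, the sample search path and the use of readelf (binutils, Linux ELF only; AIX XCOFF LIBPATH is not covered) are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper (not from the IBM bulletin, not IBM's db2chglibpath).
# Flags library search-path entries that let a setuid/setgid binary load a
# library from a directory the calling user may control (CVE-2016-5995 class).
# Function names and sample paths are invented for this example.

# insecure_rpath_entries RPATH
# Splits a colon-separated RPATH/RUNPATH string and prints every entry that is
# empty (the dynamic loader treats it as the current directory) or relative.
# Returns 0 when at least one insecure entry was found, 1 otherwise.
insecure_rpath_entries() {
    [ -n "$1" ] || return 1        # no embedded search path: nothing to flag
    found=1
    rest="$1:"                     # trailing ':' so the last field is processed
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            '')   echo '<empty>'; found=0 ;;   # "a::b" or a trailing ':' means cwd
            /*)   ;;                           # absolute path: acceptable here
            *)    echo "$entry"; found=0 ;;    # ".", "./lib", "lib", "../x"
        esac
    done
    return $found
}

# audit_setuid_rpaths DIR
# Linux-only sweep: finds setuid/setgid files under DIR and reports those whose
# ELF RPATH/RUNPATH contains an insecure entry. Needs readelf from binutils.
audit_setuid_rpaths() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        # readelf -d prints e.g. "0x...f (RPATH)  Library rpath: [/opt/x/lib:.]"
        rp=$(readelf -d "$bin" 2>/dev/null |
             sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\]$/\2/p' | head -n 1)
        [ -n "$rp" ] || continue
        if bad=$(insecure_rpath_entries "$rp"); then
            printf '%s: insecure search path entries: %s\n' \
                "$bin" "$(printf '%s' "$bad" | tr '\n' ' ')"
        fi
    done
}

# Constructed sample: a search path of the shape the bulletin's workaround
# repairs (leading ".:"); the directory is illustrative, not from the page.
sample='.:/home/db2inst1/sqllib/lib64:/usr/lib64'
if bad=$(insecure_rpath_entries "$sample"); then
    printf 'insecure entries in %s: %s\n' "$sample" "$bad"
fi
```

Running `audit_setuid_rpaths /home/db2inst1/sqllib` after applying the bulletin's workaround gives a quick confirmation that no setuid/setgid binary in the instance directory still searches the current directory first; the same sweep over the DB2 install directory covers the second location the bulletin asks you to repeat the procedure in.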

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

September 15, 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Vulnerability in XMLC affects IBM DB2 LUW (CVE-2016-0729,
CVE-2016-4463)

Security Bulletin

Document information

More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.7, 10.1, 10.5, 11.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Reference #:

1984685

Modified date:

2016-09-16

Summary

IBM DB2 for LUW bundles an XMLC library that is affected by CVE-2016-0729. A
remote, authenticated DB2 user could exploit this vulnerability by issuing a
specially crafted statement. This may cause the DB2 server to terminate
abnormally or execute arbitrary code.

Vulnerability Details

CVE-ID:

CVE-2016-0729

Description: Apache Xerces-C XML Parser library is vulnerable to a denial of
service, caused by improper bounds checking during processing and error
reporting. By sending specially crafted input documents, an attacker could
exploit this vulnerability to cause the library to crash or possibly execute
arbitrary code on the system.

CVSS Base Score: 7.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111028
for more information

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID:

CVE-2016-4463

Description: Apache Xerces-C XML Parser library is vulnerable to a denial of
service, caused by a stack-based buffer overflow when parsing a deeply nested
DTD. A remote attacker could exploit this vulnerability to cause a denial of
service.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114596
for more information

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

All fix pack levels of the IBM DB2 V9.7, V10.1, V10.5 and V11.1 editions listed
below, running on AIX, Linux, HP-UX, Solaris or Windows, are affected.

IBM DB2 Express Edition

IBM DB2 Workgroup Server Edition

IBM DB2 Enterprise Server Edition

IBM DB2 Advanced Enterprise Server Edition

IBM DB2 Advanced Workgroup Server Edition

IBM DB2 Direct Advanced Edition

IBM DB2 Direct Standard Edition

IBM DB2 Connect Application Server Edition

IBM DB2 Connect Enterprise Edition

IBM DB2 Connect Unlimited Edition for System i

IBM DB2 Connect Unlimited Edition for System z

The DB2 Connect products mentioned are affected only if a local database has
been created.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

The fix for DB2 and DB2 Connect release V10.5 is in V10.5 FP8, available for
download from Fix Central.

Customers running any vulnerable fixpack level of an affected Program on V9.7,
V10.1 or V11.1 can download the special build containing the interim fix for
this issue from Fix Central. These special builds are based on the most recent
fixpack level for each impacted release: DB2 V9.7 FP11, DB2 V10.1 FP5 and DB2
V11.1 GA. They can be applied to any affected fixpack level of the
appropriate release to remediate this vulnerability.

Refer to the following chart to determine how to proceed to obtain a needed
fixpack or special build.

Release   Fixed in fix pack   APAR      Download URL
V9.7      TBD                 IT15576   Special Build for V9.7 FP11:
                                          AIX 64-bit
                                          HP-UX 64-bit
                                          Linux 32-bit, x86-32
                                          Linux 64-bit, x86-64
                                          Linux 64-bit, POWER
                                          Linux 64-bit, System z, System z9 or zSeries
                                          Solaris 64-bit, SPARC
                                          Solaris 64-bit, x86-64
                                          Windows 32-bit, x86
                                          Windows 64-bit, x86
V10.1     TBD                 IT15577   Special Build for V10.1 FP5:
                                          AIX 64-bit
                                          HP-UX 64-bit
                                          Linux 32-bit, x86-32
                                          Linux 64-bit, x86-64
                                          Linux 64-bit, POWER
                                          Linux 64-bit, System z, System z9 or zSeries
                                          Solaris 64-bit, SPARC
                                          Solaris 64-bit, x86-64
                                          Windows 32-bit, x86
                                          Windows 64-bit, x86
V10.5     FP8                 IT15578   http://www.ibm.com/support/docview.wss?uid=swg24042680
V11.1     TBD                 IT15579   Special Build for V11.1 GA:
                                          AIX 64-bit
                                          Linux 64-bit, x86-64
                                          Linux 64-bit, System z, System z9 or zSeries
                                          Windows 64-bit, x86
                                          Linux 64-bit, POWER little endian on Power System

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

September 15, 2016: Original version published.

September 16, 2016: Previous V11.1 Windows 64-bit special build reported
wrong DB2 level. Entered new URL for corrected version.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: IBM DB2 LUW on AIX and Linux Affected by Multiple
Vulnerabilities in GPFS (CVE-2016-2984, CVE-2016-2985).

Security Bulletin

Document information

More support for:

DB2 for Linux, UNIX and Windows

pureScale

Software version:

10.1, 10.5, 11.1

Operating system(s):

AIX, Linux

Software edition:

Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Workgroup Server

Reference #:

1989842

Modified date:

2016-09-15

Summary

DB2 LUW is affected by multiple vulnerabilities in IBM General Parallel File
System (GPFS) Versions 3.5 and 4.1.1, which is used by the DB2 pureScale
Feature on AIX and Linux.

Vulnerability Details

CVEID:

CVE-2016-2984

DESCRIPTION:

A security vulnerability has been identified in IBM Spectrum Scale and IBM
GPFS that could allow a local attacker to execute commands as root by
supplying command line parameters to setuid programs.

CVSS Base Score: 7.4

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114000
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:

CVE-2016-2985

DESCRIPTION:

A security vulnerability has been identified in IBM Spectrum Scale and IBM
GPFS that could allow a local attacker to execute commands as root by setting
environment variables processed by setuid programs.

CVSS Base Score: 7.4

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114001
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All fix pack levels of the IBM DB2 V10.1, V10.5 and V11.1 editions listed below,
running on AIX and Linux, are affected, but only for customers who have the
DB2 pureScale Feature installed.

IBM DB2 Enterprise Server Edition

IBM DB2 Workgroup Server Edition

IBM DB2 Advanced Enterprise Server Edition

IBM DB2 Advanced Workgroup Server Edition

IBM DB2 Direct Advanced Edition

IBM DB2 Direct Standard Edition

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

The fix for DB2 release V10.5 is in V10.5 FP8, available for download from
Fix Central.

Customers running any vulnerable fixpack level of an affected Program on V10.1
or V11.1 can contact IBM technical support to obtain the GPFS eFix. Before
installing the GPFS eFix, the DB2 level might need to be upgraded to the
level that includes the supported GPFS level. Do not attempt to upgrade GPFS
by any other means. The table below lists the DB2 releases, the prerequisite
that needs to be installed first and the GPFS eFix to request from IBM
technical support.

DB2 Release   Prerequisite to install before the eFix   GPFS eFix to request from IBM technical support
11.1          None                                      4.1.1.4 efix 14
10.1          AIX 64-bit                                3.5.0.29 efix 8
              Linux 64-bit, x86-64

The GPFS eFix install instructions are available here:
http://www-01.ibm.com/support/docview.wss?uid=swg27048484

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV

View the support contacts for other countries outside of the United States.

Electronically open a Service Request with DB2 Technical Support.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

September 15, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----