-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2996
    Security Vulnerabilities, HIPER and Special Attention APARs fixed in
              DB2 for Linux, UNIX, and Windows Version 11.1
                              16 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5995 CVE-2016-2119 CVE-2016-0729

Reference:         ESB-2016.2802
                   ESB-2016.2421
                   ESB-2016.2361

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg21994955

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 11.1

Flash (Alert)

Document information

More support for: DB2 for Linux, UNIX and Windows
                  OTHER - Uncategorised

Software version:    11.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #:         1994955
Modified date:       15 December 2016

Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2
Version 11.1.

Content

A set of security vulnerabilities was discovered in some DB2 database
products. These vulnerabilities were analyzed by the DB2 development
organization and a set of corresponding fixes was created to address the
reported issues. IBM is not currently aware of any externally reported
incidents where production DB2 installations have been compromised due to
these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

  - DB2 Connect Server (all Editions)
  - DB2 Developer Edition
  - DB2 Enterprise Server (all Editions)
  - DB2 Express Server (all Editions)
  - DB2 Workgroup Server (all Editions)

The DB2 Client component, and DB2 products or components other than those
listed above, are not affected.

Due to the complexity of the fixes required to eliminate the reported
service issues, it is not feasible to retrofit the same fixes into earlier
DB2 Version 11.1 fix packs. The fixes below are delivered in DB2 Version 11.1
Fix Pack 1; installations at the 11.1 GA level need to move to Fix Pack 1 or
later.

DB2 Version 11.1 Fix Pack 1

Security APARs

  IT15579  SECURITY: DB2 IS AFFECTED BY OPEN SOURCE APACHE XERCES-C XML PARSER
           VULNERABILITIES (CVE-2016-0729)
  IT16324  SECURITY: DB2 PURESCALE AFFECTED BY MULTIPLE VULNERABILITIES IN GPFS
  IT17012  SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2016-5995)
  IT17530  SECURITY: DB2 PURESCALE AFFECTED BY A VULNERABILITY IN GPFS
           (CVE-2016-2119)

HIPER APARs

  IT16112  A CORRELATED SCALAR SUBQUERY IN AN UPDATE STATEMENT MAY NOT
           CORRECTLY RETURN SQL0811N
  IT16385  DB2 DATA SERVER CLIENT SILENT INSTALL FAILS WITH ERROR: PRODUCT:
           IBM DATA SERVER CLIENT - DB2COPY1 -- ERROR 1314
  IT16656  SQL0801 AND WRONG RESULTS FROM STDDEV_SAMP, VARIANCE_SAMP,
           COVARIANCE_SAMP WHEN USED IN AN OLAP SPECIFICATION
  IT16703  DB2 MAY RETURN INCORRECT RESULTS WHEN USING STRING EQUALITY
           PREDICATES CONTAINING DIFFERING CODE UNITS
  IT16869  SELECT ROW CHANGE TOKEN WILL RETURN WRONG RESULT WHEN USING RIDSCAN
           (ROW IDENTIFIER SCAN)
  IT16893  ONLINE BACKUP WITH COMPRESSION AND ENCRYPTION MAY CREATE A
           CORRUPTED BACKUP FILE
  IT17179  IF ARRAY USED IN AN OPEN CURSOR IS MODIFIED THEN WRONG RESULT OR A
           TRAP ARE POSSIBLE
  IT17452  WRONG RESULT IN STORED PROCEDURE QUERY WHEN ADD/DROP CHECK
           CONSTRAINT
  IT17458  IN DB2 DPF, POSSIBLE WRONG RESULT WHEN OUTER JOIN PREDICATE
           COL1=COL2 AND BOTH COLUMNS ARE FROM THE OUTER TABLE
  IT17489  SELECT AGAINST AN MDC TABLE WITH A RANGE PREDICATE IN SMP MIGHT
           RETURN A WRONG RESULT
  IT17556  INCORRECT RESULTS ARE POSSIBLE WHEN JOIN AGAINST CDE TABLES IS DONE
           AND AN UNDOCUMENTED JOIN SUPPORT REGISTRY VARIABLE SET
  IT17941  POSSIBLE WRONG RESULTS WHEN THE INPUT PARAMETERS OF AN INLINED SQL
           SCALAR UDF CONTAINS AN OLAP SPECIFICATION
  IV90269  QUERIES WITH MULTIPLE OLAP CLAUSES AND DISTINCT AGAINST COLUMN
           ORGANIZED TABLES COULD RETURN WRONG RESULTS
  IV90750  INCORRECT RESULTS ARE POSSIBLE WHEN MULTIPLE ROW_NUMBER(), INLINED
           SQL SCALAR UDF AND COLUMN ORGANIZED TABLES ARE PRESENT

DB2 fix packs for all supported versions can be downloaded at the following
site:

   http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers
to decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and
remain open to suggestions on how to further improve our processes.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWFN20Yx+lLeg9Ub1AQiF1Q//VRii3Kv5U9Nnpv3vieZdeQy4LmnPapPH
MOzAW+nVQwz5r++x/eNVJifRT+qJoM+WJEiy/cMIJAtso+YMHzumxaEmfRAZL9RM
E2TpRYtMTJwucEAaGORjXCg1D63TbVFzuKJqBbGPMfkB1MTgHZ5hxOFkGZF7bK7t
VLLvE+cYhMjsqFlJKAsDxRPc53SCh5bmHoK+Ywj75Ecs9ufT/ICetOJuW9XxpEwM
e7PhCU5VrFpBXGgXCbYs2Y9o+hetsYyYS7lHwkRNhCFfy2I2mVD6hNP0LqHShOum
L5r7HdjbimAlrObASSqJypJH3qQ80BZZIhghGD/0OUD6QPQWrKdMb1fvtOjXbvEm
YY49iPf8e7rwE5C00a6LrKi3zeha8eZgg7kegL5KDQJM4YpgDHyEpLoJWOKgcevl
qIUfLFCsSDWf42EfOrD4HiVjm55OX1D2BumgVJYywvneFtRYWB5Kc4hVc0asVGjr
tEZeNvS0olVMAFrWuhKg0hFpjeuU5sdIDwJxAu/THu7dpgs6RQi3Y4ynebeRb/2G
0kXMglYvBHGHxEyEgU0AEUMGOn5dkCJCojywPayLSC8X2w71BJyz3l8rrFF8lZUH
yLjkGx0iz+peMuharIUYp8xCPVshoW/7Vm8mIeOAC6frodOLUpQCvu5qzr3Z7zl9
mU2SpyPBclQ=
=lhx/
-----END PGP SIGNATURE-----
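Editor's added example (not part of the IBM document or the AusCERT redistribution above): a small triage script that turns the bulletin's "fixed in DB2 Version 11.1 Fix Pack 1" statement into a check an operator can run against the output of `db2level`. The `db2level` sample outputs embedded below are constructed for this example (their informational token values are illustrative; only the version and Fix Pack fields are used), and the function names and the assumed layout of the "Informational tokens" line are the editor's own assumptions rather than anything the bulletin states.

```python
"""Classify a DB2 installation against ESB-2016.2996 from `db2level` output.

Added example by the page editor, not code from IBM or AusCERT. It assumes
the `db2level` "Informational tokens" line has the shape shown in the
constructed samples below: DB2 v<version> ... and Fix Pack "<n>".
"""
import re
import subprocess

# Security APARs the bulletin lists as fixed in DB2 11.1 Fix Pack 1.
SECURITY_APARS_11_1_FP1 = {
    "IT15579": "CVE-2016-0729 (Apache Xerces-C XML parser)",
    "IT16324": "multiple GPFS vulnerabilities (pureScale only)",
    "IT17012": "CVE-2016-5995 (elevated privileges with DB2 executables)",
    "IT17530": "CVE-2016-2119 (GPFS, pureScale only)",
}

# Assumed layout of the db2level token line (see lead-in); lazy match skips
# the build and interim-fix tokens that sit between version and Fix Pack.
_TOKENS_RE = re.compile(
    r'Informational tokens are "DB2 v(?P<ver>\d+(?:\.\d+)*)".*?Fix Pack "(?P<fp>\d+)"',
    re.DOTALL,
)


def parse_db2level(output):
    """Return (version_tuple, fix_pack) parsed from db2level output, or None."""
    m = _TOKENS_RE.search(output)
    if m is None:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return version, int(m.group("fp"))


def classify(output):
    """Map db2level output to 'fixed', 'vulnerable', 'not-covered' or 'unknown'.

    The bulletin covers Version 11.1 only: an 11.1 install below Fix Pack 1
    lacks the four security APARs above. Other release trains need their own
    bulletin and are reported as 'not-covered' rather than guessed at.
    """
    parsed = parse_db2level(output)
    if parsed is None:
        return "unknown"
    version, fix_pack = parsed
    if version[:2] != (11, 1):
        return "not-covered"
    return "fixed" if fix_pack >= 1 else "vulnerable"


def missing_apars(output):
    """APAR ids from the bulletin that the install still lacks (empty if none)."""
    if classify(output) == "vulnerable":
        return sorted(SECURITY_APARS_11_1_FP1)
    return []


def classify_local_instance():
    """Run db2level in the current DB2 instance environment and classify it."""
    proc = subprocess.run(["db2level"], capture_output=True, text=True, check=False)
    return classify(proc.stdout)


# Constructed sample outputs (not captured from real systems).
SAMPLE_11_1_GA = (
    'DB21085I  This instance or install (instance name, where applicable: '
    '"db2inst1") uses "64" bits and DB2 code release "SQL11010" with level '
    'identifier "0201010F".\n'
    'Informational tokens are "DB2 v11.1.0.0", "s1606081100", '
    '"DYN1606081100AMD64", and Fix Pack "0".\n'
    'Product is installed at "/opt/ibm/db2/V11.1".\n'
)
SAMPLE_11_1_FP1 = SAMPLE_11_1_GA.replace("v11.1.0.0", "v11.1.1.1").replace('Fix Pack "0"', 'Fix Pack "1"')
SAMPLE_10_5_FP8 = SAMPLE_11_1_GA.replace("v11.1.0.0", "v10.5.0.8").replace('Fix Pack "0"', 'Fix Pack "8"')

if __name__ == "__main__":
    for name, sample in [("11.1 GA", SAMPLE_11_1_GA), ("11.1 FP1", SAMPLE_11_1_FP1),
                         ("10.5 FP8", SAMPLE_10_5_FP8)]:
        print(f"{name}: {classify(sample)} {missing_apars(sample)}")
```

Run `classify_local_instance()` as the instance owner so that `db2level` is on the PATH and reports the instance's code level. Two caveats from the bulletin itself: `db2level` does not say which product is installed, and the bulletin states the DB2 Client component is not affected, so a "vulnerable" result on a client-only install should be confirmed against the installed product (for example with `db2licm -l`) before it is treated as an exposure; and the GPFS APARs only matter for pureScale deployments.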