IBM Support

IC66099: Security: Special group and user enumeration on Windows 2008 could trap the server.

Fixes are available

DB2 Version 9.1 Fix Pack 10  for Linux, UNIX and Windows
DB2 Version 9.1 Fix Pack 11  for Linux, UNIX and Windows
DB2 Version 9.1 Fix Pack 12  for Linux, UNIX and Windows

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Special group and user enumeration operation on the DB2 server
or DB2 Administrator Server (DAS) could trap when running on
Windows 2008.

The group and user enumeration affected is not part of the
normal connect or database authorization checking processing.
The vulnerability requires a valid database connection to
exploit.

Local fix

  • Do not grant connection privilege to PUBLIC.  Grant connect to
trusted users, roles or groups, only.

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All on Windows 2008                                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* Special group and user enumeration operation on the DB2      *
* server or DB2 Administrator Server (DAS) could trap when     *
* running on Windows 2008. The group and user enumeration      *
* affected is not part of the normal connect or database       *
* authorization checking processing. The vulnerability         *
* requires a valid database connection to exploit.             *
****************************************************************
* RECOMMENDATION:                                              *
* Do not grant connection privilege to PUBLIC.  Grant connect  *
* to trusted users, roles or groups, only.                     *
****************************************************************

Problem conclusion

  • Fixed in v9.1 Fixpack 9

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IC66099
    • 

  • Reported component name
    DB2 FOR LUW
    • 

  • Reported component ID
    DB2FORLUW
    • 

  • Reported release
    910
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2010-02-04
    • 

  • Closed date
    2010-08-30
    • 

  • Last modified date
    2010-08-30
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
IC66642 IC66643
    

    • 



Fix information


    

  • Fixed component name
    DB2 FOR LUW
    • 

  • Fixed component ID
    DB2FORLUW
    • 



Applicable component levels


    

  • R910  PSN
       UP
    • 

  • R950  PSN
       UP
    • 

  • R970  PSN
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            30 August 2010
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback