Fixes are available
DB2 Version 9.7 Fix Pack 3 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 2 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 1 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 4 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 5 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 6 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 9a for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 8 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 10 for Linux, UNIX, and Windows
APAR status
Closed as program error.
Error description
A special group and user enumeration operation on the DB2 server or DB2 Administrator Server (DAS) could trap when running on Windows 2008. The affected group and user enumeration is not part of the normal connect or database authorization checking processing. The vulnerability requires a valid database connection to exploit.
Local fix
Do not grant the connection privilege to PUBLIC. Grant CONNECT only to trusted users, roles, or groups.
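One way to apply this local fix from the DB2 command line processor, shown as an added example that is not part of the original APAR text. The role name CONNECT_USERS, the user APPUSER1 and the group DBOPS are hypothetical, and the statements assume they are run while connected to the affected database by a user holding SECADM authority.

```sql
-- Added example: role, user and group names below are hypothetical.

-- 1. Audit: list every grantee that currently holds CONNECT on this database.
--    GRANTEETYPE is U (user), G (group) or R (role); PUBLIC appears as a group.
SELECT GRANTEE, GRANTEETYPE, GRANTOR
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y'
 ORDER BY GRANTEETYPE, GRANTEE;

-- 2. Grant CONNECT to trusted principals first, so that legitimate
--    applications keep working once PUBLIC loses the authority.
CREATE ROLE CONNECT_USERS;
GRANT CONNECT ON DATABASE TO ROLE CONNECT_USERS;
GRANT ROLE CONNECT_USERS TO USER APPUSER1;
GRANT ROLE CONNECT_USERS TO GROUP DBOPS;

-- 3. Remove the grant to PUBLIC. A database created without the
--    RESTRICTIVE option has CONNECT granted to PUBLIC by default.
REVOKE CONNECT ON DATABASE FROM PUBLIC;

-- 4. Verify: this query must return no rows.
SELECT GRANTEE
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND CONNECTAUTH = 'Y';
```

Repeat the audit in step 1 for each database on the instance, since CONNECT authority is held per database.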
Problem summary
USERS AFFECTED:
All users on Windows 2008

PROBLEM DESCRIPTION:
A special group and user enumeration operation on the DB2 server or DB2 Administrator Server (DAS) could trap when running on Windows 2008. The affected group and user enumeration is not part of the normal connect or database authorization checking processing. The vulnerability requires a valid database connection to exploit.

RECOMMENDATION:
Do not grant the connection privilege to PUBLIC. Grant CONNECT only to trusted users, roles, or groups.
Problem conclusion
Fixed in DB2 v9.7 Fixpack 2
Temporary fix
Comments
APAR Information
APAR number
IC66643
Reported component name
DB2 FOR LUW
Reported component ID
DB2FORLUW
Reported release
970
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-02-24
Closed date
2010-08-30
Last modified date
2010-08-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DB2 FOR LUW
Fixed component ID
DB2FORLUW
Applicable component levels
R910 PSN
UP
R950 PSN
UP
R970 PSN
UP
Document Information
Modified date:
16 September 2021