IBM Support

IC81387: SECURITY: UNAUTHORIZED ACCESS TO TABLES

Fixes are available

DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • There is a security vulnerability in DB2 servers which an
authenticated, malicious user to read data from a table for
which they do not have the authority to view.

To exploit this vulnerability, the user needs to have valid
security credentials, and CONNECT and CREATEIN privileges
to the database.

Local fix

  • This vulnerability can be mitigated by revoking the CONNECT and
CREATEIN privileges from PUBLIC.  You can revoke the CONNECT and
CREATEIN privileges from PUBLIC by issuing the following
statements: revoke

REVOKE CONNECT ON DATABASE FROM PUBLIC
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All DB2 systems on all Linux, Unix and Windows platforms at  *
* service levels from Version 9.5 GA through to Version 9.5    *
* Fix Pack 8.                                                  *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description.                                       *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to DB2 Version 9.5 Fix Pack 9 or see "Local Fix"     *
* portion for other suggestions.                               *
****************************************************************

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
9.5 Fix Pack 9 and all the subsequent Fix Packs.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IC81387
    • 

  • Reported component name
    DB2 FOR LUW
    • 

  • Reported component ID
    DB2FORLUW
    • 

  • Reported release
    950
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2012-02-13
    • 

  • Closed date
    2012-03-05
    • 

  • Last modified date
    2012-03-06
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
IC81390 IC81836
    

    • 



Fix information


    

  • Fixed component name
    DB2 FOR LUW
    • 

  • Fixed component ID
    DB2FORLUW
    • 



Applicable component levels


    

  • R950  PSN
       UP
    • 

  • R970  PSN
       UP
    • 

  • R980  PSN
       UP
    • 








      
          
                    

          

          [{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.5","Edition":""}]
          

                    

        
        

        

      


      


        

            

            
Document Information


            

            


                        

            Modified date:
            

            06 March 2012
            

            
            
          

        


        

        


      


    


  





    

  



  
    
      

      
Page Feedback