IBM Support

IC90397: SECURITY: MULTIPLE GSKIT VULNERABILITIES IN IBM DB2 (CVE-2012-2190, CVE-2012-2191, CVE-2012-2203, CVE-2013-0169).


APAR status

  • Closed as program error.

Error description

  • GSKit is an IBM product that is used by DB2 for SSL support.
    The GSKit that is shipped with DB2 contains multiple security
    vulnerabilities. By default, DB2 does not use SSL for
    client-server communication, and therefore DB2 is not vulnerable
    if SSL is not enabled.
    
    CVE ID:  CVE-2012-2190 and CVE-2012-2191
    
    Description:
    
    By sending specially-crafted Secure Sockets Layer (SSL) packets
    to the vulnerable DB2 server, a remote attacker could cause the
    DB2 server to trap.
    
    
    CVE ID:  CVE-2012-2203
    
    Description:
    
    A vulnerability in GSKit allows an attacker to insert an
    arbitrary root Certification Authority certificate into its key
    store.
    
    CVE ID: CVE-2013-0169
    
    Description:
    
    The Transport Layer Security protocol does not properly consider
    timing side-channel attacks, which allows remote attackers to
    conduct distinguishing attacks and plain-text recovery attacks
    via statistical analysis of timing data for crafted packets, aka
    the "Lucky Thirteen" issue.
    
    The attack does not require local network access, nor does it
    require authentication, but some degree of specialized knowledge
    and technique is required. An exploit may impact the
    confidentiality of information, but the integrity of data and the
    availability of the system would not be compromised.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 systems on all Linux, Unix and Windows platforms at  *
    * service levels Version 10.1 GA  through to Version 10.1 Fix  *
    * Pack 3.                                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 10.1 Fix Pack XX.                     *
    ****************************************************************
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IC90397

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    A10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-02-21

  • Closed date

    2014-06-02

  • Last modified date

    2014-06-02

  • APAR is sysrouted FROM one or more of the following:

    IC90385

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • RA10 PSN

       UP


Document Information

Modified date:
02 June 2014