Fixes are available
APAR status
Closed as program error.
Error description
DB2 server contain a security vulnerability which could allow an authenticated user to temporarily gain SELECT, INSERT, UPDATE or DELETE privileges on a table. To exploit the vulnerability, the user would need to have a valid security credential to connect to the database and EXPLAIN, SQLADM or DBADM authority. Under unspecified conditions, a user with the above authorities will be able to execute a DML statement such as SELECT, INSERT, UPDATE and DELETE on a table that they do not have authority for. Only DML statements are vulnerable. The following query will show which user has EXPLAIN / SQLADM / DBADM authority but no DATAACCESS authority: select substr(grantor,1,10) grantor , substr(grantee,1,20) grantee , granteetype, explainauth, dbadmauth, sqladmauth, dataaccessauth from SYSCAT.DBAUTH where dataaccessauth = 'N' and (explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y') GRANTOR GRANTEE GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH DATAACCESSAUTH ---------- -------------------- ----------- ----------- --------- ---------- -------------- MYSECADM BOB U Y N N N MYSECADM ROLE_DBADM R N Y N N MYSECADM ROLE_SQLADM R N N Y N MYSECADM ROLE_EXPLAIN R Y N N N MYSECADM ALEX U N Y N N MYSECADM JOHN U N N Y N
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All DB2 systems on all Linux, Unix and Windows platforms at * * service levels Version 9.7 GA through to Version 9.7 Fix * * Pack 8. * **************************************************************** * PROBLEM DESCRIPTION: * * See Error Description * **************************************************************** * RECOMMENDATION: * * Upgrade to DB2 Version 9.7 Fix Pack 9. * ****************************************************************
Problem conclusion
The complete fix for this problem first appears in DB2 Version 9.7 Fix Pack 9 and all the subsequent Fix Packs. Security Bulletin: Unauthorized Access to Table Vulnerability in DB2 (CVE-2013-4033) http://www-01.ibm.com/support/docview.wss?uid=swg21646809
Temporary fix
Comments
APAR Information
APAR number
IC94523
Reported component name
DB2 FOR LUW
Reported component ID
DB2FORLUW
Reported release
970
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-07-31
Closed date
2013-12-16
Last modified date
2013-12-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DB2 FOR LUW
Fixed component ID
DB2FORLUW
Applicable component levels
R970 PSN
UP
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Document Information
Modified date:
16 December 2013