IBM Support

IT06351: SECURITY: TLS padding vulnerability affects IBM© DB2© LUW (CVE-2014-8730)

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The TLS padding vulnerability could allow a remote attacker to
    obtain sensitive information, caused by the failure to check the
    contents of the padding bytes when using CBC cipher suites of
    some TLS implementations. A remote user with the ability to
    conduct a man-in-the-middle attack could exploit this
    vulnerability via a POODLE (Padding Oracle On Downgraded Legacy
    Encryption) like attack to decrypt sensitive information and
    calculate the plaintext of secure connections.
    
    Customers have Secure Sockets Layer (SSL) support enabled in
    their DB2 database system are affected. SSL support is not
    enabled in DB2 by default.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 systems on all Linux, Unix and Windows platforms at  *
    * service levels Version 10.5 GA  through to Version 10.5 Fix  *
    * Pack 5.                                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 10.5 Fix Pack 6.                      *
    * Refer to security bulletin for details:                      *
    * http://www-01.ibm.com/support/docview.wss?uid=swg21693011    *
    ****************************************************************
    

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
    10.5 Fix Pack 6 and all the subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT06351

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    A50

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-01-07

  • Closed date

    2015-08-27

  • Last modified date

    2015-08-27

  • APAR is sysrouted FROM one or more of the following:

    IT06317

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • RA50 PSN

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
27 August 2015