IBM Support

IT35305: SECURITY: IBM DB2 DB2FM IS VULNERABLE TO A BUFFER OVERFLOW (CVE-2020-5025)

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • IBM DB2 db2fm is vulnerable to a heap buffer overflow, caused by
    improper bounds checking which could allow an attacker to
    execute arbitrary code.
    See Security Bulletin for details.
    https://ibm.com/support/pages/node/6427855
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 systems on all Linux, Unix and Windows platforms at  *
    * service levels Version 11.1 GA  through to Version 11.1 Fix  *
    * Pack 5.                                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 11.1.4 Fix Pack 6 or higher. See      *
    * Security Bulletin for details.                               *
    ****************************************************************
    

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
    11.1.4.6 and all the subsequent Fix Packs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT35305

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    B10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-12-17

  • Closed date

    2021-03-09

  • Last modified date

    2021-03-10

  • APAR is sysrouted FROM one or more of the following:

    IT35303

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.1"}]

Document Information

Modified date:
11 March 2021