IBM Support

IZ37697: SECURITY: MALICIOUS CONNECT DATA STREAM CAN CAUSE DENIAL OF SERV ICE.

Fixes are available

DB2 Version 9.5 Fix Pack 3b for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 4  for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 4a for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 5 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 6a for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 8 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A malicious connect data stream can cause the DB2 server
to go into an infinite loop, incapacitating the server
.
This problem was reported to IBM by Dennis Yurichev.

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
All DB2 systems on all Linux, Unix and Windows platforms at
service levels from Version 9.5 GA through to Version 9.5 Fix
Pack 3.
****************************************************************
PROBLEM DESCRIPTION:
A malicious DRDA connect data stream can cause the DB2 server
to go into infinite loop, incapacitating the server.
.
This problem was reported to IBM by Dennis Yurichev.
****************************************************************
RECOMMENDATION:
Upgrade to DB2 V9.5 FP3a and above.
****************************************************************

    



Problem conclusion


    

  • The DB2 server will keep the machine busy and the overall
performance of the machine will degrade.
.
The complete fix for this problem first appears in DB2 Version
9.5 Fix Pack 3a and all the subsequent Fix Packs.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IZ37697
    • 

  • Reported component name
    DB2 UDB ESE AIX
    • 

  • Reported component ID
    5765F4100
    • 

  • Reported release
    950
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2008-11-17
    • 

  • Closed date
    2009-02-13
    • 

  • Last modified date
    2009-02-13
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
IZ36534
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    DB2 UDB ESE AIX
    • 

  • Fixed component ID
    5765F4100
    • 



Applicable component levels


    

  • R950  PSN
       UP
    • 








      
          
                    

          

          [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"950","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
          

                    

        
        

        

      


      


        

            

            
Document Information


            

            


                        

            Modified date:
            

            13 February 2009
            

            
            
          

        


        

        


      


    


  





    

  



  
    
      

      
Page Feedback