IBM Support

安全公告:IBM DB2 LUW 运行一个含有UNION子查询的SELECT语句时可能会暴露拒绝服务安全漏洞(CVE-2014-3095)

Created by Fu Fei Xu on
Published URL:
https://www.ibm.com/support/pages/node/252125
252125

Security Bulletin


Summary

IBM DB2 LUW engine 包含一个拒绝服务漏洞,恶意用户可以利用这个漏洞致使服务中断。

Vulnerability Details

安全漏洞CVE-ID: CVE-2014-3095


安全漏洞描述:

IBM DB2 包含一个拒绝服务安全漏洞。恶意用户可以通过一个经过验证的远程用户提交一个刻意编写的含有UNION子查询的SQL使得DB2 Sever宕机而中断服务。


通用漏洞评分系统(CVSS)信息:
CVSS 基本评分: 3.5
CVSS 时间评分: 参考链接https://exchange.xforce.ibmcloud.com/vulnerabilities/94263 获取当前评分
CVSS 环境评分*: 未定义

Affected Products and Versions

该安全漏洞影响到运行在系统AIX, Linux, HP, Solaris 和 Windows 上的IBM DB2 所有以下产品版本,包括 V9.5, V9.7, V10.1 and V10.5,包含所有补丁版本:

IBM® DB2® Express Edition
IBM® DB2® Workgroup Server Edition
IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition
IBM® DB2® Advanced Workgroup Server Edition
IBM® DB2® Connect™ Application Server Edition
IBM® DB2® Connect™ Enterprise Edition
IBM® DB2® Connect™ Unlimited Edition for System i®
IBM® DB2® Connect™ Unlimited Edition for System z®

DB2 Connect 产品只有在本地创建了数据库的环境才受影响。

ESE版本的PureScale系统只有运行在AIX和Linux操作系统的V9.8才受影响。

Remediation/Fixes


建议安装该漏洞的对应补丁。

补丁信息:

DB2 和 DB2 Connect V10.5的官方补丁V10.5 FP4已经可以从Fix Central 下载。

使用受影响的其它版本(V9.5, V9.7, V9.8, 或者 V10.1)产品的用户可以联系IBM技术支持开PMR获取相应的Special build. 这些Special build都是基于目前最新的FixPack版本:DB2 V9.5 FP10, V9.7 FP9a, DB2 V9.8 FP5 和 DB2 v10.1 FP4。基于DB2 V9.5 FP9, V9.7 FP9 或者 DB2 V10.1 FP3a 的Special build也可以通过开PMR获取。

请参照下面的表格获取相应的补丁或者Special Build:

版本补丁APAR下载 URL
V9.5暂无IT02643请联系IBM Support获取Special build。
V9.7暂无IT02645请联系IBM Support获取Special build。
V9.8暂无IT02644请联系IBM Support获取Special build。
V10.1暂无IT02646请联系IBM Support获取Special build。
V10.5 FP4IT02433http://www.ibm.com/support/docview.wss?uid=swg24038261

Workarounds and Mitigations

暂无。

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"OTHER - Uncategorised","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.8;9.7;9.5;10.1;10.5","Edition":"Advanced Enterprise Server;Advanced Workgroup Server;Enterprise Server;Express;Express-C;Personal;Workgroup Server","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSEPDU","label":"Db2 Connect"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg21685619