IBM Support

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for Linux, UNIX, and Windows Version 11.5

News


Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2 Version 11.5.

Content

A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues. IBM is not currently aware of any externally reported incidents where production DB2 installations have been compromised due to these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

DB2 Connect Server (all Editions)
DB2 Developer Edition
DB2 Enterprise Server (all Editions)
DB2 Express Server (all Editions)
DB2 Workgroup Server (all Editions)

DB2 Client component and DB2 products or components other than those listed above are not affected.

Due to the complexity of the fixes required to eliminate the reported service issues, it is not feasible to retrofit the same fixes into earlier DB2 Version 11.5 fix packs.
 

Select a Fix Pack: m4fp0, m5fp0, m5fp1, m6fp0  

-->

DB2 Version 11.5 Mod 6 Fix Pack 0
Security APARs
IT36026 SECURITY: IBM DB2 IS VULNERABLE TO A DOS WHEN A TABLE IS DROPPED WHILE BEING ACCESSED IN ANOTHER SESSION (CVE-2021-29777)
IT36475 SECURITY: IBM DB2 MAY BE VULNERABLE TO AN INFO. DISC. IN SOME CASES WHEN A USER CREATES AN INLINE SQL FUNC. (CVE-2021-20579)
IT34964 SECURITY: IBM DB2 IS VULNERABLE TO AN ARBITRARY FILE OVERWRITE (CVE-2020-4945)
IT34966 SECURITY: DB2 EXTERNAL TABLE CREATION IS VULNERABLE TO RACE CONDITION ATTACK (CVE-2020-4885)
IT36413 SECURITY: MULTIPLE VULNERABILITIES IN DEPENDENT LIBRARIES AFFECT DB2 (CVE-2020-27216)
IT36279 SECURITY: LOCAL PRIVILEGE ESCALATION IN IBM DB2 WINDOWS CLIENT (CVE-2020-4739)
HIPER APARs
IT35685 QUERY WITH 'ORDER BY' AND REFERENCING A COMMON SUBEXPRESSION OVER COLUMN-ORGANIZED TABLES MAY RETURN ROWS IN THE WRONG ORDER
IT35926 WRONG RESULT WITH MULTIDIMENSIONAL CLUSTERING (MDC) TABLE AND ZIGZAG JOIN (ZZJN)
IT36818 POSSIBLE DATA LOSS IF DELETE AND RUNSTATS/REORG ARE IN A SINGLE TRANSACTION AND THE TRANSACTION IS THEN ROLLEDBACK
IT35891 WRONG RESULT MIGHT BE RETURNED WHEN SUBSTR WITH IF ELSE CLAUSES WAS USED AND THE COLUMN WAS CREATED IN CODEUNIT32
IT36924 IN A RARE SCENARIO THE ERROR COULD BE LOST AND INSTEAD EITHER NULL OR SQL0901N RETURNED
IT36937 IF ROW BEING SORTED IS VERY WIDE MEMORY OVERWRITES OR WRONG RESULTS ARE POSSIBLE.
IT37079 COUNT DISTINCT QUERIES AGAINST COLUMNAR ORGANIZED TABLES COULD RETURN INCORRECT RESULTS
IT33777 BUILD IN FUNCTION "DATE_PART" MIGHT RETURN AN INCORRECT RESULT OF WEEK, I.E. DATE_PART('WEEK', '2020-03-09')
IT35943 WRONG RESULT: QUERIES REFERENCING AN EXISTS SUB-QUERY WITH FETCH FIRST 1 ROW REFERENCED IN A CASE STATEMENT IN THE SELECT LIST
-->

DB2 Version 11.5 Mod 5 Fix Pack 1
Security APARs
IT34294 SECURITY: IBM® DB2® IS VULNERABLE TO A DENIAL OF SERVICE ON WINDOWS (CVE-2020-4642)
IT35289 SECURITY: IBM DB2 CLIENT MAY HANG IN THE EXECUTION OF THE TERMINATE COMMAND (CVE-2020-5024)
IT35303 SECURITY: IBM DB2 DB2FM IS VULNERABLE TO A BUFFER OVERFLOW (CVE-2020-5025)
IT35445 SECURITY: DB2 CREATES SOME FILES WITH INSECURE PERMISSIONS (CVE-2020-4976)
IT34862 SECURITY: IBM DB2 IS VULNERABLE TO A DENIAL OF SERVICE WHEN EXECUTING A SPECIFICALLY CRAFTED SELECT STATEMENT. (CVE-2021-29702)
HIPER APARs
IT34613 INCORRECT RESULTS WITH DB2_EXTENDED_OPTIMIZATION='MQTENFORCE REPLICATED'
IT34960 DATE PRECISION IS LOST WHEN REMOTE SQL SHIPPED TO FEDERATED DB AND RESULTS IN 0 ROWS.
IT34658 DB2 QUERY MAY GENERATE FODC AND APP_ERR OR WRONG RESULT IN CERTAIN CONDITIONS
IT34940 WRONG RESULT WHEN EQUALITY PREDICATE HAS IS NOT NULL WITH FALSE ON OTHER SIDE.
IT35377 WRONG RESULT IN A VERY SPECIFIC PLAN/SPECIFIC DATA FLOW WITH NLJN AND DATAPART TABLE ON THE INNER AND NULL KEYS.
IT35198 A QUERY ON COLUMNAR TABLES MAY RETURN MORE ROWS THAN EXPECTED

-->

DB2 Version 11.5 Mod 5 Fix Pack 0
Security APARs
IT34614 SECURITY: MULTIPLE BUFFER OVERFLOW VULNERABILITIES AFFECT DB2
IT34221 SECURITY: LOCAL PRIVILEGE ESCALATION IN IBM DB2 WINDOWS CLIENT
HIPER APARs
IT32992 WRONG RESULT, WHEN OPTIMIZATION LEVEL IS LESS THAN 5 AND NULL EQUALS NULL PREDICATE
IT33525 INACCURATE RESULT OF DECIMAL DIVISION ON NON-AIX PLATFORM

-->

DB2 Version 11.5 Mod 4 Fix Pack 0
Security APARs
IT32357 SECURITY: DB2 IS VULNERABLE TO BUFFER OVERFLOW LEADING TO PRIVILEGE ESCALATION
IT32363 SECURITY: IBM® DB2® LUW IS VULNERABLE TO A DENIAL OF SERVICE ATTACK
IT32689 SECURITY: IBM DB2 IS VULNERABLE TO AN INFORMATION DISCLOSURE
IT32714 SECURITY: IBM® DB2® IS VULNERABLE TO AN INFORMATION DISCLOSURE
IT32716 SECURITY: IBM DB2 IS VULNERABLE TO AN INFORMATION DISCLOSURE AND DENIAL OF SERVICE
IT32766 SECURITY - DB2 IS VULNERABLE TO A DENIAL OF SERVICE ATTACK
IT31637 SECURITY: DB2 IS VULNERABLE TO MULTIPLE BUFFER OVERFLOWS (CVE-2020-4204)
HIPER APARs
IT29945 10 CHAR VALUE CAN BE INSERTED INTO VARGRAPHIC(5 CODEUNITS32).THIS SHOULD FAIL WITH SQL0433N ERROR.
IT31634 WRONG RESULT IN UPDATE STATEMENT HAVING CORRELATION.
IT32195 IF THE ROW WIDTH PROCESSED BY A PARTIAL AGGREGATION OPERATOR IS MORE THEN 32K THEN WE COULD GENERATE INCORRECT RESULTS
IT33218 DB2 SERVER TERMINATES ABNORMALLY IN THE SQLDFETCHLARGEROW FUNCTION WITH DB2_4K_DEVICE_SUPPORT=ON SET.
DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.

My Notifications
Sign-up to receive e-mail notification of changes to this document.
1. Sign in to My Notifications
2. select Subscribe tab
3. select "Information Management" from the Software column
4. select the check box for "DB2 for Linux, UNIX and Windows"
click the Continue button.
5. select the check box for "Flashes" and all other document types
click the Submit button.

For more information about My Notifications please click on


[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"ARM Category":[{"code":"a8m500000008PkpAAE","label":"OTHER - Uncategorised"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"11.5.0","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEPDU","label":"Db2 Connect"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
22 June 2021

UID

ibm16242296