IBM Support

Security Bulletin: Unauthorized Access to user data vulnerability in DB2 during certain LOAD operations (CVE-2014-4805)

Security Bulletin


Summary

During certain LOAD operations into Columnar Data Engine (CDE) tables, a temporary file containing user data may be created at the DB2 server. As the file only exists for the duration of the LOAD operation and is automatically removed on completion (both success and error), the vulnerability exists only temporarily.

Vulnerability Details


CVE ID: CVE-2014-4805

DESCRIPTION:

While running LOAD into a CDE table, and depending on the input source of the LOAD command (detailed below), DB2 creates a temporary file containing the user data being loaded. The temporary file exists only for the duration of the LOAD command and is automatically removed on completion (both success and error). Thus, the vulnerability exists only temporarily.

The DB2 LOAD operation creates a temporary file if the input source of the LOAD command into a CDE table is one of the following:
- PIPE
- remote fetch (LOAD from CURSOR from a remote database)
- sourceuserexit (LOAD option to start external program to generate and feed data to LOAD)
- LOAD CLIENT

The temporary file is not created for the following sources:
- file
- LOAD from CURSOR, where CURSOR definition does not include DATABASE clause (i.e. local database)

CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95307 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

All fix pack levels for IBM DB2 V10.5 editions running on AIX and Linux are affected.

IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition

The vulnerability is not applicable to DB2 releases before V10.5.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:

The fix for DB2 and DB2 Connect release V10.5 is in V10.5 FP4, available for download from Fix Central.

Download the fix pack from the following:

Release: V10.5
Fixed in fix pack: FP4
APAR: IT03761
Download URL: http://www.ibm.com/support/docview.wss?uid=swg24038261

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Workarounds and Mitigations

The recommended workaround is: do not use the above-mentioned input sources (i.e. PIPE, remote fetch, sourceuserexit, LOAD CLIENT) for the LOAD command into CDE tables.

Alternatively, customers who perform LOAD into CDE tables via the input sources mentioned above should ensure that no other users share the instance owner's group. That is, the instance owner group should contain only one user ID, the instance owner ID.
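
One way to check the second workaround above on an AIX or Linux server, as an added example (not IBM's code): the script lists every local account that has the instance owner's primary group as its primary or supplementary group. It assumes local /etc/passwd and /etc/group files (accounts from LDAP or NIS are not covered), and db2inst1 is a hypothetical instance owner name.

```shell
#!/bin/sh
# Added example: audit who shares the DB2 instance owner's primary group.
# Assumptions: standard colon-separated passwd/group files; the instance
# owner name passed in (e.g. db2inst1) is hypothetical.
# Usage: check_instance_group db2inst1

# group_sharers OWNER [PASSWD_FILE] [GROUP_FILE]
# Prints, one per line, every account other than OWNER that has the owner's
# primary group as its primary or supplementary group.
group_sharers() {
    owner=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    # Field 4 of the passwd entry is the account's primary GID.
    gid=$(awk -F: -v u="$owner" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -z "$gid" ]; then
        echo "instance owner '$owner' not found in $passwd_file" >&2
        return 2
    fi

    {
        # Accounts whose primary GID is the instance owner's group.
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file"
        # Supplementary members: comma-separated field 4 of the group entry.
        awk -F: -v g="$gid" '$3 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
    } | grep -vxF -- "$owner" | sort -u
}

# check_instance_group OWNER [PASSWD_FILE] [GROUP_FILE]
# Returns 0 if OWNER is the only member, 1 if other accounts share the
# group, 2 if OWNER could not be found.
check_instance_group() {
    others=$(group_sharers "$@") || return 2
    if [ -n "$others" ]; then
        echo "Accounts sharing the instance owner's group:" >&2
        echo "$others" >&2
        return 1
    fi
    return 0
}
```

A return code of 1 means the group still has members besides the instance owner and the workaround is not in place.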

References

Acknowledgement

None

Change History

August 28, 2014: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date:
16 June 2018

UID

swg21681723