Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 12

Flashes (Alerts)


Abstract

Fix Pack 12 for DB2 V9.1 is now available and includes fixes for several security vulnerabilities. Where applicable, the same fixes are also available in a Fix Pack for DB2 Version 9.5, a Fix Pack for DB2 Version 9.7, a Fix Pack for DB2 Version 9.8 and a Fix Pack for DB2 Version 10.1.

IBM® recommends that you review the APAR descriptions and deploy one of the above fix packs on your affected DB2 installations to correct these vulnerabilities.

Content

A set of security vulnerabilities was discovered in some DB2 database products. These vulnerabilities were analyzed by the DB2 development organization and a set of corresponding fixes was created to address the reported issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

  • DB2 Enterprise Server Edition
  • DB2 Workgroup Server (all Editions)
  • DB2 Express Server (all Editions)
  • DB2 Personal Edition
  • DB2 Connect Server (all Editions)

The DB2 Client component, and DB2 products or components other than those listed above, are not affected.

Due to the complexity of the fixes required to eliminate the reported issues, it is not feasible to retrofit the same fixes into earlier DB2 Version 9.1, Version 9.5, Version 9.7 or Version 9.8 fix packs.

The specifics of the Security APARs incorporated into the above DB2 fix packs can be found in the following table:

Security APARs

V9.1 FP12      | V9.5             | V9.7                | V9.8                | V10.1               | Abstract
---------------|------------------|---------------------|---------------------|---------------------|------------------------------------------------------------------------------------------------------------
(not captured) | IC80728 (in FP9) | IC80729 (in FP6)    | n/a                 | n/a                 | SECURITY: REMOTE ESCALATION OF PRIVILEGE VULNERABILITY IN DAS (CVE-2012-0711).
(not captured) | IC84711 (forthcoming) | IC84714 (forthcoming) | IC84715 (forthcoming) | IC84716 (forthcoming) | SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY (CVE-2012-2194).
(not captured) | IC84752 (forthcoming) | IC84753 (forthcoming) | IC84754 (forthcoming) | IC84755 (forthcoming) | SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED PROCEDURE INFRASTRUCTURE (CVE-2012-2197).
(not captured) | IC84712 (forthcoming) | IC84748 (forthcoming) | IC84750 (forthcoming) | IC84751 (forthcoming) | SECURITY: GET_WRAP_CFG_C AND GET_WRAP_CFG_C2 ALLOWS UNAUTHORIZED ACCESS XML FILES (CVE-2012-2196).

"(not captured)" marks V9.1 FP12 APAR numbers that are not present in this copy of the table; the fixes themselves are included in V9.1 Fix Pack 12, as the title of this document states. "(in FPn)" means the fix already shipped in that fix pack of the listed version; "(forthcoming)" means the fix pack for that version had not yet been released when this document was published.
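The table above tells an administrator which fix pack closes each CVE for each DB2 version, and the usual way to learn the installed level is the db2level command. The following Python script is an added example, not IBM's code: it parses the "Informational tokens" line of db2level output for the major.minor version and fix pack number, then compares them against the fix levels stated in the table (V9.1 FP12 for all four CVEs; V9.5 FP9 and V9.7 FP6 for CVE-2012-0711; no shipped fix listed for the other cells). The sample db2level outputs embedded below are constructed; the instance name, build and level identifier strings in them are made up.

```python
import re

# Minimum fix pack that ships the fix, per DB2 version, taken from the
# advisory table: V9.1 FP12 carries all four fixes; V9.5 FP9 and V9.7 FP6
# carry the CVE-2012-0711 fix; every other cell was "forthcoming" or "n/a".
FIXED_LEVELS = {
    "CVE-2012-0711": {"9.1": 12, "9.5": 9, "9.7": 6},
    "CVE-2012-2194": {"9.1": 12},
    "CVE-2012-2197": {"9.1": 12},
    "CVE-2012-2196": {"9.1": 12},
}

# db2level prints an "Informational tokens" line. The version token looks like
# "DB2 v9.7.0.6" on UNIX/Linux and "DB2 v9.7.600.xxx" on Windows; only the
# major.minor part matters here. Newer releases wrap the line at 80 columns,
# so the fix pack number may land on the next line: match across newlines.
TOKEN_PATTERN = re.compile(
    r'Informational tokens are "DB2 v(?P<version>\d+\.\d+)(?:\.\d+)+"'
    r'.*?Fix Pack\s+"(?P<fp>\d+)"',
    re.DOTALL,
)


def parse_db2level(output):
    """Return (major.minor version, fix pack number) from db2level output."""
    m = TOKEN_PATTERN.search(output)
    if m is None:
        raise ValueError('no "Informational tokens" line found in db2level output')
    return m.group("version"), int(m.group("fp"))


def assess(output):
    """Classify each advisory CVE for the installed level as 'fixed',
    'vulnerable' (a fixing fix pack exists for this version but is not
    installed) or 'no fix listed' (the table shows no shipped fix for it)."""
    version, fp = parse_db2level(output)
    status = {}
    for cve, levels in FIXED_LEVELS.items():
        if version not in levels:
            status[cve] = "no fix listed"
        elif fp >= levels[version]:
            status[cve] = "fixed"
        else:
            status[cve] = "vulnerable"
    return status


# Constructed sample outputs (hypothetical instance name, build and level
# identifiers). On a real system run `db2level` and pass its output to assess().
SAMPLE_V91_FP11 = '''DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09011" with level identifier "0A020107".
Informational tokens are "DB2 v9.1.0.11", "s110530", "U000000", and Fix Pack "11".
Product is installed at "/opt/ibm/db2/V9.1".
'''

SAMPLE_V97_FP6 = '''DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09076" with level identifier "08070107".
Informational tokens are "DB2 v9.7.0.6", "s120516", "IP00000", and Fix Pack
"6".
Product is installed at "/opt/ibm/db2/V9.7".
'''

if __name__ == "__main__":
    for name, sample in (("V9.1 FP11", SAMPLE_V91_FP11), ("V9.7 FP6", SAMPLE_V97_FP6)):
        print(name)
        for cve, state in assess(sample).items():
            print(f"  {cve}: {state}")
```

The status "no fix listed" deliberately does not mean "safe": for V9.5, V9.7, V9.8 and V10.1 the table marks three of the four fixes as forthcoming, so an installation at those versions should be re-checked against the later fix pack flashes once they ship. Run the check once per instance, since db2level reports the level of the instance's installation path, not of every DB2 copy on the host.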

HIPER APARs

None.

Special Attention APARs

None.

DB2 fix packs for all supported versions can be downloaded at the following site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes for newly discovered issues along with information that helps our customers to decide on an appropriate course of action. The DB2 team regrets the inconvenience that these issues are causing to you, our customers. We believe that our actions are the most prudent steps to address your concerns and remain open to suggestions on how to further improve our processes.


Document Information

Modified date: 25 September 2022
UID: swg21600837