
DB2 - Problem description

Problem IC85513 Status: Closed

SECURITY: The UTL_FILE COULD ALLOW UNAUTHORIZED ACCESS TO FILES
(CVE-2012-3324).

Product:
DB2 FOR LUW / DB2FORLUW / A10 - DB2
Problem description:
The UTL_FILE module contains a security vulnerability that 
permits the routines within it to view, modify and delete a file 
outside the intended directory.  The vulnerability applies 
to DB2 servers running on Windows only. 
 
UTL_FILE is a built-in module containing routines used by DB2 
applications to access files located on the DB2 server.  By 
design, the files it can operate on are constrained to files in 
the directory specified by the first parameter.  The 
vulnerability is in the processing of the file name: the 
constraint can be circumvented if the file name contains 
directory path components. 
 
The privilege to execute the routines in UTL_FILE is, by default, 
not granted to PUBLIC.  Hence, a general user (PUBLIC) that has 
not been directly or indirectly granted any privileges will not 
be able to execute any routines in UTL_FILE directly. However, 
applications and stored procedures that make use of UTL_FILE are 
vulnerable if they accept user input and the input value is 
passed directly to routines in UTL_FILE.
Problem summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* Users using system module routines on a windows machine.     * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Security Bulletin:  IBM DB2 Security Vulnerability in    * 
* the UTL_FILE module (CVE-2012-3324)                          * 
* http://www.ibm.com/support/docview.wss?uid=swg21611040       * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 10.1 Fix Pack 1                       * 
****************************************************************
Local-Fix:
To have better control over who holds the EXECUTE privilege, revoke 
the EXECUTE privilege from PUBLIC if it has been granted, and grant it 
only to users who need it.   Review applications and ensure user 
input is not passed directly to routines in UTL_FILE.   Ensure 
that file names are not qualified with any path.
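The last point of the Local-Fix, checking that a user-supplied file name carries no directory information before it reaches UTL_FILE, as an added example that is not IBM's code. The function names and the rule set (Windows separators, drive colon, characters Windows forbids in file names, trailing dot or space) are this example's own assumptions about what "not qualified with any path" should mean on a Windows DB2 server.

```python
"""Validate a user-supplied file name before an application passes it
to a UTL_FILE routine (added example; not part of the APAR).  The goal
is to accept only a plain file name, so that UTL_FILE can touch files
in the directory named by its first parameter and nowhere else."""
import re

# Anything that makes a Windows name path-qualified or unsafe:
# both separators, the drive/alternate-stream colon, NUL, the other
# characters Windows forbids in file names, and control characters.
_FORBIDDEN = re.compile(r'[\\/:\x00<>"|?*\x01-\x1f]')


def is_safe_utl_file_name(name) -> bool:
    """True only for a non-empty plain file name with no path parts."""
    if not isinstance(name, str) or not name:
        return False
    if _FORBIDDEN.search(name):
        return False
    # Windows silently strips trailing dots and spaces, so "x.txt ."
    # resolves to x.txt; '.' and '..' are caught here as well.
    if name != name.strip() or name.endswith('.'):
        return False
    return True


def safe_file_name(name: str) -> str:
    """Hypothetical guard an application would call before handing the
    value to UTL_FILE: returns the name unchanged or raises ValueError."""
    if not is_safe_utl_file_name(name):
        raise ValueError(f"file name rejected: {name!r}")
    return name


# Constructed sample inputs (not from the advisory) for a quick run.
SAMPLES = ["report.txt", "..\\secret.txt", "../secret.txt",
           "C:\\Windows\\win.ini", "\\\\server\\share\\f.txt",
           "report.txt ", ""]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "accept" if is_safe_utl_file_name(sample) else "reject"
        print(f"{verdict:6} {sample!r}")
```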
Available FixPacks:
DB2 Version 10.1 Fix Pack 1 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 2 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 3 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 4 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 6 for Linux, UNIX, and Windows

Solution
Problem was first fixed in DB2 Version 10.1 Fix Pack 1
Workaround
none known / see Local-Fix
Further data
Date - problem reported    : 25.07.2012
Date - problem closed      : 17.09.2012
Date - last change         : 17.09.2012
Problem fixed from the following versions (IBM BugInfos)
Problem fixed according to FixList in version
10.1.0.1 FixList
10.5.0.1 FixList