home clear 64x64
en blue 200x116 de orange 200x116 info letter User
suche 36x36
Neueste VersionenFixList
11.1.0.7 FixList
10.5.0.9 FixList
10.1.0.6 FixList
9.8.0.5 FixList
9.7.0.11 FixList
9.5.0.10 FixList
9.1.0.12 FixList
Haben Sie Probleme? - Kontaktieren Sie uns.
Kostenlos registrieren anmeldung-x26
Kontaktformular kontakt-x26

DB2 - Problembeschreibung

Problem IC94523 Status: Geschlossen

SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)

Produkt:
DB2 FOR LUW / DB2FORLUW / 970 - DB2
Problembeschreibung:
DB2 server contain a security vulnerability which could allow an 
authenticated user to temporarily gain SELECT, INSERT, UPDATE or 
DELETE privileges on a table. To exploit the vulnerability, the 
user would need to have a valid security credential to connect 
to the database and EXPLAIN, SQLADM or DBADM authority. 
 
Under unspecified conditions, a user with the above authorities 
will be able to execute a DML statement such as SELECT, INSERT, 
UPDATE and DELETE on a table that they do not have authority 
for. Only DML statements are vulnerable. 
 
The following query will show which user has EXPLAIN / SQLADM / 
DBADM authority but no DATAACCESS authority: 
 
select substr(grantor,1,10) grantor , substr(grantee,1,20) 
grantee , granteetype, explainauth, dbadmauth, sqladmauth, 
dataaccessauth from SYSCAT.DBAUTH where dataaccessauth = 'N' and 
(explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y') 
 
GRANTOR GRANTEE GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH 
DATAACCESSAUTH 
---------- -------------------- ----------- ----------- 
--------- ---------- -------------- 
MYSECADM BOB U Y N N N 
MYSECADM ROLE_DBADM R N Y N N 
MYSECADM ROLE_SQLADM R N N Y N 
MYSECADM ROLE_EXPLAIN R Y N N N 
MYSECADM ALEX U N Y N N 
MYSECADM JOHN U N N Y N
Problem-Zusammenfassung:
**************************************************************** 
* USERS AFFECTED:                                              * 
* All DB2 systems on all Linux, Unix and Windows platforms at  * 
* service levels Version 9.7 GA  through to Version 9.7 Fix    * 
* Pack 8.                                                      * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Error Description                                        * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 9.7 Fix Pack 9.                       * 
****************************************************************
Local-Fix:


verfügbare FixPacks:


DB2 Version 9.7 Fix Pack 9 for Linux, UNIX, and Windows
 DB2 Version 9.7 Fix Pack 9a for Linux, UNIX, and Windows
 DB2 Version 9.7 Fix Pack 10 for Linux, UNIX, and Windows
 


Lösung


The complete fix for this problem first appears in DB2 Version 
9.7 Fix Pack 9 and all the subsequent Fix Packs. 
 
Security Bulletin: Unauthorized Access to Table Vulnerability in 
DB2 (CVE-2013-4033) 
http://www-01.ibm.com/support/docview.wss?uid=swg21646809


Workaround


keiner bekannt / siehe Local-Fix


Bug-Verfolgung


Vorgänger  : APAR is sysrouted TO one or more of the following: IC94756 IC94757 IC94758 
Nachfolger : 


Weitere Daten


Datum - Problem gemeldet    :
Datum - Problem geschlossen :
Datum - der letzten Änderung:

31.07.2013
16.12.2013
16.12.2013


Problem behoben ab folgender Versionen (IBM BugInfos)


9.7.FP9



Problem behoben lt. FixList in der Version


9.7.0.9

FixList



9.7.0.9

FixList