home clear 64x64
en blue 200x116 de orange 200x116 info letter User
suche 36x36
Neueste VersionenFixList
11.1.0.7 FixList
10.5.0.9 FixList
10.1.0.6 FixList
9.8.0.5 FixList
9.7.0.11 FixList
9.5.0.10 FixList
9.1.0.12 FixList
Haben Sie Probleme? - Kontaktieren Sie uns.
Kostenlos registrieren anmeldung-x26
Kontaktformular kontakt-x26

DB2 - Problembeschreibung

Problem IC94758 Status: Geschlossen

SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)

Produkt:
DB2 FOR LUW / DB2FORLUW / A50 - DB2
Problembeschreibung:
DB2 server contain a security vulnerability which could allow an 
authenticated user to temporarily gain SELECT, INSERT, UPDATE or 
DELETE privileges on a table. To exploit the vulnerability, the 
user would need to have a valid security credential to connect 
to the database and EXPLAIN, SQLADM or DBADM authority. 
 
Under unspecified conditions, a user with the above authorities 
will be able to execute a DML statement such as SELECT, INSERT, 
UPDATE and DELETE on a table that they do not have authority 
for. Only DML statements are vulnerable. 
 
The following query will show which user has EXPLAIN / SQLADM / 
DBADM authority but no DATAACCESS authority: 
 
select substr(grantor,1,10) grantor , substr(grantee,1,20) 
grantee , granteetype, explainauth, dbadmauth, sqladmauth, 
dataaccessauth from SYSCAT.DBAUTH where dataaccessauth = 'N' and 
(explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y') 
 
GRANTOR GRANTEE GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH 
DATAACCESSAUTH 
---------- -------------------- ----------- ----------- 
--------- ---------- -------------- 
MYSECADM BOB U Y N N N 
MYSECADM ROLE_DBADM R N Y N N 
MYSECADM ROLE_SQLADM R N N Y N 
MYSECADM ROLE_EXPLAIN R Y N N N 
MYSECADM ALEX U N Y N N 
MYSECADM JOHN U N N Y N
Problem-Zusammenfassung:
**************************************************************** 
* USERS AFFECTED:                                              * 
* All DB2 Server systems on all Linux, Unix and Windows        * 
* platforms at Version 10.5 GA .                               * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Error Description                                        * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 10.5 Fix Pack 1                       * 
****************************************************************
Local-Fix:
verfügbare FixPacks:
DB2 Version 10.5 Fix Pack 3 for Linux, UNIX, and Windows
DB2 Version 10.5 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Cancun Release 10.5.0.4 (also known as Fix Pack 4) for Linux, UNIX, and Windows
DB2 Version 10.5 Fix Pack 9 for Linux, UNIX, and Windows

Lösung
The complete fix for this problem first appears in DB2 Version 
10.5 Fix Pack 1 and all the subsequent Fix Packs. 
 
Security Bulletin: Unauthorized Access to Table Vulnerability in 
DB2 (CVE-2013-4033) 
http://www-01.ibm.com/support/docview.wss?uid=swg21646809
Workaround
keiner bekannt / siehe Local-Fix
Weitere Daten
Datum - Problem gemeldet    :
Datum - Problem geschlossen :
Datum - der letzten Änderung:
08.08.2013
12.09.2013
16.12.2013
Problem behoben ab folgender Versionen (IBM BugInfos)
Problem behoben lt. FixList in der Version