DB2 - Problembeschreibung
Problem IC94758 | Status: Geschlossen |
SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033) | |
Produkt: | |
DB2 FOR LUW / DB2FORLUW / A50 - DB2 | |
Problembeschreibung: | |
DB2 server contain a security vulnerability which could allow an authenticated user to temporarily gain SELECT, INSERT, UPDATE or DELETE privileges on a table. To exploit the vulnerability, the user would need to have a valid security credential to connect to the database and EXPLAIN, SQLADM or DBADM authority. Under unspecified conditions, a user with the above authorities will be able to execute a DML statement such as SELECT, INSERT, UPDATE and DELETE on a table that they do not have authority for. Only DML statements are vulnerable. The following query will show which user has EXPLAIN / SQLADM / DBADM authority but no DATAACCESS authority: select substr(grantor,1,10) grantor , substr(grantee,1,20) grantee , granteetype, explainauth, dbadmauth, sqladmauth, dataaccessauth from SYSCAT.DBAUTH where dataaccessauth = 'N' and (explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y') GRANTOR GRANTEE GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH DATAACCESSAUTH ---------- -------------------- ----------- ----------- --------- ---------- -------------- MYSECADM BOB U Y N N N MYSECADM ROLE_DBADM R N Y N N MYSECADM ROLE_SQLADM R N N Y N MYSECADM ROLE_EXPLAIN R Y N N N MYSECADM ALEX U N Y N N MYSECADM JOHN U N N Y N | |
Problem-Zusammenfassung: | |
**************************************************************** * USERS AFFECTED: * * All DB2 Server systems on all Linux, Unix and Windows * * platforms at Version 10.5 GA . * **************************************************************** * PROBLEM DESCRIPTION: * * See Error Description * **************************************************************** * RECOMMENDATION: * * Upgrade to DB2 Version 10.5 Fix Pack 1 * **************************************************************** | |
Local-Fix: | |
verfügbare FixPacks: | |
DB2 Version 10.5 Fix Pack 3 for Linux, UNIX, and Windows | |
Lösung | |
The complete fix for this problem first appears in DB2 Version 10.5 Fix Pack 1 and all the subsequent Fix Packs. Security Bulletin: Unauthorized Access to Table Vulnerability in DB2 (CVE-2013-4033) http://www-01.ibm.com/support/docview.wss?uid=swg21646809 | |
Workaround | |
keiner bekannt / siehe Local-Fix | |
Weitere Daten | |
Datum - Problem gemeldet : Datum - Problem geschlossen : Datum - der letzten Änderung: | 08.08.2013 12.09.2013 16.12.2013 |
Problem behoben ab folgender Versionen (IBM BugInfos) | |
Problem behoben lt. FixList in der Version |