|
Problem IC65922
|
Status: Closed |
SECURITY: BUFFER OVERRUN IN REPEAT UDF (CVE-2010-0462) |
| product: |
DB2 FOR LUW / DB2FORLUW / 910 - DB2 |
| Problem description: |
The scalar function REPEAT contains a buffer overrun defect that
malicious user could manipulate, causing the DB2 server to trap.
A valid database connection is required to exploit the
vulnerability. |
| Problem Summary: |
****************************************************************
* USERS AFFECTED: *
* All DB2 systems on all Linux, Unix and Windows platforms *
* atservice levels from Version 9.1 GA through to Version *
* 9.1Fix Pack 9. *
****************************************************************
* PROBLEM DESCRIPTION: *
* See error description. *
****************************************************************
* RECOMMENDATION: *
* Upgrade to DB2 Version 9.1 Fix Pack 9 or see "Local *
* Fix"portion for other suggestions. *
**************************************************************** |
| Local Fix: |
It is not possible to revoke EXECUTE privilege on the scalar
function REPEAT from PUBLIC.
To minimize the exposure, revoke CONNECT privilege from PUBLIC
and only grant CONNECT privilege to trusted users. |
| available fix packs: |
DB2 Version 9.1 Fix Pack 9 for Linux, UNIX and Windows
DB2 Version 9.1 Fix Pack 10 for Linux, UNIX and Windows
DB2 Version 9.1 Fix Pack 11 for Linux, UNIX and Windows
DB2 Version 9.1 Fix Pack 12 for Linux, UNIX and Windows
|
| Solution |
The complete fix for this problem first appears in DB2 Version
9.1 Fix Pack 9 and all the subsequent Fix Packs. |
| Workaround |
not known / see Local fix |
| BUG-Tracking |
forerunner : APAR is sysrouted TO one or more of the following: IC65933 IC65935
follow-up : |
| Timestamps |
Date - problem reported :
Date - problem closed :
Date - last modified :
| 28.01.2010
15.04.2010
17.08.2010 |
| Problem solved at the following versions (IBM BugInfos) |
9.1.FP9
|
| Problem solved according to the fixlist(s) of the following version(s) |
| 9.1.0.9
|
 |
