|
Problem IC65933
|
Status: Closed |
SECURITY: BUFFER OVERRUN IN REPEAT UDF (CVE-2010-0462). |
| product: |
DB2 FOR LUW / DB2FORLUW / 950 - DB2 |
| Problem description: |
The scalar function REPEAT contains a buffer overrun defect that
malicious user could manipulate, causing the DB2 server to trap.
A valid database connection is required to exploit the
vulnerability. |
| Problem Summary: |
****************************************************************
* USERS AFFECTED: *
* All DB2 systems on all Linux, Unix and Windows platforms at *
* service levels from Version 9.5 GA through to Version 9.5 *
* Fix Pack 6. *
****************************************************************
* PROBLEM DESCRIPTION: *
* See "Error Description" *
****************************************************************
* RECOMMENDATION: *
* Upgrade to DB2 Version 9.5 Fix Pack 6 or see "Local Fix" *
* portion for other suggestions. *
**************************************************************** |
| Local Fix: |
It is not possible to revoke EXECUTE privilege on the scalar
function REPEAT from PUBLIC.
To minimize the exposure, revoke CONNECT privilege from PUBLIC
and only grant CONNECT privilege to trusted users. |
| available fix packs: |
DB2 Version 9.5 Fix Pack 6a for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 8 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows
|
| Solution |
The complete fix for this problem first appears in DB2 Version
9.5 Fix Pack 6 and all the subsequent Fix Packs. |
| Workaround |
not known / see Local fix |
| Timestamps |
Date - problem reported :
Date - problem closed :
Date - last modified :
| 28.01.2010
14.06.2010
17.08.2010 |
| Problem solved at the following versions (IBM BugInfos) |
9.5.FP6
|
| Problem solved according to the fixlist(s) of the following version(s) |
