home clear 64x64
en blue 200x116 de orange 200x116 info letter User
suche 36x36
Latest versionsfixlist
11.1.0.7 FixList
10.5.0.9 FixList
10.1.0.6 FixList
9.8.0.5 FixList
9.7.0.11 FixList
9.5.0.10 FixList
9.1.0.12 FixList
Have problems? - contact us.
Register for free anmeldung-x26
Contact form kontakt-x26

DB2 - Problem description

Problem IC71413 Status: Closed

Users able to update statistics for tables without appropriate privileges

product:
DB2 FOR LUW / DB2FORLUW / 950 - DB2
Problem description:
Users are able to incorrectly update statistics columns 
in SYSSTAT.TABLES for tables upon which they do not have 
appropriate privileges.  Thus, a malicious user may be able to 
introduce query performance degradations by modifying table 
statistics via this view. 
 
Normally, in order to update the statistics for a 
table via this view, you must have CONTROL or explicit 
DATAACCESS privilege on the table.    This APAR fix addresses 
this problem.
Problem Summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* DB2 Version 9.5 GA through to Fix Pack 6 servers on Linux,   * 
* Unix and Windows platforms.                                  * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* A user may gain unauthorized access to the catalog data in a * 
* SYSSTAT view.                                                * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Apply DB2 Version 9.5 Fix Pack 7 and run the db2updv95       * 
* utility.                                                     * 
****************************************************************
Local Fix:
Revoke UPDATE privilege from PUBLIC on the SYSSTAT.TABLES view 
until this APAR is applied. Namely, run: 
 
revoke update on sysstat.tables from public 
 
You may continue updating statistics with appropriate privileges 
via the SYSCAT.TABLES view if needed, which is not affected by 
this problem.
available fix packs:
DB2 Version 9.5 Fix Pack 8 for Linux, UNIX, and Windows
 DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
 DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows
Solution
First fixed in DB2 Version 9.5 Fix Pack 7 and all subsequent Fix 
Packs.
Workaround
not known / see Local fix
BUG-Tracking
forerunner  : APAR is sysrouted TO one or more of the following: IC72118 IC72119 
follow-up :
Timestamps
Date  - problem reported    :
Date  - problem closed      :
Date  - last modified       :

23.09.2010
26.04.2011
26.04.2011
Problem solved at the following versions (IBM BugInfos)
9.5.FP7
Problem solved according to the fixlist(s) of the following version(s)
9.1.0.7 FixList
9.5.0.7 FixList