|
Problem IC84019
|
Status: Closed |
SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY (CVE-2012-2194). |
| product: |
DB2 FOR LUW / DB2FORLUW / 910 - DB2 |
| Problem description: |
The stored procedure SQLJ.DB2_INSTALL_JAR contains a
vulnerability which could be exploited to replace JAR files at
the DB2 server. |
| Problem Summary: |
****************************************************************
* USERS AFFECTED: *
* All DB2 systems on Windows platforms at service levels from *
* Version 9.1 GA through to Version 9.1 Fix Pack 11. *
****************************************************************
* PROBLEM DESCRIPTION: *
* See Security Bulletin: IBM DB2 Security Vulnerability in *
* SQLJ.DB2_INSTALL_JAR (CVE-2012-2194): *
* http://www.ibm.com/support/docview.wss?uid=swg21607622 *
****************************************************************
* RECOMMENDATION: *
* Upgrade to DB2 Version 9.1 Fix Pack 12 or see "Local Fix" *
* portion for other suggestions. *
**************************************************************** |
| Local Fix: |
Revoke EXECUTE privilege on SQLJ.DB2_INSTALL_JAR from PUBLIC. |
| Solution |
The complete fix for this problem first appears in DB2 Version
9.1 Fix Pack 12 and all the subsequent Fix Packs. |
| Workaround |
not known / see Local fix |
| BUG-Tracking |
forerunner : APAR is sysrouted TO one or more of the following: IC84711 IC84714 IC84715 IC84716
follow-up : |
| Timestamps |
Date - problem reported :
Date - problem closed :
Date - last modified :
| 07.06.2012
17.07.2012
21.08.2012 |
| Problem solved at the following versions (IBM BugInfos) |
9.1.FP12
|
| Problem solved according to the fixlist(s) of the following version(s) |
| 9.1.0.12
|
 |
