DB2 FOR LUW / DB2FORLUW / 910 - DB2

The stored procedure GET_WRAP_CFG_C and GET_WRAP_CFG_C2 could be 
exploited to read any XML file 
owned by the DB2 fenced ID.  On Windows, the DB2 fenced ID is an 
administrator.

**************************************************************** 
* USERS AFFECTED:                                              * 
* All DB2 systems on all Linux, Unix and Windows platforms at  * 
* service levels from Version 9.1 GA through to Version 9.1    * 
* Fix Pack 11.                                                 * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Security Bulletin: XML File Disclosure Vulnerability in  * 
* IBM DB2 GET_WRAP_CFG_C and GET_WRAP_CFG_C2 (CVE-2012-2196):  * 
* http://www-01.ibm.com/support/docview.wss?uid=swg21607618    * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 9.1 Fix Pack 12 or see "Local Fix"    * 
* portion for other suggestions.                               * 
****************************************************************

The two stored procedures are used by Control Center.  If 
Control Center is not being used then revoke EXECUTE privilege 
on the stored procedures from PUBLIC: 
 
REVOKE EXECUTE ON PROCEDURE SYSPROC.GET_WRAP_CFG_C FROM PUBLIC 
RESTRICT 
REVOKE EXECUTE ON PROCEDURE SYSPROC.GET_WRAP_CFG_C2 FROM PUBLIC 
RESTRICT

The complete fix for this problem first appears in DB2 Version 
9.1 Fix Pack 12 and all the subsequent Fix Packs.

not known / see Local fix

forerunner  : APAR is sysrouted TO one or more of the following: IC84712 IC84748 IC84750 IC84751 
follow-up : 

Date  - problem reported    :
Date  - problem closed      :
Date  - last modified       :

14.06.2012
17.07.2012
21.08.2012

9.1.FP12