
DB2 - Problem description

Problem IC85513 Status: Closed

SECURITY: The UTL_FILE COULD ALLOW UNAUTHORIZED ACCESS TO FILES
(CVE-2012-3324).

product:
DB2 FOR LUW / DB2FORLUW / A10 - DB2
Problem description:
The UTL_FILE module contains a security vulnerability that
permits the routines within it to view, modify and delete files
beyond the intended directory. The vulnerability applies only to
DB2 servers running on Windows.

UTL_FILE is a built-in module containing routines used by DB2
applications to access files located on the DB2 server. By
design, the files it can operate on are constrained to the
directory specified by the first parameter. The vulnerability
lies in the processing of the file name: the constraint can be
circumvented if the file name contains directory paths.

The privilege to execute the routines in UTL_FILE is, by default,
not granted to PUBLIC. Hence a general user (PUBLIC) that has
not been directly or indirectly granted any privileges will not
be able to execute any routines in UTL_FILE directly. However,
applications and stored procedures that make use of UTL_FILE are
vulnerable if they accept user input and pass the input value
directly to routines in UTL_FILE.
Problem Summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* Users using system module routines on a windows machine.     * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Security Bulletin:  IBM DB2 Security Vulnerability in    * 
* the UTL_FILE module (CVE-2012-3324)                          * 
* http://www.ibm.com/support/docview.wss?uid=swg21611040       * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 10.1 Fix Pack 1                       * 
****************************************************************
Local Fix:
To have better control over who has EXECUTE privilege, revoke
EXECUTE privilege from PUBLIC if it has been granted and grant it
only to users who need it. Review applications and ensure user
input is not passed directly to routines in UTL_FILE. Ensure
the file names are not qualified with any paths.
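The Local Fix asks applications to reject user-supplied file names that carry any path before they reach a UTL_FILE routine. The Python below is an added example of such a guard, not code from IBM or from this APAR. It assumes a constructed base directory (BASE_DIR) standing in for the location named by the first UTL_FILE parameter, and it uses ntpath so that Windows path rules are applied regardless of the host the check runs on.

```python
import ntpath

# Constructed stand-in for the directory that the first UTL_FILE parameter
# designates; the real location is whatever the DB2 administrator configured.
BASE_DIR = r"C:\db2data\utlfile"


def is_plain_file_name(name: str) -> bool:
    """Accept only a bare file name: no '\\' or '/' separators, no drive
    letter or colon, no NUL byte, and not the '.' / '..' pseudo-entries."""
    if not name or name in (".", "..") or "\x00" in name:
        return False
    if "\\" in name or "/" in name or ":" in name:
        return False
    # ntpath applies Windows path rules on any host platform.
    return ntpath.basename(name) == name


def resolves_inside(base_dir: str, name: str) -> bool:
    """Defence in depth: join name to base_dir under Windows rules, normalize
    away any '..' segments, and require the result to stay below base_dir."""
    base = ntpath.normcase(ntpath.normpath(base_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base_dir, name)))
    return target.startswith(base + "\\")


def validate_utl_file_name(name: str, base_dir: str = BASE_DIR) -> str:
    """Return name unchanged if it is safe to hand to a UTL_FILE routine;
    otherwise raise ValueError so the caller reports an error instead of
    falling through to the file operation."""
    if not is_plain_file_name(name):
        raise ValueError(f"file name must not be path-qualified: {name!r}")
    if not resolves_inside(base_dir, name):
        raise ValueError(f"file name escapes the UTL_FILE directory: {name!r}")
    return name


def classify(names):
    """Map each candidate name to 'ok' or 'rejected' (used by the demo)."""
    verdicts = {}
    for n in names:
        try:
            validate_utl_file_name(n)
            verdicts[n] = "ok"
        except ValueError:
            verdicts[n] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs as an application might receive them.
    samples = ["report.txt", "sub\\report.txt", "..\\report.txt",
               "/report.txt", "D:report.txt", "", ".."]
    for name, verdict in classify(samples).items():
        print(f"{name!r:>20} -> {verdict}")
```

The first check is the one the Local Fix calls for (no path qualification at all); the second is a belt-and-braces resolution test that would also catch a name that slipped past a weaker filter, since it confirms the final path still lies under the directory rather than trusting the name's syntax.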
available fix packs:
DB2 Version 10.1 Fix Pack 1 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 2 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 3 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 4 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 6 for Linux, UNIX, and Windows

Solution
Problem was first fixed in DB2 Version 10.1 Fix Pack 1
Workaround
not known / see Local fix
Timestamps
Date  - problem reported    : 25.07.2012
Date  - problem closed      : 17.09.2012
Date  - last modified       : 17.09.2012
Problem solved at the following versions (IBM BugInfos)
Problem solved according to the fixlist(s) of the following version(s)
10.1.0.1 FixList
10.5.0.1 FixList