home clear 64x64
en blue 200x116 de orange 200x116 info letter User
suche 36x36
Latest versionsfixlist
11.1.0.7 FixList
10.5.0.9 FixList
10.1.0.6 FixList
9.8.0.5 FixList
9.7.0.11 FixList
9.5.0.10 FixList
9.1.0.12 FixList
Have problems? - contact us.
Register for free anmeldung-x26
Contact form kontakt-x26

DB2 - Problem description

Problem IC94523 Status: Closed

SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)

product:
DB2 FOR LUW / DB2FORLUW / 970 - DB2
Problem description:
DB2 server contain a security vulnerability which could allow an 
authenticated user to temporarily gain SELECT, INSERT, UPDATE or 
DELETE privileges on a table. To exploit the vulnerability, the 
user would need to have a valid security credential to connect 
to the database and EXPLAIN, SQLADM or DBADM authority. 
 
Under unspecified conditions, a user with the above authorities 
will be able to execute a DML statement such as SELECT, INSERT, 
UPDATE and DELETE on a table that they do not have authority 
for. Only DML statements are vulnerable. 
 
The following query will show which user has EXPLAIN / SQLADM / 
DBADM authority but no DATAACCESS authority: 
 
select substr(grantor,1,10) grantor , substr(grantee,1,20) 
grantee , granteetype, explainauth, dbadmauth, sqladmauth, 
dataaccessauth from SYSCAT.DBAUTH where dataaccessauth = 'N' and 
(explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y') 
 
GRANTOR GRANTEE GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH 
DATAACCESSAUTH 
---------- -------------------- ----------- ----------- 
--------- ---------- -------------- 
MYSECADM BOB U Y N N N 
MYSECADM ROLE_DBADM R N Y N N 
MYSECADM ROLE_SQLADM R N N Y N 
MYSECADM ROLE_EXPLAIN R Y N N N 
MYSECADM ALEX U N Y N N 
MYSECADM JOHN U N N Y N
Problem Summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* All DB2 systems on all Linux, Unix and Windows platforms at  * 
* service levels Version 9.7 GA  through to Version 9.7 Fix    * 
* Pack 8.                                                      * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Error Description                                        * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 9.7 Fix Pack 9.                       * 
****************************************************************
Local Fix:


available fix packs:


DB2 Version 9.7 Fix Pack 9 for Linux, UNIX, and Windows
 DB2 Version 9.7 Fix Pack 9a for Linux, UNIX, and Windows
 DB2 Version 9.7 Fix Pack 10 for Linux, UNIX, and Windows
 


Solution


The complete fix for this problem first appears in DB2 Version 
9.7 Fix Pack 9 and all the subsequent Fix Packs. 
 
Security Bulletin: Unauthorized Access to Table Vulnerability in 
DB2 (CVE-2013-4033) 
http://www-01.ibm.com/support/docview.wss?uid=swg21646809


Workaround


not known / see Local fix


BUG-Tracking


forerunner  : APAR is sysrouted TO one or more of the following: IC94756 IC94757 IC94758 
follow-up : 


Timestamps


Date  - problem reported    :
Date  - problem closed      :
Date  - last modified       :

31.07.2013
16.12.2013
16.12.2013


Problem solved at the following versions (IBM BugInfos)


9.7.FP9



Problem solved according to the fixlist(s) of the following version(s)


9.7.0.9

FixList



9.7.0.9

FixList