home clear 64x64
en blue 200x116 de orange 200x116 info letter User
suche 36x36
Latest versionsfixlist
11.1.0.7 FixList
10.5.0.9 FixList
10.1.0.6 FixList
9.8.0.5 FixList
9.7.0.11 FixList
9.5.0.10 FixList
9.1.0.12 FixList
Have problems? - contact us.
Register for free anmeldung-x26
Contact form kontakt-x26

DB2 - Problem description

Problem IC94757 Status: Closed

SECURITY: UNAUTHORIZED ACCESS TO TABLE VULNERABILITY IN DB2 (CVE-2013-4033)

product:
DB2 FOR LUW / DB2FORLUW / A10 - DB2
Problem description:
DB2 server contain a security vulnerability which could allow an 
authenticated user to temporarily gain SELECT, INSERT, UPDATE or 
DELETE privileges on a table. To exploit the vulnerability, the 
user would need to have a valid security credential to connect 
to the database and EXPLAIN, SQLADM or DBADM authority. 
 
Under unspecified conditions, a user with the above authorities 
will be able to execute a DML statement such as SELECT, INSERT, 
UPDATE and DELETE on a table that they do not have authority 
for. Only DML statements are vulnerable. 
 
The following query will show which user has EXPLAIN / SQLADM / 
DBADM authority but no DATAACCESS authority: 
 
select substr(grantor,1,10) grantor , substr(grantee,1,20) 
grantee , granteetype, explainauth, dbadmauth, sqladmauth, 
dataaccessauth from SYSCAT.DBAUTH where dataaccessauth = 'N' and 
(explainauth = 'Y' or dbadmauth = 'Y' or sqladmauth = 'Y') 
 
GRANTOR GRANTEE GRANTEETYPE EXPLAINAUTH DBADMAUTH SQLADMAUTH 
DATAACCESSAUTH 
---------- -------------------- ----------- ----------- 
--------- ---------- -------------- 
MYSECADM BOB U Y N N N 
MYSECADM ROLE_DBADM R N Y N N 
MYSECADM ROLE_SQLADM R N N Y N 
MYSECADM ROLE_EXPLAIN R Y N N N 
MYSECADM ALEX U N Y N N 
MYSECADM JOHN U N N Y N
Problem Summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* All DB2 systems on all Linux, Unix and Windows platforms at  * 
* service levels Version 10.1 GA  through to Version 10.1 Fix  * 
* Pack 2.                                                      * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Error Description                                        * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 10.1 Fix Pack 3.                      * 
****************************************************************
Local Fix:


available fix packs:


DB2 Version 10.1 Fix Pack 3 for Linux, UNIX, and Windows
 DB2 Version 10.1 Fix Pack 4 for Linux, UNIX, and Windows
 DB2 Version 10.1 Fix Pack 3a for Linux, UNIX, and Windows
 DB2 Version 10.1 Fix Pack 6 for Linux, UNIX, and Windows
 


Solution


The complete fix for this problem first appears in DB2 Version 
10.1 Fix Pack 3 and all the subsequent Fix Packs. 
 
Security Bulletin: Unauthorized Access to Table Vulnerability in 
DB2 (CVE-2013-4033) 
http://www-01.ibm.com/support/docview.wss?uid=swg21646809


Workaround


not known / see Local fix


Timestamps


Date  - problem reported    :
Date  - problem closed      :
Date  - last modified       :

08.08.2013
17.10.2013
16.12.2013


Problem solved at the following versions (IBM BugInfos)




Problem solved according to the fixlist(s) of the following version(s)


10.1.0.3

FixList



10.1.0.3

FixList