|
Problem IC99480
|
Status: Closed |
SECURITY: VULNERABILITY IN STORED PROCEDURE INFRASTRUCTURE CAN ALLOW ESCALATION OF PRIVILEGE TO ADMINISTRATOR (CVE-2013-6744). |
| product: |
DB2 FOR LUW / DB2FORLUW / A10 - DB2 |
| Problem description: |
There is a security vulnerability in the Stored Procedure
Infrastructure that will allow a malicious user to gain
administrator privilege on the server. This vulnerability is
only applicable to DB2 on Windows.
To exploit the vulnerability, the DB2 user will need to have
CREATE_EXTERNAL_ROUTINE privilege which is by default not
granted to PUBLIC. |
| Problem Summary: |
****************************************************************
* USERS AFFECTED: *
* All DB2 Servers on Windows platforms at service levels from *
* Version 10.1 GA through to Version 10.1 Fix Pack 3. *
****************************************************************
* PROBLEM DESCRIPTION: *
* See Error Description *
****************************************************************
* RECOMMENDATION: *
* See security bulletin: *
* http://www-01.ibm.com/support/docview.wss?uid=swg21673947 *
**************************************************************** |
| Local Fix: |
Revoke CREATE_EXTERNAL_ROUTINE from all users and only grant the
privilege to trusted users. |
| available fix packs: |
DB2 Version 10.1 Fix Pack 4 for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Version 10.1 Fix Pack 6 for Linux, UNIX, and Windows
|
| Solution |
See security bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21673947 |
| Workaround |
not known / see Local fix |
| Timestamps |
Date - problem reported :
Date - problem closed :
Date - last modified :
| 19.02.2014
23.05.2014
06.06.2014 |
| Problem solved at the following versions (IBM BugInfos) |
|
| Problem solved according to the fixlist(s) of the following version(s) |
| 10.1.0.4
|
 |
