|
Problem IC99481
|
Status: Closed |
SECURITY: VULNERABILITY IN STORED PROCEDURE INFRASTRUCTURE CAN ALLOW ESCALATION OF PRIVILEGE TO ADMINISTRATOR (CVE-2013-6744). |
| product: |
DB2 FOR LUW / DB2FORLUW / A50 - DB2 |
| Problem description: |
There is a security vulnerability in the Stored Procedure
Infrastructure that will allow a malicious user to gain
administrator privilege on the server. This vulnerability is
only applicable to DB2 on Windows.
To exploit the vulnerability, the DB2 user will need to have
CREATE_EXTERNAL_ROUTINE privilege which is by default not
granted to PUBLIC.
See security bulletin for details:
http://www.ibm.com/support/docview.wss?uid=swg21673947 |
| Problem Summary: |
****************************************************************
* USERS AFFECTED: *
* All DB2 Servers on Windows platforms at service levels from *
* Version 10.5 GA through to Version 10.5 Fix Pack 3. *
****************************************************************
* PROBLEM DESCRIPTION: *
* See Error Description *
****************************************************************
* RECOMMENDATION: *
* Upgrade to DB2 Version 10.5 Fix Pack 3a or see "Local Fix" *
* portion for other suggestions. *
**************************************************************** |
| Local Fix: |
Revoke CREATE_EXTERNAL_ROUTINE from all users and only grant the
privilege to trusted users. |
| available fix packs: |
DB2 Version 10.5 Fix Pack 3a for Linux, UNIX, and Windows
DB2 Cancun Release 10.5.0.4 (also known as Fix Pack 4) for Linux, UNIX, and Windows
DB2 Version 10.5 Fix Pack 9 for Linux, UNIX, and Windows
|
| Solution |
The complete fix for this problem first appears in DB2 Version
10.5 Fix Pack 3a and all the subsequent Fix Packs. |
| Workaround |
not known / see Local fix |
| Timestamps |
Date - problem reported :
Date - problem closed :
Date - last modified :
| 19.02.2014
23.05.2014
23.05.2014 |
| Problem solved at the following versions (IBM BugInfos) |
|
| Problem solved according to the fixlist(s) of the following version(s) |
