Date: 16 July 2012
References: ESB-2012.0298 ESB-2012.0884 ESB-2012.1005
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0678
Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2
for Linux, UNIX, and Windows Version 9.1 Fix Pack 12
16 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM DB2
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Remote/Unauthenticated
Denial of Service -- Unknown/Unspecified
Unauthorised Access -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2012-2197 CVE-2012-2196 CVE-2012-2194
CVE-2012-0711
Reference: ESB-2012.0298
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21600837
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 9.1 Fix Pack 12
Flash (Alert)
Document information
DB2 for Linux, UNIX and Windows
Installation - Fix Pack
Software version:
9.1
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Reference #:
1600837
Modified date:
2012-07-13
Abstract
Fix Pack 12 for DB2 V9.1 is now available which includes fixes for some
security vulnerabilities. These fixes, where applicable, are also available in
a Fix Pack for DB2 Version 9.5, a Fix Pack for DB2 Version 9.7, a Fix Pack for
DB2 Version 9.8 and a Fix Pack for DB2 Version 10.1.
IBM recommends that you review the APAR descriptions and deploy one of the
above fix packs to correct them on your affected DB2 installations.
Content
A set of security vulnerabilities was discovered in some DB2 database products.
These vulnerabilities were analyzed by the DB2 development organization and a
set of corresponding fixes was created to address the reported issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:
DB2 Enterprise Server Edition
DB2 Workgroup Server (all Editions)
DB2 Express Server (all Editions)
DB2 Personal Edition
DB2 Connect Server (all Editions)
DB2 Client component and DB2 products or components other than those listed
above are not affected.
Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2 Version
9.1, DB2 Version 9.5, DB2 Version 9.7 fix packs and DB2 Version 9.8 fix packs.
Security APARs
V9.1 V9.5 V9.7 V9.8 V10.1
FP12
IC80561 IC80728 (in FP9) IC80729 (in FP6) n/a n/a
SECURITY: REMOTE ESCALATION OF PRIVILEGE VULNERABILITY IN DAS (CVE-2012-0711).
IC84019 IC84711 (forthcoming) IC84714 (forthcoming) IC84715 (forthcoming) IC84716 (forthcoming)
SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY (CVE-2012-2194).
IC84555 IC84752 (forthcoming) IC84753 (forthcoming) IC84754 (forthcoming) IC84755 (forthcoming)
SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED PROCEDURE INFRASTRUCTURE (CVE-2012-2197).
IC84614 IC84712 (forthcoming) IC84748 (forthcoming) IC84750 (forthcoming) IC84751 (forthcoming)
SECURITY: GET_WRAP_CFG_C AND GET_WRAP_CFG_C2 ALLOWS UNAUTHORIZED ACCESS XML FILES (CVE-2012-2196).
HIPER APARs
None.
Special Attention APARs
None.
DB2 fix packs for all supported versions can be downloaded at the following
site: http://www.ibm.com/support/docview.wss?uid=swg27007053
The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and
remain open to suggestions on how to further improve our processes.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUAN8Fu4yVqjM2NGpAQIvzQ/9HYNTzEwdfvTTCRms9uKC3MIKOHaIBpXu
pScce8L11PtWrH9d75NBg22Gi4gyNq/xvWN/mokMcvm6oVd8PhW/VuWnIxe6YTDO
lKsk/u13V3ZRLD+/s3k99h1SFR33bjmp8S3xw0kDJ0DDAohuR2cpEURaP/O2K8HK
Q26RCsUf4Z7EjsOmlIlXIk/9gdFn70ucVaXjtMEWeaobB1xaUJoiow3WD8PmZGCi
Ul+CCKLRxPDUcDaMh4mt2LuuEb0744wy5/WXn43qxy1q6qewan7sZ/6eaa4kQd+M
GALhZuqXljQGQ9pVum1UowSa3XtluKpdKt49lfwAdRZ9FWqWJtHW5ee89GB7kvaj
yuTk92pbis9sklpnEKuqINoyIWuphSvw2xT5UDfEBKugUZeNvilejjvk4Krw88kt
dbgF4Ra3ouhby85nbRBQQvl8Y1G7YPrDFdepClVwV5CGMaFXDw8w6+aBYT2HTEAW
tmUiBz62LK+M+Yjrzocin/5GHIfpOoQPBB+sOu0J9zJl+3CVFf6HtCfzcP2BiEHc
lvciA89fYPARG99qBfzafVd2FB230/h/A8Nxf/Byp1ygAq6N1XXT4CAa7sDOuA58
IVEQ+5XHiOVUzUMTV4FgehhbYxhFERKmWjpMl+kltCgN9zozN7D5Qm9JVc1BEEw/
Fym6IkVKF30=
=9ZBm
-----END PGP SIGNATURE-----
|