Date: 16 July 2012
References: ESB-2012.0298 ESB-2012.0884 ESB-2012.1005
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2
for Linux, UNIX, and Windows Version 9.1 Fix Pack 12
16 July 2012
AusCERT Security Bulletin Summary
Product: IBM DB2
Operating System: AIX
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Remote/Unauthenticated
Denial of Service -- Unknown/Unspecified
Unauthorised Access -- Unknown/Unspecified
CVE Names: CVE-2012-2197 CVE-2012-2196 CVE-2012-2194
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 9.1 Fix Pack 12
DB2 for Linux, UNIX and Windows
Installation - Fix Pack
AIX, HP-UX, Linux, Solaris, Windows
Fix Pack 12 for DB2 V9.1 is now available which includes fixes for some
security vulnerabilities. These fixes, where applicable, are also available in
a Fix Pack for DB2 Version 9.5, a Fix Pack for DB2 Version 9.7, a Fix Pack for
DB2 Version 9.8 and a Fix Pack for DB2 Version 10.1.
IBM recommends that you review the APAR descriptions and deploy one of the
above fix packs to correct them on your affected DB2 installations.
A set of security vulnerabilities was discovered in some DB2 database products.
These vulnerabilities were analyzed by the DB2 development organization and a
set of corresponding fixes was created to address the reported issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:
DB2 Enterprise Server Edition
DB2 Workgroup Server (all Editions)
DB2 Express Server (all Editions)
DB2 Personal Edition
DB2 Connect Server (all Editions)
DB2 Client component and DB2 products or components other than those listed
above are not affected.
Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2 Version
9.1, DB2 Version 9.5, DB2 Version 9.7 fix packs and DB2 Version 9.8 fix packs.
V9.1 V9.5 V9.7 V9.8 V10.1
IC80561 IC80728 (in FP9) IC80729 (in FP6) n/a n/a
SECURITY: REMOTE ESCALATION OF PRIVILEGE VULNERABILITY IN DAS (CVE-2012-0711).
IC84019 IC84711 (forthcoming) IC84714 (forthcoming) IC84715 (forthcoming) IC84716 (forthcoming)
SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY (CVE-2012-2194).
IC84555 IC84752 (forthcoming) IC84753 (forthcoming) IC84754 (forthcoming) IC84755 (forthcoming)
SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED PROCEDURE INFRASTRUCTURE (CVE-2012-2197).
IC84614 IC84712 (forthcoming) IC84748 (forthcoming) IC84750 (forthcoming) IC84751 (forthcoming)
SECURITY: GET_WRAP_CFG_C AND GET_WRAP_CFG_C2 ALLOWS UNAUTHORIZED ACCESS XML FILES (CVE-2012-2196).
Special Attention APARs
DB2 fix packs for all supported versions can be downloaded at the following
The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and
remain open to suggestions on how to further improve our processes.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----