ESB-2017.3187 - [Win][Linux][HP-UX][Solaris][AIX] IBM DB2: Multiple vulnerabilities 2017-12-14

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3187
             Multiple serious vulnerabilities fixed in IBM DB2
                             14 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Root Compromise                 -- Existing Account            
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Existing Account            
                   Overwrite Arbitrary Files       -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1520 CVE-2017-1519 CVE-2017-1451
                   CVE-2017-1439 CVE-2017-1438 CVE-2017-1434
                   CVE-2017-1297 CVE-2017-1134 CVE-2017-1105
                   CVE-2016-9842 CVE-2016-9841 CVE-2016-9840
                   CVE-2016-4463 CVE-2016-2985 CVE-2016-2984
                   CVE-2016-2183 CVE-2016-2118 CVE-2016-2115
                   CVE-2016-2114 CVE-2016-2113 CVE-2016-2112
                   CVE-2016-2111 CVE-2016-2110 CVE-2016-0729
                   CVE-2016-0392 CVE-2016-0361 CVE-2016-0263
                   CVE-2015-7560 CVE-2015-5370 

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21994955

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities, HIPER and Special Attention APARs fixed in DB2 for
Linux, UNIX, and Windows Version 11.1

Flash (Alert)

Document information

Software version: 11.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1994955

Modified date: 12 December 2017

Abstract

This document contains a list of fixes for Security and HIPER APARs in DB2
Version 11.1.

Content

A set of security vulnerabilities was discovered in some DB2 database products.
These vulnerabilities were analyzed by the DB2 development organization and a
set of corresponding fixes was created to address the reported issues. IBM is
not currently aware of any externally reported incidents where production DB2
installations have been compromised due to these issues.
The affected DB2 UDB for Linux, UNIX, and Windows products are:

DB2 Connect Server (all Editions)
DB2 Developer Edition
DB2 Enterprise Server (all Editions)
DB2 Express Server (all Editions)
DB2 Workgroup Server (all Editions)

DB2 Client component and DB2 products or components other than those listed
above are not affected.

Due to the complexity of the fixes required to eliminate the reported service
issues, it is not feasible to retrofit the same fixes into earlier DB2 Version
11.1 fix packs.


                    DB2 Version 11.1 Fix Pack m2ifx002
HIPER APARs
IJ00193 PARALLEL IXSCANS FOR COLUMN-ORGANIZED TABLES MIGHT CAUSE AN ABEND/
        WRONG RESULTS IF UPDATE ACTIVITY OCCURS IN THE SAME CONNECTION
IT21948 DB2 MAY RETURN WRONG RESULTS WITH ORACLE COMPATIBILITY AND SUBSTR
IT21985 DOING LIKE ON A CODEUNITS32 FIXED LENGTH COLUMN IN THE COLUMNAR
        ORGANIZED TABLE COULD RETURN AN INCORRECT RESULT
IT22013 WRONG RESULT IS POSSIBLE WHEN CODEUNITS 32 IS USED IN A ROW DATA
        TYPE ASSIGNMENT AND CAST IS USED
IT22345 WRONG RESULT WHEN EXPRESSION ON JOIN COLUMN
IT22386 DB2 : IF ANY COMMAND WITH RECLAIM EXTENTS OPTION IS RUN ON AN MDC
        TABLE DURING A BACKUP, A ROLLFORWARD ON IT COULD FAIL
IT22750 POSSIBLE WRONG RESULTS WITH VARCHAR_FORMAT WHEN USING 'DY DDD YYYY'
        FORMAT
IV97845 A QUERY AGAINST COLUMNAR ORGANIZED TABLE AND ARITHMETIC ON BOTH
        TIME AND DECIMAL DATATYPES MAY RETURN INCORRECT RESULT
IV99561 RARE TRAP DURING  CDE HASH JOIN WHEN DATA VOLUME ON THE INNER OF
        THE JOIN IS EXTREMELY LARGE


                    DB2 Version 11.1 Fix Pack m2ifx001
Security APARs
IT21140 SECURITY: ESCALATION TO ROOT VULNERABILITY IN DB2.
IT21347 SECURITY: CONNECTION STRING DISPLAYED IN ERROR MESSAGE
IT21364 ESCALATION TO ROOT VULNERABILITY IN DB2.
IT21455 SECURITY: DB2CONNECT SERVER CAN CRASH UNDER SPECIFIC CONDITIONS.
IT21458 SECURITY: DB2 CAN BE USED TO OVERWRITE ARBITRARY FILES OWNED BY DB2
        INSTANCE
IT21459 SECURITY: USER WITHOUT PROPER AUTHORITY CAN ACTIVATE DATABASE.
HIPER APARs
IT18136 INSERT QUERY THAT HAS A COLUMN VALUE GENERATED USING TRIGGER COULD
        PRODUCE WRONG RESULTS OR SQL0407N
IT19976 SQL QUERIES WITH IN OR NOT IN CLAUSE MAY PRODUCE INCORRECT RESULTS
        FOR A COLUMN-ORGANIZED TABLE
IT20438 INCORRECT RESULT OR SQL0811N ARE POSSIBLE WHEN SQL CONTAINS SCALAR
        NOT EXISTS SUBQUERY
IT20518 IN DPF, WHEN UNIQUE TQ IS PRESENT IN THE PLAN AND SPECIAL INTERNAL
        PERF OPT IS HAPPENING, POSSIBLE DUPLICATE VALUES RETURNED
IT20720 TRUNCATING CAST  TO (VAR)CHAR AGAINST A COLUMNAR ORGANIZED TABLE
        COULD RETURN DANGLING BYTE INSTEAD OF A BLANK CHARACTER.
IT20786 INCORRECT RESULT POSSIBLE WHEN CASE AND ANOTHER PREDICATE  HAVE THE
        SAME COMPARISON OPERATION
IT21100 UPDATE OF UNIQUE COLUMNS MIGHT RESULT IN DUPLICATES IN A TABLE WITH
        A UNIQUE INDEX


                        DB2 Version 11.1 Fix Pack 2
Security APARs
IT17647 SECURITY: VULNERABILITY IN GSKIT AFFECTS IBM DB2 (CVE-2016-2183)
IT20462 SECURITY: TSAMP PRIVILEGE ESCALATION VULNERABILITY AFFECTS DB2
        (CVE-2017-1134)
IT20562 SECURITY: DB2 CLP WILL TRAP IF IT IS PASSED A ROUTINE NAME GREATER
        THAN THE ALLOWED MAXIMUM LENGTH (CVE-2017-1297).
IT20563 SECURITY: BUFFER OVERFLOW THAT COULD ALLOW A LOCAL USER TO
        OVERWRITE DB2 FILES OR CAUSE A DENIAL OF SERVICE (CVE-2017-1105).
IT20566 SECURITY: DB2 IS AFFECTED BY VULNERABILITIES IN COMPRESSION
        ROUTINES.
HIPER APARs
IT17787 SQL STATEMENT WITH AN EXISTS PREDICATE AND A JOIN INVOLVING
        NON-DETERMINISTIC CORRELATED SUBQUERY MAY RETURN MORE ROWS
IT17894 PREDICATE COMPARING SUBSTR ON CODEUNITS32 COLUMN IN THE COLUMNAR
        ORGANIZED TABLE TO HOST VAR COULD RETURN AN INCORRECT RESULT
IT18021 INCORRECTLY GENERATED DERIVED PREDICATES MIGHT CAUSE INCORRECT QUERY
        RESULTS DUE TO TRAILING BLANKS
IT18083 WRONG RESULTS AGAINST COLUMN ORGANIZED TABLE ARE POSSIBLE WITH
        EXPANDING JOIN PLAN
IT18101 AN SQL STATEMENT IN A PARTITIONED DATABASE ENV CONTAINING THE
        ROW_NUMBER() OVER() OPERATION MIGHT PRODUCE INCONSISTENT RESULTS
IT18170 WRONG RESULT IS POSSIBLE IF GENERATED ALWAYS EXPRESSION REFERENCES
        A BUILT-IN FUNCTION WITH MORE THAN ONE STRING INPUT
IT18204 WRONG RESULT IS POSSIBLE IN ORACLE COMPATIBILITY MODE UNICODE DB
        WHEN COMPARING A CHAR COLUMN WITH A GRAPHIC CONSTANT
IT18381 DB2 MAY RETURN INCORRECT RESULTS IF USING A CASE STATEMENT TO
        COMPARE FIXED CHAR/GRAPHIC STRINGS IN VARCHAR2 COMPATIBILITY MODE
IT18502 DB2 MAY RETURN SQLCODE:-901 OR RETURN WRONG RESULTS ON QUERIES WITH
        PLANS THAT INVOLVE SORT ON AN ENCRYPTED DATABASE
IT18506 DB2 CAN RETURN WRONG RESULTS WHEN USING THE SPECIAL REGISTER
        'CURRENT DECFLOAT ROUNDING MODE' IN A QUERY IN AN MPP ENVIRONMENT
IT18742 TRUNC ON MINIMUM  INTEGER VALUE MIGHT RETURN 0 WHEN (VALUE, -X) IS
        DONE
IT18797 PURESCALE: QUERY MIGHT RETURN WRONG RESULT WHEN INPLACE (ONLINE)
        TABLE REORGANIZATION IS RUNNING
IT19197 DB2 MIGHT PRODUCE INCORRECT RESULT WHEN EXECUTING XQUERY WITH
        MULTIPLE OR SUBTERMS
IT19608 DB2 MAY CONVERT VIEW COLUMN TYPES INCORRECTLY OR RETURN SQL0418N
        UPON REVALIDATION OF A VIEW WITH UNTYPED EXPRESSIONS
IT19796 COMPILED COMPOUND SQL OR A PL/SQL ANONYMOUS BLOCK CAN DELETE ALL
        ROWS OF A ON COMMIT DELETE ROWS TEMPORARY TABLE
IT20463 INCORRECT RESULTS ARE POSSIBLE WHEN CONCURRENT QUERIES ACCESS
        COLUMNAR ORGANIZED TABLES AND USE  CS ISOLATION
IT20661 WRONG RESULTS MIGHT OCCUR WHEN SCALAR SUB-QUERY IS ON THE LEFT HAND
        SIDE OF A NOT IN PREDICATE
IV91752 THE FIRST UPDATE STATEMENT FOR A COLUMN-ORGANIZED TABLE MAY IN RARE
        CASES CAUSE FUTURE QUERIES TO MISS SOME MATCHING RESULTS
IV93080 WRONG RESULT IS POSSIBLE WHEN COLUMNAR TABLES ARE INVOLVED IN A
        PLAN WITH A UNION AND CSE IS PUSHED DOWN ON TO CDE


                        DB2 Version 11.1 Fix Pack 1
Security APARs
IT15579 SECURITY: DB2 IS AFFECTED BY OPEN SOURCE APACHE XERCES-C XML PARSER
        VULNERABILITIES (CVE-2016-0729)
IT16324 SECURITY: DB2 PURESCALE AFFECTED BY MULTIPLE VULNERABILITIES IN
        GPFS
IT17012 SECURITY: ELEVATED PRIVILEGES WITH DB2 EXECUTABLES (CVE-2016-5995)
IT17530 SECURITY: DB2 PURESCALE AFFECTED BY A VULNERABILITY IN GPFS
        (CVE-2016-2119)
HIPER APARs
IT16112 A CORRELATED SCALAR SUBQUERY IN AN UPDATE STATEMENT MAY NOT
        CORRECTLY RETURN SQL0811N
IT16385 DB2 DATA SERVER CLIENT SILENT INSTALL FAILS WITH ERROR: PRODUCT:
        IBM DATA SERVER CLIENT - DB2COPY1 -- ERROR 1314
IT16656 SQL0801 AND WRONG RESULTS FROM STDDEV_SAMP, VARIANCE_SAMP,
        COVARIANCE_SAMP WHEN USED IN AN OLAP SPECIFICATION
IT16703 DB2 MAY RETURN INCORRECT RESULTS WHEN USING STRING EQUALITY
        PREDICATES CONTAINING DIFFERING CODE UNITS
IT16869 SELECT ROW CHANGE TOKEN WILL RETURN WRONG RESULT WHEN USING RIDSCAN
        (ROW IDENTIFIER SCAN)
IT16893 ONLINE BACKUP WITH COMPRESSION AND ENCRYPTION MAY CREATE A
        CORRUPTED BACKUP FILE
IT17179 IF ARRAY USED IN AN OPEN CURSOR IS MODIFIED THEN WRONG RESULT OR A
        TRAP ARE POSSIBLE
IT17452 WRONG RESULT IN STORED PROCEDURE QUERY WHEN ADD/DROP CHECK
        CONSTRAINT
IT17458 IN DB2 DPF, POSSIBLE WRONG RESULT WHEN OUTER JOIN PREDICATE COL1=
        COL2 AND BOTH COLUMNS ARE FROM THE OUTER TABLE
IT17489 SELECT AGAINST AN MDC TABLE WITH A RANGE PREDICATE IN SMP MIGHT
        RETURN A WRONG RESULT
IT17556 INCORRECT RESULTS ARE POSSIBLE WHEN JOIN AGAINST CDE TABLES IS DONE
         AND AN UNDOCUMENTED JOIN SUPPORT REGISTRY VARIABLE SET
IT17941 POSSIBLE WRONG RESULTS WHEN THE INPUT PARAMETERS OF AN INLINED SQL
        SCALAR UDF CONTAINS AN OLAP SPECIFICATION
IV90269 QUERIES WITH MULTIPLE OLAP CLAUSES AND DISTINCT AGAINST COLUMN
        ORGANIZED TABLES COULD RETURN WRONG RESULTS
IV90750 INCORRECT RESULTS ARE POSSIBLE WHEN MULTIPLE ROW_NUMBER() , INLINED
        SQL SCALAR UDF AND COLUMN ORGANIZED TABLES ARE PRESENT




DB2 fix packs for all supported versions can be downloaded at the following
site: http://www.ibm.com/support/docview.wss?uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and remain
open to suggestions on how to further improve our processes.

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
