|
Problem IC84714
|
Status: Geschlossen |
SECURITY: SQLJ.DB2_INSTALL_JAR DIRECTORY ESCAPE VULNERABILITY (CVE-2012-2194). |
| Produkt: |
DB2 FOR LUW / DB2FORLUW / 970 - DB2 |
| Problembeschreibung: |
The stored procedure SQLJ.DB2_INSTALL_JAR contains a
vulnerability which could be exploited to replace JAR files at
the DB2 server. |
| Problem-Zusammenfassung: |
****************************************************************
* USERS AFFECTED: *
* All DB2 systems on Windows platforms at service levels from *
* Version 9.7 GA through to Version 9.7 Fix Pack 6. *
****************************************************************
* PROBLEM DESCRIPTION: *
* See Security Bulletin: IBM DB2 Security Vulnerability in *
* SQLJ.DB2_INSTALL_JAR (CVE-2012-2194): *
* http://www.ibm.com/support/docview.wss?uid=swg21607622 *
****************************************************************
* RECOMMENDATION: *
* Upgrade to DB2 Version 9.7 Fix Pack 7 or see "Local Fix" *
* portion for other suggestions. *
**************************************************************** |
| Local-Fix: |
Revoke EXECUTE privilege on SQLJ.DB2_INSTALL_JAR from PUBLIC. |
| verfügbare FixPacks: |
DB2 Version 9.7 Fix Pack 7 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 8 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 9 for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 9a for Linux, UNIX, and Windows
DB2 Version 9.7 Fix Pack 10 for Linux, UNIX, and Windows
|
| Lösung |
The complete fix for this problem first appears in DB2 Version
9.7 Fix Pack 7 and all the subsequent Fix Packs. |
| Workaround |
keiner bekannt / siehe Local-Fix |
| Weitere Daten |
Datum - Problem gemeldet :
Datum - Problem geschlossen :
Datum - der letzten Änderung:
| 18.06.2012
20.10.2012
20.10.2012 |
| Problem behoben ab folgender Versionen (IBM BugInfos) |
9.7.FP7
|
| Problem behoben lt. FixList in der Version |
| 9.7.0.7
|
 |
