August 14, 2012

DB2 for LUW Security Alert

IBM just published this security bulletin aimed at DB2 for LUW users, "Buffer Overflow Vulnerability in IBM DB2 Java Stored Procedure Infrastructure":

"DESCRIPTION: The IBM DB2 products listed... contain a security vulnerability that could allow an authenticated user to exploit a vulnerability in DB2's Java Stored Procedure infrastructure to cause a stack-based buffer overflow and possibly attain remote code execution.

"To exploit the vulnerability the malicious user would need:
1. Valid credential to connect to database
2. CONNECT privilege on database
3. A Java stored procedure to which the user has EXECUTE privilege.

"If you do not have any Java stored procedures installed then you are not affected. To find the names of your Java stored procedures, execute the following SQL statement using the DB2 Command Line Processor (CLP):
"If you have no Java stored procedures installed then you would get back an empty result like the following:
0 record(s) selected. "
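The bulletin's own SQL statement did not survive in the copy above. As an added example (not IBM's statement), the following query goes one step further than a plain inventory: it lists each Java stored procedure together with every user, group or role that holds EXECUTE on it, which is exactly the combination of conditions 2 and 3 the bulletin describes. It assumes the standard DB2 for LUW catalog views SYSCAT.ROUTINES and SYSCAT.ROUTINEAUTH and is meant to be run from the CLP by a user who can read the catalog.

```sql
-- Added example, not IBM's statement: which Java stored procedures exist,
-- and who can execute them. Assumes the DB2 for LUW catalog views
-- SYSCAT.ROUTINES and SYSCAT.ROUTINEAUTH.
SELECT r.ROUTINESCHEMA,
       r.ROUTINENAME,
       r.SPECIFICNAME,
       a.GRANTEETYPE,          -- 'U' user, 'G' group, 'R' role
       a.GRANTEE,              -- 'PUBLIC' means every CONNECT user qualifies
       a.EXECUTEAUTH           -- 'Y' held, 'G' held with GRANT option
FROM   SYSCAT.ROUTINES r
LEFT JOIN SYSCAT.ROUTINEAUTH a
       ON  a.SCHEMA       = r.ROUTINESCHEMA
       AND a.SPECIFICNAME = r.SPECIFICNAME
       AND a.ROUTINETYPE  = r.ROUTINETYPE
       AND a.EXECUTEAUTH IN ('Y', 'G')   -- keep only grants that confer EXECUTE
WHERE  r.ROUTINETYPE = 'P'               -- procedures only, not functions
  AND  r.LANGUAGE    = 'JAVA'
ORDER BY r.ROUTINESCHEMA, r.ROUTINENAME, a.GRANTEE;
```

An empty result set means no Java stored procedures are installed and the instance is not affected; rows whose GRANTEE is PUBLIC are the ones to review first, since every user with CONNECT then meets all three conditions.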
Initially I didn't think this posed a significant risk, because only an authenticated user with access to a Java stored procedure could get far enough to trigger the overflow. However, most security breaches involve people on the inside, so this should be taken seriously. The link above provides details, including a list of affected platforms and a link to the patch that must be installed to correct the vulnerability.

I didn't see any mention of DB2 for z/OS. If you're aware of any security vulnerabilities for DB2 for z/OS, please post a comment.