
Security Bulletin: Unauthorized Access to user data vulnerability in DB2 during certain LOAD operations (CVE-2014-4805)

2018-06-16 13:06:55
www.ibm.com

EPSS: 0.0004 (Low), percentile 5.1%

Summary

During certain LOAD operations into Columnar Data Engine (CDE) tables, a temporary file containing user data may be created at the DB2 server. As the file only exists for the duration of the LOAD operation and is automatically removed on completion (both success and error), the vulnerability exists only temporarily.

Vulnerability Details

CVE ID: CVE-2014-4805

DESCRIPTION:

While running LOAD into a CDE table, depending on the input source of the LOAD command (more details on this below), DB2 will create a temporary file containing the user data being loaded. The temporary file only exists for the duration of the LOAD command, and is automatically removed on completion (both success and error). Thus, the vulnerability exists only temporarily.

The DB2 LOAD operation creates a temporary file if the input source of the LOAD command into a CDE table is one of the following:
- PIPE
- remote fetch (LOAD from CURSOR from a remote database)
- sourceuserexit (LOAD option to start external program to generate and feed data to LOAD)
- LOAD CLIENT

The temporary file is not created for the following sources:
- file
- LOAD from CURSOR, where CURSOR definition does not include DATABASE clause (i.e. local database)

CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95307> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

All fix pack levels for IBM DB2 V10.5 editions running on AIX and Linux are affected.

IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition

The vulnerability is not applicable to DB2 releases before V10.5.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:

The fix for DB2 and DB2 Connect release V10.5 is in V10.5 FP4, available for download from Fix Central.

Download the fix pack from the following:

| Release | Fixed in fix pack | APAR | Download URL |
| --- | --- | --- | --- |
| V10.5 | FP4 | IT03761 | <http://www.ibm.com/support/docview.wss?uid=swg24038261> |

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Workarounds and Mitigations

The recommended workaround is: do not use the above-mentioned input sources (i.e. PIPE, remote fetch, sourceuserexit, LOAD CLIENT) for the LOAD command into CDE tables.

Alternatively, customers who perform LOAD into CDE tables via the input sources mentioned above should ensure that no users share the instance owner’s group. That is, the instance owner group should contain only one user ID, the instance owner ID.
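
One way to check the second mitigation on an AIX or Linux server, as an added example that is not part of IBM's bulletin: the function below lists every account other than the instance owner that belongs to the owner's group. It assumes the "instance owner group" is the owner's primary group and reads only local passwd and group files; the account and group names in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the bulletin. Assumption: the "instance owner group"
# is the owner's primary group in passwd. Only local files are read, so
# accounts served from LDAP/NIS are not seen.

# usage: extra_group_members OWNER [PASSWD_FILE] [GROUP_FILE]
# Prints every account other than OWNER that is in OWNER's primary group.
extra_group_members() {
    owner=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    # Primary GID of the instance owner (field 4 of its passwd entry).
    gid=$(awk -F: -v u="$owner" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -z "$gid" ]; then
        echo "owner '$owner' not found in $passwd_file" >&2
        return 2
    fi

    {
        # Accounts whose primary group is the owner's group.
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file"
        # Accounts listed as supplementary members of that group.
        awk -F: -v g="$gid" '$3 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
    } | sort -u | grep -v -x -F -- "$owner" || true   # grep exits 1 on no output
}

# Constructed sample data (hypothetical account and group names).
tmp=$(mktemp -d)
printf '%s\n' \
    'db2inst1:x:1001:1001::/home/db2inst1:/bin/sh' \
    'etl:x:1002:1001::/home/etl:/bin/sh' \
    'alice:x:1003:100::/home/alice:/bin/sh' > "$tmp/passwd"
printf '%s\n' \
    'db2iadm1:x:1001:bob,db2inst1' \
    'users:x:100:' > "$tmp/group"

# Any output means the mitigation is not in place for this owner.
extra_group_members db2inst1 "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

Empty output means the group contains only the instance owner; on a real server call the function with the actual instance owner ID and no file arguments.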

CPE

| Name | Operator | Version |
| --- | --- | --- |
| db2 for linux, unix and windows | eq | 10.5 |
