
Weekly Tip from Experts: Clarification on the security Bulletin for DB2 Accessories Suite CVE-2013-5879

2020-02-23 04:42:50
www.ibm.com

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C


Body

Hello DB2 DBAs

Hope you are having a nice time during this holiday season!

I recently helped a diligent DBA who was concerned about this security bulletin and ended up providing more details. So I wanted to share with you all, especially the ones who end up supporting this Text Search extender.

Here is the link to this tech advisory, which is very cryptic.
/support/pages/node/248107
Security Bulletin: IBM DB2 Accessories Suite for Linux, UNIX and Windows denial of service vulnerability (CVE-2013-5879)

Here are the DBA's questions.
1. How to find out if they have installed the DB2 Accessories Suite on their server?
2. Does the absence of accSuiteRelease.properties indicate the absence of that product? If so, then why should they consider applying the latest release?

Here is the detailed explanation that can help all DBAs who find themselves in that situation :)

A customer cannot install the DB2 Text Search feature through the DB2 Accessories Suite; it comes as part of the DB2 install image. The customer needs the DB2 Accessories Suite to support Rich Text Processing.

So, there are 4 cases:

Case - 1: If the customer has installed DB2, created the DB2 instance and not configured the DB2 instance to use the Text Search feature, then there is no need to worry about this security bulletin.

Case - 2: If the customer has installed DB2, created the DB2 instance and configured the DB2 instance to use the Text Search feature but not installed the Accessory Suite for Rich Text Processing, then in this case also there is no need to worry about this security bulletin.

Case - 3: If the customer has installed DB2, created the DB2 instance, configured the DB2 instance to use the Text Search feature and installed the Accessory Suite for Rich Text but not enabled it, then they might be using rich text processing in the future.

Case - 4: If the customer has installed DB2, created the DB2 instance, configured the DB2 instance to use the Text Search feature, installed the Accessory Suite for Rich Text Processing and also enabled it using richtextTool, then they are already using rich text processing through the stellant libraries.

Of the above 4 cases, if the customer falls under Case - 3 or Case - 4, then they should follow the steps given in the security bulletin.

Question: How can I find out if the DB2 Accessories Suite is installed on the server?

Answer: You should be able to find the stellant directory and the accSuiteRelease.properties file in the path <DB2_install_dir>/db2tss.

Question: Does the absence of accSuiteRelease.properties indicate the absence of that product? If so, then why should they consider applying the latest release?

Answer: No, the absence of the accSuiteRelease.properties file alone does not indicate the absence of that product. If they don't have the stellant libraries or the stellent directory in the path <DB2_install_dir>/db2tss, along with the absence of the accSuiteRelease.properties file, then the customer falls under Case - 2 and there is no need to bother about the security bulletin.

Hope you find the above information useful! Reach out to me if you have any further questions or comments. It is highly appreciated.

Murali
DB2 LUW Technical Support
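
The directory check described in the two answers above, as an added shell example that is not part of the original post or of IBM's bulletin. The function name `acc_suite_status` and its output strings are hypothetical. It accepts both directory spellings used in the post ("stellant" and "stellent"). As an assumption drawn from the second answer, it reports "absent" only when both the directory and the properties file are missing.

```shell
#!/bin/sh
# Added example (not IBM code): report whether the DB2 Accessories Suite
# artifacts named in the post exist under <DB2_install_dir>/db2tss.
#
# Usage: acc_suite_status <DB2_install_dir>
# Prints:
#   "absent dir=0 props=0"   neither artifact found (Case 1 or Case 2)
#   "present dir=D props=P"  at least one artifact found (Case 3 or Case 4)
#   "no-db2tss"              <DB2_install_dir>/db2tss is missing; returns 2
acc_suite_status() {
    tss="$1/db2tss"
    if [ ! -d "$tss" ]; then
        echo "no-db2tss"
        return 2
    fi

    has_dir=0
    has_props=0

    # The post spells the directory both ways, so check for either name.
    for d in stellant stellent; do
        if [ -d "$tss/$d" ]; then
            has_dir=1
        fi
    done

    if [ -f "$tss/accSuiteRelease.properties" ]; then
        has_props=1
    fi

    # Per the second answer, a missing properties file alone proves nothing:
    # only when the directory is missing as well is the suite treated as absent.
    if [ "$has_dir" -eq 0 ] && [ "$has_props" -eq 0 ]; then
        echo "absent dir=0 props=0"
    else
        echo "present dir=$has_dir props=$has_props"
    fi
    return 0
}

# Run the check when the script is called with an install path.
if [ "$#" -gt 0 ]; then
    acc_suite_status "$1"
fi
```

The check cannot tell Case 3 from Case 4, or Case 1 from Case 2; those depend on whether Text Search is configured and whether rich text was enabled with richtextTool, which the post gives no file-level test for.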


UID

ibm13286995

CPE
Name: Db2 for Linux, UNIX and Windows
Operator: eq
Version: any
