Security Bulletin: Vulnerability in OpenSSL affects IBM® DB2® LUW (CVE-2015-1788)

Summary

An OpenSSL denial of service vulnerability disclosed by the OpenSSL Project affects GSKit and IBM Tivoli Flash Copy Manager. IBM DB2 LUW uses GSKit & IBM Tivoli Flash Copy Manager and addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2015-1788**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103778 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

This vulnerability affects two components of DB2: SSL support and DB2 Advanced Copy Services.

For DB2 SSL Support
Customers who have Secure Sockets Layer (SSL) support enabled in their DB2 database system or DB2 client are affected. SSL support is not enabled in DB2 by default.

All fix pack levels of IBM DB2 V9.7, V10.1 and V10.5 editions listed below and running on AIX, Linux, HP, Solaris or Windows are affected.

IBM® DB2® Express Edition
IBM® DB2® Workgroup Server Edition
IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition
IBM® DB2® Advanced Workgroup Server Edition
IBM® DB2® Connect™ Application Server Edition
IBM® DB2® Connect™ Enterprise Edition
IBM® DB2® Connect™ Unlimited Edition for System i®
IBM® DB2® Connect™ Unlimited Edition for System z®

IBM® DB2® pureScale™ Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected.

The IBM data server client and driver types are as follows:

IBM Data Server Driver Package
IBM Data Server Driver for ODBC and CLI
IBM Data Server Runtime Client
IBM Data Server Client

For DB2 Advanced Copy Services
IBM DB2 Advanced Copy Services included in IBM DB2 and DB2 Connect V10.1 and V10.5 editions listed below and running on AIX and Linux are affected.

IBM DB2 Express Edition
IBM DB2 Workgroup Server Edition
IBM DB2 Enterprise Server Edition
IBM DB2 Connect™ Application Server Edition
IBM DB2 Connect Application Server Advanced Edition
IBM DB2 Connect Enterprise Edition
IBM DB2 Connect Unlimited Edition for System i®
IBM DB2 Connect Unlimited Edition for System z®
IBM DB2 Connect Unlimited Advanced Edition for System z
IBM DB2 10.1 pureScale Feature
IBM DB2 10.5 Advanced Enterprise Server Edition
IBM DB2 10.5 Advanced Workgroup Server Edition
IBM DB2 10.5 Developer Edition for Linux, Unix and Windows

NOTE: The DB2 Connect products mentioned are affected only if a local database has been created.

Only users of DB2 Advanced Copy Services (snapshot backup) are affected by this vulnerability. IBM DB2 includes restricted version of IBM Tivoli Flash Copy Manager, i.e. FCM v3.2 and v4.1, and both versions are affected by this vulnerability. IBM DB2 Advanced Copy Services in conjunction with IBM Tivoli FCM 3.2 or 4.1, on all current fix packs of IBM DB2 V10.1 and V10.5, are affected. AIX installations of DB2 may have this package installed by default, though it may not be in use on the system.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

Fix for DB2 SSL Support:

For customer running IBM DB2 Server and DB2 Connect Server

The fix for DB2 and DB2 Connect V9.7 is in V9.7 FP11, V10.1 is in V10.1 FP6 and V10.5 is in V10.5 FP7, available for download from Fix Central.

Customers running any vulnerable fixpack level of an affected Program, V9.8 can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.8 FP5. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Refer to the following chart to determine how to proceed to obtain a needed fixpack or special build.

Fix for customer running IBM data server client and driver types

Customers running on V10.5 FP5 and without additional global GSKit version installed, please contact customer support to obtain a special build containing a fix for this issue.

Upgrading of global GSKit is required if either of the following applies to you:
* IBM data server client and driver types V9.7, V10.1 level and any V10.5 level before fixpack 5.
* IBM data server client and driver types V10.5 fixpack 5 and the additionally installed global GSKit version is 8.0.50.46 or less.

Where to obtain the global GSKit depends on the DB2 release and platform:

* IBM data server client and driver types V10.5 fix pack 5 and additionally installed global GSKit version is 8.0.50.46 or less, download "IBM DB2 Support Files for SSL Functionality" from IBM Passport Advantage and perform the GSKit upgrade.
*     * IBM data server client and driver types V9.7, V10.1 level and any V10.5 level before fixpack 5:
  * _Client and the server are on the same physical computer_: For the Windows platform, you do not need to upgrade the GSKit as GSKit is automatically installed with the DB2 server image. For all other platforms, you will need to download "IBM DB2 Support Files for SSL Functionality" from IBM Passport Advantage.
  * _Client and the server are on different computer_: For all platforms, download "IBM DB2 Support Files for SSL Functionality" from IBM Passport Advantage and perform the GSKit upgrade.

The following link gives instructions on downloading “IBM DB2 Support Files for SSL Functionality” from IBM Passport Advantage
http://www-01.ibm.com/support/docview.wss?uid=swg21433407

To know the existing global GSKit version in the current setup, one can run the GSKit version executable eg: gsk8ver_64.

Refer to the following chart below for the proper version of global GSKit

Fix for****DB2 Advanced Copy Services****:

The fix for DB2 and DB2 Connect release V10.1 is in V10.1 FP6 and V10.5 is in V10.5 FP7, available for download from Fix Central.

Refer to the folowing chart to determine how to proceed to obtain a needed fixpack.

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.
Note:_ IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion._

Workarounds and Mitigations

None