
Security Bulletin: IBM InfoSphere Balanced Warehouse C3000, C4000, and D5100 and IBM Smart Analytics System 1050, 2050, 5600, 5710, 7600, 7700 and 7710 are affected by an unauthorized access to table vulnerability in IBM DB2 (CVE-2013-4033)

2022-09-25 21:06:56
www.ibm.com
EPSS: 0.003 (Low), Percentile: 71.2%

Abstract

A vulnerability in IBM DB2 for Linux, UNIX, and Windows could allow an authenticated user holding EXPLAIN authority to temporarily gain SELECT, INSERT, UPDATE or DELETE privilege on a table.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-4033

IBM InfoSphere Balanced Warehouse C3000, C4000, and D5100 systems and IBM Smart Analytics System 1050, 2050, 5600, 5710, 7600, 7700, and 7710 systems are shipped with either IBM DB2 for Linux, UNIX, and Windows Version 9.7 or Version 10.1. There is a security vulnerability that could allow an authenticated user to temporarily gain SELECT, INSERT, UPDATE or DELETE privileges on a table. To exploit the vulnerability, the user would need to have a valid security credential to connect to the database and EXPLAIN, SQLADM, or DBADM authority. For more information, see: Security Bulletin: Unauthorized Access to Table Vulnerability in DB2 (CVE-2013-4033).

Under unspecified conditions, a user with EXPLAIN, SQLADM, or DBADM authority can execute a DML statement such as SELECT, INSERT, UPDATE and DELETE on a table that they do not have DATAACCESS authority for. Only DML statements are vulnerable.

The following query shows which users have EXPLAIN, SQLADM, or DBADM authority but no DATAACCESS authority:

```sql
-- Grantees holding EXPLAIN, DBADM, or SQLADM authority without DATAACCESS
SELECT
    SUBSTR(grantor, 1, 10) grantor,
    SUBSTR(grantee, 1, 20) grantee,
    granteetype,
    explainauth,
    dbadmauth,
    sqladmauth,
    dataaccessauth
FROM SYSCAT.DBAUTH
WHERE
    dataaccessauth = 'N' AND
    (explainauth = 'Y' OR dbadmauth = 'Y' OR sqladmauth = 'Y');
```

CVSS:
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/86093> for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:
The following products are affected:

IBM InfoSphere Balanced Warehouse C3000
IBM InfoSphere Balanced Warehouse C4000
IBM InfoSphere Balanced Warehouse D5100
IBM Smart Analytics System 1050
IBM Smart Analytics System 2050
IBM Smart Analytics System 5600
IBM Smart Analytics System 5710
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710

REMEDIATION:

For DB2 V9.7 and V10.1 the fix is planned to be made available in future updates.

You can request a special build with an interim patch. Contact your service representative to request the special build and reference the APAR number associated with your product in the following table.

| Release | Versions | APAR | Download URL |
|---|---|---|---|
| IBM InfoSphere Balanced Warehouse C3000, IBM InfoSphere Balanced Warehouse C4000, IBM InfoSphere Balanced Warehouse D5100, IBM Smart Analytics System 1050, IBM Smart Analytics System 2050, IBM Smart Analytics System 5600 V1, IBM Smart Analytics System 5600 V2, IBM Smart Analytics System 5710, IBM Smart Analytics System 7600, IBM Smart Analytics System 7700, IBM Smart Analytics System 7710 | DB2 V9.7 | IC94523 | Contact IBM Support |
| IBM Smart Analytics System 5600 V3 | DB2 V9.7 or DB2 V10.1 | IC94523 | Contact IBM Support |

Contact IBM Support:
* In the United States and Canada dial 1-800-IBM-SERV

WORKAROUND(S) and MITIGATION(S):
None.

REFERENCES:
Complete CVSS Guide
On-line Calculator V2

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None.

CHANGE HISTORY
30 October 2013: Original version published.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

_Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._
