Headline
CVE-2008-1997: IZ06972: SECURITY VULNERABILITY IN SYSPROC.ADMIN_SP_C
Unspecified vulnerability in the ADMIN_SP_C2 procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unknown vectors. NOTE: the ADMIN_SP_C issue is already covered by CVE-2008-0699.
APAR status
- Closed as program error.
Error description
- Security vulnerability in SYSPROC.ADMIN_SP_C that allows users to load an arbitrary library and execute arbitrary code on the system. The vulnerability exists on Windows platforms only. This problem was reported to IBM by Martin Rakhmanov of Application Security Inc.
Local fix
- The local fix will be in DB2 V8 fix pack 16.
Problem summary
- See problem description.
Problem conclusion
- First fixed in DB2 UDB Version 8.2, FixPak 9
Temporary fix
Comments
APAR Information
APAR number
IZ06972
Reported component name
DB2 UDB ESE AIX
Reported component ID
5765F4100
Reported release
820
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt
Submitted date
2007-10-21
Closed date
2008-05-02
Last modified date
2008-05-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
IZ06973 IZ06974 IZ06975 IZ07082 IZ07083 IZ07084 IZ07085 IZ07086
IZ07087 IZ07088 IZ08619 IZ09155 IZ10740 IZ10750 IZ10751 IZ10752
IZ10753 IZ10809 IZ10916 IZ11227 IZ11396
Fix information
Fixed component name
DB2 UDB ESE AIX
Fixed component ID
5765F4100
Applicable component levels
R910 PSY UP
R950 PSY UP