
Work around for db2diag.log vulnerability?

Does anyone have any suggestions for securing against this
vulnerability:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1027

Fixes are not yet available from IBM. They will be in FP2 for V9 and
FP15 for V8.

Would changing the permissions on the db2dump directory so that only
instance owner has access be enough?
Thanks,
Norm

Feb 22 '07 #1
5 Replies


On Feb 22, 1:44 pm, "Norm" <w_nor...@hotmail.com> wrote:
> Does anyone have any suggestions for securing against this
> vulnerability:
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1027
>
> Fixes are not yet available from IBM. They will be in FP2 for V9 and
> FP15 for V8.
>
> Would changing the permissions on the db2dump directory so that only
> instance owner has access be enough?
>
> Thanks,
> Norm

Losing the files on the db2dump directory is not exactly a high
priority fix and has no impact on the operation of the database.

If you are concerned about losing the db2diag.log, then I would
periodically copy it to a secure directory. Most people compress it
every so often under a different name (when the file is not there, DB2
just creates a new one the next time a log entry is required).

Feb 22 '07 #2

Mark A wrote:
> On Feb 22, 1:44 pm, "Norm" <w_nor...@hotmail.com> wrote:
>> Does anyone have any suggestions for securing against this
>> vulnerability:
>>
>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1027
>>
>> Fixes are not yet available from IBM. They will be in FP2 for V9 and
>> FP15 for V8.
>>
>> Would changing the permissions on the db2dump directory so that only
>> instance owner has access be enough?

The description already says that you already need to have the authorization
to change the db2diag.log file. In fact, the db2dump directory is already
writable for the instance owner only.

> Losing the files on the db2dump directory is not exactly a high
> priority fix and has no impact on the operation of the database.
>
> If you are concerned about losing the db2diag.log, then I would
> periodically copy it to a secure directory. Most people compress it
> every so often under a different name (when the file is not there, DB2
> just creates a new one the next time a log entry is required).

Mark, the problem is - if I understood it correctly - not that the
db2diag.log can be lost, but that you can explicitly remove db2diag.log,
create a link in its place, and that link points to some other file. That
other file is now written to, possibly corrupting it.

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Feb 22 '07 #3

On Feb 22, 4:53 pm, Knut Stolze <sto...@de.ibm.com> wrote:
> Mark A wrote:
>> On Feb 22, 1:44 pm, "Norm" <w_nor...@hotmail.com> wrote:
>>> Does anyone have any suggestions for securing against this
>>> vulnerability:
>>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1027
>>> Fixes are not yet available from IBM. They will be in FP2 for V9 and
>>> FP15 for V8.
>>> Would changing the permissions on the db2dump directory so that only
>>> instance owner has access be enough?
>
> The description already says that you already need to have the authorization
> to change the db2diag.log file. In fact, the db2dump directory is already
> writable for the instance owner only.
>
>> Losing the files on the db2dump directory is not exactly a high
>> priority fix and has no impact on the operation of the database.
>> If you are concerned about losing the db2diag.log, then I would
>> periodically copy it to a secure directory. Most people compress it
>> every so often under a different name (when the file is not there, DB2
>> just creates a new one the next time a log entry is required).
>
> Mark, the problem is - if I understood it correctly - not that the
> db2diag.log can be lost, but that you can explicitly remove db2diag.log,
> create a link in its place, and that link points to some other file. That
> other file is now written to, possibly corrupting it.
>
> --
> Knut Stolze
> DB2 z/OS Utilities Development
> IBM Germany

I'm not so concerned about losing db2diag.log. The security
vulnerability seems to indicate that having local access to the file
system is enough to get your privileges elevated by a symbolic link
attack. Since the patches are not available for download, I was
wondering if there was some kind of temporary measure.

Norm

Feb 23 '07 #4

Norm wrote:
>> Mark, the problem is - if I understood it correctly - not that the
>> db2diag.log can be lost, but that you can explicitly remove db2diag.log,
>> create a link in its place, and that link points to some other file.
>> That other file is now written to, possibly corrupting it.
>
> I'm not so concerned about losing db2diag.log. The security
> vulnerability seems to indicate that having local access to the file
> system is enough to get your privileges elevated by a symbolic link
> attack. Since the patches are not available for download, I was
> wondering if there was some kind of temporary measure.

Again, unless I really got something wrong (anyone?), you don't have the
problem you're anticipating. Only the DB2 instance owner (or root) can
remove the db2diag.log file and create a symbolic link in its place, which
would point to another file.

So I don't see any urgent need to get this fixed now. It should (and will)
be fixed. I assume that you manage and control who has instance owner
privileges and who has root privileges on your system, and that you can
trust those people. If not, you have much more serious problems anyway...

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Feb 23 '07 #5

On Feb 23, 10:15 am, Knut Stolze <sto...@de.ibm.com> wrote:
> Norm wrote:
>>> Mark, the problem is - if I understood it correctly - not that the
>>> db2diag.log can be lost, but that you can explicitly remove db2diag.log,
>>> create a link in its place, and that link points to some other file.
>>> That other file is now written to, possibly corrupting it.
>> I'm not so concerned about losing db2diag.log. The security
>> vulnerability seems to indicate that having local access to the file
>> system is enough to get your privileges elevated by a symbolic link
>> attack. Since the patches are not available for download, I was
>> wondering if there was some kind of temporary measure.
>
> Again, unless I really got something wrong (anyone?), you don't have the
> problem you're anticipating. Only the DB2 instance owner (or root) can
> remove the db2diag.log file and create a symbolic link in its place, which
> would point to another file.
>
> So I don't see any urgent need to get this fixed now. It should (and will)
> be fixed. I assume that you manage and control who has instance owner
> privileges and who has root privileges on your system, and that you can
> trust those people. If not, you have much more serious problems anyway...
>
> --
> Knut Stolze
> DB2 z/OS Utilities Development
> IBM Germany

Here's an excerpt of the problem description:

Description:
Some vulnerabilities have been reported in IBM DB2, which can be
exploited by malicious, local users to gain escalated privileges.

1) Some vulnerabilities are caused due to several DB2 binaries
accessing files insecurely and having the setuid bit set. This can be
exploited to create or append data to arbitrary files via symlink
attacks.

2) A vulnerability is caused due to several DB2 binaries accessing
files insecurely and having the setuid bit set. This can be exploited
to create or append data to arbitrary files via symlink attacks and
supplying the DB2INSTANCE environment variable.

Successful exploitation of (1) and (2) allows gaining root privileges.

I found this a bit vague. I looked at the db2dump directory and it
didn't use any symbolic links. The db2diag.log file has permissions
for the instance owner. The links to the IBM site point to a page
with a missing document that explains the APAR.

Norm

Feb 24 '07 #6
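
The checks discussed in this thread (who owns and can write to the db2dump directory, whether it contains links, and which binaries carry the setuid bit) can be scripted. The following is an added example, not part of any post above and not IBM tooling; the function names are hypothetical, and the directory, owner and install tree are arguments supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). DIR, OWNER and TREE come from the caller;
# the function names are hypothetical.

# audit_diag_dir DIR OWNER
# Prints one line per finding; returns the number of findings (0 = clean).
audit_diag_dir() {
    dir=$1; owner=$2; n=0
    # A diagnostic directory that is itself a link can be redirected wholesale.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FINDING: $dir is a symlink or not a directory"
        return 1
    fi
    # -prune restricts find to the directory entry itself.
    if [ -z "$(find "$dir" -prune -user "$owner")" ]; then
        echo "FINDING: $dir is not owned by $owner"; n=$((n + 1))
    fi
    # Group/other write means accounts besides the owner can add entries here.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FINDING: $dir is group- or world-writable"; n=$((n + 1))
    fi
    # A link in place of a log file redirects whatever a privileged process appends.
    links=$(find "$dir" -type l -print)
    if [ -n "$links" ]; then
        echo "FINDING: symbolic links under $dir:"; echo "$links"; n=$((n + 1))
    fi
    # Extra hard links give the same file a second name, possibly outside DIR.
    hard=$(find "$dir" -type f -links +1 -print)
    if [ -n "$hard" ]; then
        echo "FINDING: files with more than one hard link:"; echo "$hard"; n=$((n + 1))
    fi
    return "$n"
}

# list_setid TREE
# Prints setuid/setgid regular files under TREE so they can be reviewed.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Stand-alone use: sh audit.sh DIR OWNER
if [ "$#" -eq 2 ]; then
    audit_diag_dir "$1" "$2"
fi
```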
