Db2 (On Premises and Cloud)

Db2 11.5 GA - "Special Build 39711 for 11.5.0.0", Security APARs (Release Date 2020/02/08)


    Posted Fri February 21, 2020 08:21 AM
    Edited by Erwin Hattingh Fri February 21, 2020 08:50 AM
    There is a Special Build 39711 for DB2 11.5.0 Fix Pack 0 (V11.5 GA), Release Date 2020/02/08
    (it's the second SB for V11.5 GA: the previous Special Build 39398 for DB2 11.5.0 Fix Pack 0 was released 2019/11/12)

    Sadly, so far, only the GA version (v.11.5.0.0) is available (through Passport Advantage) for on-premise Db2 customers.

    (Good news, however: this new Special Build 39711 does include the Security APARs that were in the previous Special Build 39398.)

    Fixed Security APARs: IT30143, IT30432, IT30157 and IT31515, IT31637, IT31481, IT31462, IT31520

    - IT30143: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4584)
    - IT30432: SECURITY: DB2 IS VULNERABLE TO PRIVILEGE ESCALATION (CVE-2019-4587)
    - IT30157: SECURITY: DB2 EXPOSES SENSITIVE INFORMATION WHEN USING ADMIN_CMD WITH LOAD OR UPDATE ALERT CFG (CVE-2019-4524)
    - IT31515: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE ATTACK. (CVE-2020-4200)
    - IT31637: SECURITY: DB2 IS VULNERABLE TO MULTIPLE BUFFER OVERFLOWS (CVE-2020-4204)
    - IT31481: SECURITY: DB2 IS VULNERABLE TO A PRIVILEGE ESCALATION ATTACK (CVE-2020-4230)
    - IT31462: SECURITY: DB2 IS VULNERABLE TO DENIAL OF SERVICE ATTACK (CVE-2020-4161)
    - IT31520: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE ATTACK (CVE-2020-4135)


    It can be downloaded from Fix Central, after logging on (the Linux 64-bit, x86_64 tar file):
     http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_39711_DB2-linuxx64-universal_fixpack-11.5.0.0-FP000%3A680752447250358528&includeSupersedes=0

    Notice: Special Builds are not downloadable 'for the public', and also undergo limited IBM testing compared to regular FixPacks

    So, I sure hope IBM will deliver the first FixPack for v11.5 Db2 on-premise very soon ...
    From what I heard, that could be as late as March / April 2020 ...

    ------------------------------
    Erwin Hattingh
    Systems Engineer / Db2 DBA
    Triodos Bank
    ------------------------------