Db2 (On Premises and Cloud)

Db2 11.5 "GA" versus "Special Build 39398 for 11.5.0.0" : Stabilty ? Security APARs ?

  • 1.  Db2 11.5 "GA" versus "Special Build 39398 for 11.5.0.0" : Stabilty ? Security APARs ?

    Posted Fri January 03, 2020 05:53 AM
    Edited by Erwin Hattingh Thu January 09, 2020 11:11 AM
    For planning and testing purposes, I am desperately waiting for the first FixPack for Db2 v 11.5
    Sadly, so far, only the GA version (v.11.5.0.0) is available (through Passport Advantage) for on-premise Db2 customers.

    By coincidence I found out, there is a "Special Build 39398 for DB2 11.5.0 Fix Pack 0"  (Released 2019/11/12). ( for for Linux/x86-64  https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=special_39398_DB2-linuxx64-universal_fixpack-11.5.0.0-FP000&continue=1 )

    Questions:
    1) When will the first ModPack and/or FixPack for v11.5 arrive (for on-premise customers) ?
    for what I heard, that could be as late as march / april 2020 .... 

    2) What's the difference between the Db2 11.5 GA (11.5.0.0) and this Special Build 39398  ?
    • Is it fully tested by IBM ?   
    if so, why wasn't it simply called  FixPak 1, public available as usual  ..... in https://www.ibm.com/support/pages/download-db2-fix-packs-version-db2-linux-unix-and-windows 
    • what APAR's are fixed ?
    It seems (only) these APAR's , or are there more ? 
    • IT30143: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4584)
    • IT30432: SECURITY: DB2 IS VULNERABLE TO PRIVILEGE ESCALATION (CVE-2019-4587)
    • IT30157: SECURITY: DB2 EXPOSES SENSITIVE INFORMATION WHEN USING ADMIN_CMDWITH LOAD OR UPDATE ALERT CFG (CVE-2019-4524)
    Notice: usually Special Builds are not downloadable for the public, and also undergo limited IBM testing
    (compared to regular Fixpacks and Interim Fix packs , see  https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.trb.doc/doc/c0020824.html  :   Test fix =  a.k.a "special build" )

    3) it is unclear, if "Special Build 39398 for DB2 11.5.0 Fix Pack 0" also includes the Security issues that were fixed in "Db2 Version 11.1 Mod 4 Fix Pack 5" 
    The latest Db2 v11.1.4.5 (Release Date: 28.Nov.2019) includes these Security APARs :
    they only (?) seem applicable for Db2  11.1.x ( internally know as "B10") ,  Db2 11.5  internally is known as "B50"
    • IT29115: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4322)
    • IT29350: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2019-4386)
    • IT28440: SECURITY: DB2 IS VULNERABLE TO A BUFFER OVERFLOW (CVE-2019-4154)
    • IT28267: SECURITY: DB2 DOES NOT EXPLICITLY FORBID A WEAKER THAN EXPECTED 3DES CIPHER WHEN CONFIGURED TO USE SSL (CVE-2019-4102)
    • IT28255: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2019-4101)
    • IT27203: SECURITY: PRIVILEGE ESCALATION DURING ROUTINE EXECUTION IN FENCED MODE (CVE-2019-4057)
    • IT27328: SECURITY: DB2 IS VULNERABLE TO BUFFER OVERFLOW LEADING TO PRIVILEGE ESCALATION (CVE-2019-4014)

    Because of Db2 licensing (PVU versus VPC license) and Costs issues, IBM more or less is enforcing us to upgrade from Db2 v11.1 to v11.5 , and this within 3 months...
    Before that can even happen, of course,  we need (pre)testings of all our applications and server setup.

    Sure hope IBM will deliver the first FixPack for  v11.5 Db2 on-premise very soon !


    regards,
    Erwin Hattingh

    ------------------------------
    Erwin Hattingh
    Systems Engineer / Db2 DBA
    Triodos Bank
    ------------------------------