Security Advisory: DB2 UDB - FDOCA Manipulation DoS Attack

January 2, 2010


DB2 Universal Database (UDB)™ is a popular database software package from IBM available for legacy platforms as well as open systems (Unix and Windows). Clients use a protocol called DRDA to communicate with the DB2 UDB server. Protocol messages are used for session setup, authentication and data transfer.


Imperva's Application Defense Center is conducting an extensive research of the DRDA protocol and its implementation. As part of the research the team has identified vulnerability in an FD:OCA data object structure that allows an attacker to terminate the DB2 UDB's service, effectively denying service from all database users.


An attacker can send a specially crafted FDODTA object when performing a DB2 load action, causing the server process to crash.


A DB2 load command consists of several commands and objects passed between the client and the DB2 UDB server. As part of this communication sequence, the client sends the EXCSQLSTT (Execute SQL Statement) data object containing the PRCNAM (Procedure Name) object which corresponds to the DB2 ADMIN_CMD procedure. Following such a chain, is another chain with the same Request Correlation Identifier which contains the corresponding SQLDTA (SQL Program Variable Data) object. The SQLDTA contains a FDODSC - a FDOCA data descriptor object, followed by the FDODTA object which contains the data that the FDODSC describes. Under normal conditions, the value 0xA6 is passed as the first parameter to this object. However, manipulation of this parameter with different values such as 0x16, 0x46, 0x57 and possibly other values causes the server to terminate unexpectedly.


Send a DB2 load command to the DB2 UDB server. When the client sends the EXCSQLSTT object, change the value of the first parameter of the corresponding FDODTA object to a different value, such as 0x46. We note that not all values cause a server crash.

Vulnerability ID



  • All DB2 systems on all Linux, Unix and Windows platforms at service levels from Version 9.1 GA through to Version 9.1 Fix Pack 7
  • All DB2 systems on all Linux, Unix and Windows platforms at service levels from Version 9.5 GA through to Version 9.5 Fix Pack 4
  • All DB2 systems on all Linux, Unix and Windows platforms at service levels from Version 9.7 GA

Vendor's Status

Vendor notified on December 22, 2008
Fixed on December 15, 2009



  • Upgrade to DB2 Version 9.1 Fix Pack 8
  • Upgrade to DB2 Version 9.5 Fix Pack 5
  • Upgrade to DB2 Version 9.7 Fix Pack 1


The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, for permission.