Vigil@nce - IBM DB2: information disclosure via monitoring/audit
May 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can use the monitoring/audit feature of
IBM DB2 to obtain sensitive information.
Impacted products: DB2 UDB
Severity: 1/4
Creation date: 04/05/2015
DESCRIPTION OF THE VULNERABILITY
The IBM DB2 product supports:
– federated DDL (CREATE SERVER, CREATE/ALTER USER MAPPING)
– ENCRYPT/DECRYPT UDFs
The text of these statements contains passwords.
However, when monitoring or auditing is enabled, an
authenticated attacker can read these passwords.
An authenticated attacker can therefore use the monitoring/audit
feature of IBM DB2 to obtain sensitive information.
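Added example (not part of the Vigil@nce bulletin and not IBM code): a
Python filter that masks the password literal in the statement classes
listed in the description, for use on statement text exported from
monitoring or audit output before it is stored or shared. The regular
expressions, rule names and sample statements are constructed for this
example.

```python
import re

# Option and function names (PASSWORD, REMOTE_PASSWORD, ENCRYPT, DECRYPT_BIN,
# DECRYPT_CHAR) are DB2 SQL; the regexes are an assumption of this example and
# do not handle a first UDF argument that itself contains commas or parentheses.
QUOTED = r"""(?:'(?:[^']|'')*'|"(?:[^"]|"")*")"""
FLAGS = re.I | re.S

RULES = [
    # CREATE SERVER ... AUTHORIZATION "user" PASSWORD "secret"
    ("create_server",
     re.compile(r"(\bCREATE\s+SERVER\b.*?\bPASSWORD\s+)" + QUOTED, FLAGS)),
    # CREATE/ALTER USER MAPPING ... OPTIONS (... REMOTE_PASSWORD 'secret')
    ("user_mapping",
     re.compile(r"(\b(?:CREATE|ALTER)\s+USER\s+MAPPING\b.*?"
                r"\bREMOTE_PASSWORD\s+)" + QUOTED, FLAGS)),
    # ENCRYPT(data, 'secret' ...) and DECRYPT_BIN/DECRYPT_CHAR(data, 'secret')
    ("crypt_udf",
     re.compile(r"(\b(?:ENCRYPT|DECRYPT_BIN|DECRYPT_CHAR)\s*\(\s*[^,()]+,\s*)"
                + QUOTED, FLAGS)),
]


def redact(statement):
    """Mask password literals; return (masked_text, names_of_rules_that_fired)."""
    fired = []
    for name, pattern in RULES:
        statement, count = pattern.subn(
            lambda m: m.group(1) + "'***'", statement)
        if count:
            fired.append(name)
    return statement, fired


# Constructed statement text, standing in for rows exported from monitoring
# or audit output. Object names and passwords are made up.
SAMPLE_STATEMENTS = [
    'CREATE SERVER ORA1 TYPE ORACLE VERSION 11 WRAPPER NET8 '
    'AUTHORIZATION "fedadm" PASSWORD "S3rverPw" OPTIONS (NODE \'ora_node\')',
    "ALTER USER MAPPING FOR app1 SERVER ORA1 "
    "OPTIONS (SET REMOTE_PASSWORD 'M4pPw')",
    "INSERT INTO emp (ssn) VALUES (ENCRYPT('289-46-8832', 'Pacific'))",
    "SELECT name FROM emp WHERE dept = 'A00'",
]

if __name__ == "__main__":
    for text in SAMPLE_STATEMENTS:
        masked, fired = redact(text)
        print(",".join(fired) or "-", "|", masked)
```

The list of rules that fired also serves as a finding: any non-empty
result marks a captured statement whose password should be treated as
exposed to everyone able to read that output.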
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-DB2-information-disclosure-via-monitoring-audit-16799