VYPR
Unrated severity · NVD Advisory · Published Jan 22, 2024 · Updated May 30, 2025

IBM Db2 information disclosure

CVE-2023-47152

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an insecure cryptographic algorithm and to information disclosure in stack trace under exceptional conditions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Db2 11.5 uses an insecure cryptographic algorithm and leaks stack-trace information under exceptional conditions, allowing attackers to obtain sensitive data.

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) version 11.5.x is vulnerable to an insecure cryptographic algorithm and information disclosure in stack traces under exceptional conditions [1]. The vulnerability affects the Db2 client and all platforms [1]. Specific details about the cryptographic weakness are not disclosed in the available references.

Exploitation

An attacker with network access can exploit the insecure cryptographic algorithm or trigger exceptional conditions that cause stack-trace information to be disclosed [1]. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates that exploitation requires high attack complexity, no privileges, and no user interaction [1]. The exact steps to trigger the issue are not published.

Impact

A successful exploit leads to information disclosure, compromising confidentiality of data processed by the Db2 server [1]. The attack does not affect integrity or availability [1]. The CVSS confidentiality impact is rated High [1].

Mitigation

IBM provides special builds containing the interim fix for V11.5.9 and earlier fixpack levels; these are available from Fix Central [1]. Customers must contact Db2 support to obtain the updated db2jcc4.jar file [1]. The permanent fix is tracked as APAR DT255114 and will be included in a future fix pack [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

2
