CVE-2025-13755
Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 stores sensitive information in db2diag log files when executing specific testcase buckets, allowing local users to read potentially sensitive data.
Vulnerability
IBM Db2 for Linux, UNIX and Windows (including DB2 Connect Server) versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 store potentially sensitive information in the db2diag log files when executing specific testcase buckets. This vulnerability affects all platforms for the listed versions. Earlier unsupported releases (10.1, 9.7, etc.) may also be affected. The issue stems from CWE-532: Insertion of Sensitive Information into Log File [1].
Exploitation
An attacker must have local access to the system and the ability to read the db2diag log files. No special authentication beyond existing local user privileges is required. The attacker can view the log file content where sensitive information, such as credentials, may have been written during the execution of specific testcase buckets. IBM has not disclosed the exact replication steps to avoid aiding malicious actors [1].
Impact
A successful local attacker can read sensitive information, including credentials, stored in the db2diag log files. This leads to a high impact on confidentiality, while integrity and availability are not affected (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, base score 5.5) [1].
Mitigation
IBM has released interim fixes as special builds available from Fix Central. For V11.5, apply special build #81937 or later for V11.5.9 (APAR DT454491); for V12.1, apply special build #83501 or later for V12.1.4 (APAR DT454491). The permanent fix is not yet included in a formal mod pack (TBD). Users should apply the special builds to any affected level of the appropriate release. No workaround is provided. Earlier unsupported versions should be upgraded to a supported release [1].
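A defender-side check for this class of issue (CWE-532), added here as an illustration and not taken from IBM's advisory or tooling: it flags a db2diag.log that other local users can read and scans it for lines that look like credentials. The regular expressions, the sample entries and the 0o644 mode are assumptions constructed for the demo; real db2diag.log entries and the values written by the affected testcase buckets may differ.

```python
import os
import re
import tempfile

# Heuristic patterns for secrets that should never reach a diagnostic log
# (assumed regexes, not taken from IBM's advisory).
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\bauthorization:\s*(basic|bearer)\s+\S+"),
]

def permission_findings(mode: int) -> list[str]:
    """Flag a log that users other than its owner can read (POSIX mode bits)."""
    checks = [(0o040, "group-readable"), (0o004, "world-readable")]
    return [label for bit, label in checks if mode & bit]

def scan_lines(lines) -> list[tuple[int, str]]:
    """Return (line number, matched text) for lines that look like leaked secrets."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((n, m.group(0)))
                break  # one finding per line is enough
    return hits

def audit_db2diag(path: str) -> dict:
    """Combine the permission check and the content scan for one log file."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8", errors="replace") as f:
        hits = scan_lines(f)
    return {"permissions": permission_findings(mode), "secrets": hits}

def demo() -> dict:
    """Run the audit on a constructed sample; the entries only imitate db2diag format."""
    sample = (
        "2026-01-01-10.00.00.000000+000 I1E2 LEVEL: Info\n"
        "MESSAGE : Connection established for user DB2INST1\n"
        "MESSAGE : testcase bucket args: user=db2inst1 password=Example123!\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix="db2diag.log", delete=False) as f:
        f.write(sample)
        path = f.name
    os.chmod(path, 0o644)  # owner rw, group and others read: the risky case
    try:
        return audit_db2diag(path)
    finally:
        os.unlink(path)
```

Run `audit_db2diag` against the instance's real DIAGPATH after the special build is applied to confirm nothing sensitive remains in the existing log and that it is not readable by other local users.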
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)