SB2018120305 - Multiple vulnerabilities in IBM DB2

Published: December 3, 2018

Security Bulletin ID: SB2018120305
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity: Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Privilege escalation (CVE-ID: CVE-2018-1711)

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The vulnerability exists due to an unspecified flaw. A local attacker can modify the contents of the control tables used by the ATS to permit unauthorized access to authorizations held by other users, as well as to RCAC row permissions and column masks.


2) Information disclosure (CVE-ID: CVE-2018-1857)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists because Db2's Row and Column Access Control (RCAC) rules are not enforced when a table is created with a CREATE TABLE ... AS (CTAS) sub-select statement. A local attacker can create a table with a CTAS sub-select that uses the 'WITH DATA' clause to select and insert data, bypassing the RCAC rules and therefore the FGAC access controls, and gain access to important data.
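As a detection-side illustration of the CTAS bypass described above, here is an added example (not part of the IBM bulletin and not Db2 code): a small Python check that scans statement-log lines for CREATE TABLE ... AS (...) WITH DATA statements whose sub-select reads a table on which RCAC is active. The log line format, the list of protected tables, the user names and the sample statements are all constructed assumptions for this example.

```python
import re

# Constructed inventory of tables with RCAC row permissions or column masks
# active (in a real deployment this would be built from the Db2 catalog).
RCAC_PROTECTED = {"HR.EMPLOYEE", "HR.PAYROLL"}

# CREATE TABLE <target> AS (<subselect>) WITH DATA, the CTAS form the bulletin
# describes; DEFINITION ONLY creates an empty table and copies no rows.
CTAS_RE = re.compile(
    r"CREATE\s+TABLE\s+(?P<target>[\w.\"]+)\s+AS\s*\((?P<sub>.*)\)\s*WITH\s+DATA\b",
    re.IGNORECASE | re.DOTALL)
# Every table the subselect reads (FROM or JOIN), so joined tables are caught too.
SOURCE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([\w.\"]+)", re.IGNORECASE)
# Constructed audit-log line format: "<timestamp> user=<authid> stmt=<sql>".
LOG_RE = re.compile(r"\S+\s+user=(\S+)\s+stmt=(.*)$")

def normalize(ident):
    # Simplification: strip quotes and fold to upper case as Db2 does for
    # unquoted identifiers (quoted identifiers really keep their case).
    return ident.replace('"', "").upper()

def find_rcac_ctas(log_lines, protected=RCAC_PROTECTED):
    """Return (user, target, protected_sources) for each CTAS ... WITH DATA
    whose subselect reads an RCAC-protected table."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        user, stmt = m.group(1), m.group(2)
        ctas = CTAS_RE.search(stmt)
        if not ctas:
            continue  # plain SELECT or other statement: RCAC applies normally
        sources = (normalize(t) for t in SOURCE_RE.findall(ctas.group("sub")))
        hits = tuple(t for t in sources if t in protected)
        if hits:
            findings.append((user, normalize(ctas.group("target")), hits))
    return findings

# Constructed sample log lines (not real Db2 audit output).
SAMPLE_LOG = [
    "2018-12-03T10:00:00Z user=ALICE stmt=CREATE TABLE ALICE.T1 AS (SELECT EMPNO, SALARY FROM HR.PAYROLL) WITH DATA",
    "2018-12-03T10:01:00Z user=BOB stmt=CREATE TABLE BOB.T2 AS (SELECT * FROM HR.EMPLOYEE) DEFINITION ONLY",
    "2018-12-03T10:02:00Z user=CAROL stmt=CREATE TABLE CAROL.T3 AS (SELECT ID FROM PUBLIC.CATALOG) WITH DATA",
    "2018-12-03T10:03:00Z user=DAVE stmt=SELECT EMPNO, SALARY FROM HR.PAYROLL",
    "2018-12-03T10:04:00Z user=ERIN stmt=create table erin.t5 as (select e.empno, p.salary from hr.employee e join hr.payroll p on e.empno = p.empno) with data",
]

for user, target, hits in find_rcac_ctas(SAMPLE_LOG):
    print(f"RCAC bypass candidate: {user} copied {', '.join(hits)} into {target}")
```

Only the two WITH DATA statements that read a protected table are reported; the DEFINITION ONLY copy, the unprotected source and the plain SELECT are left alone.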


Remediation

Install the update from the vendor's website.