Db2's Row and Column Access Control (RCAC) rules are not enforced when a table is created with a CREATE TABLE ... AS (subselect) statement (CTAS) that includes the WITH DATA clause. In that case Db2 selects the rows from the source table and inserts them into the new table without applying the source table's row permissions or column masks, so a user who is only allowed to see a filtered subset of the source table can obtain a copy that holds all of it. The copy is an ordinary table that carries no RCAC rules of its own, so the data remains readable to that user afterwards.
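The following SQL is an added illustration of the check described above; it is not part of the IBM bulletin and not IBM's code. The schema, table, column, role and user names (HR.EMPLOYEE, DEPT, ANALYST, USER1) are hypothetical. It sets up a row permission, then compares what a restricted user sees through a direct SELECT with what lands in a CTAS ... WITH DATA copy made by the same user:

```sql
-- Added example, not from the IBM bulletin. Names below are hypothetical.
-- Step 1 runs as a user holding SECADM (required to create permissions);
-- steps 2-4 run as USER1, a member of role ANALYST who holds SELECT on
-- HR.EMPLOYEE and CREATETAB, and who does NOT hold EXEMPT ACCESS CONTROL
-- on the table (an exempt user would legitimately see every row).

-- Step 1 (SECADM): restrict ANALYST members to rows of department 'D01'.
CREATE PERMISSION HR.EMP_ROW_PERM ON HR.EMPLOYEE
   FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'ANALYST') = 1
              AND DEPT = 'D01'
   ENFORCED FOR ALL ACCESS
   ENABLE;
ALTER TABLE HR.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;

-- Step 2 (USER1): a direct query is filtered by the permission, so this
-- count covers only the 'D01' rows.
SELECT COUNT(*) AS visible_rows
  FROM HR.EMPLOYEE;

-- Step 3 (USER1): copy the table with CTAS and the WITH DATA clause.
-- On an affected V11.1 level the insert bypasses the row permission.
CREATE TABLE USER1.EMP_COPY AS (SELECT * FROM HR.EMPLOYEE) WITH DATA;

-- Step 4 (USER1): count what was actually copied. The copy has no RCAC
-- rules of its own, so every row in it is readable.
SELECT COUNT(*) AS copied_rows
  FROM USER1.EMP_COPY;

-- Verdict: copied_rows equal to visible_rows means the WITH DATA insert
-- honoured RCAC (expected on V11.1.4.4 or later). copied_rows greater
-- than visible_rows means rows USER1 is not permitted to see were
-- written into a table USER1 owns.

-- Clean-up (USER1, then SECADM) once the check is done.
DROP TABLE USER1.EMP_COPY;
ALTER TABLE HR.EMPLOYEE DEACTIVATE ROW ACCESS CONTROL;
DROP PERMISSION HR.EMP_ROW_PERM;
```

Run the comparison from the restricted user's own connection: RCAC decisions depend on SESSION_USER and the roles it holds, so a count taken by the SECADM or the table owner does not show what USER1 would get. Because the copy is a plain table, the check is also worth repeating against any CTAS-created tables that already exist in schemas owned by restricted users, since a copy made before the fix pack was applied keeps the unfiltered rows.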
CVEID: CVE-2018-1857
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a user to bypass fine-grained access control (FGAC, implemented in Db2 as RCAC) and gain access to data they should not be able to see.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151155> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)
All fix pack levels of IBM Db2 V11.1 editions on all platforms are affected.
The recommended solution is to apply the appropriate fix for this vulnerability.
FIX:
The fix for Db2 release V11.1 is in V11.1.4.4 (Fix Pack 4), available for download from Fix Central.

Release | Fixed in fix pack | APAR | Download URL |
---|---|---|---|
V11.1 | FP4 (V11.1.4.4) | | <http://www.ibm.com/support/docview.wss?uid=ibm10741687> |
Workarounds and mitigations: None.