#VU16209 Information disclosure in IBM DB2 - CVE-2018-1857

Cybersecurity Help s.r.o.

Published: 2018-11-28 | Updated: 2018-12-03

Vulnerability identifier: #VU16209

Vulnerability risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1857

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM DB2
Server applications / Database software

Vendor: IBM Corporation

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to Db2's Row and Column Access Control (RCAC) rules are not being enforced when creating a table using AS (CTAS) sub-select statements. A local attacker can create a table using AS (CTAS) sub-select statements to bypass Row and Column Access Control (RCAC) rules when using the 'WITH DATA' clause to select and insert data, allowing a user to bypass FGAC access controls and gain access important data.

Mitigation
Update to version 11.1.4.4.

Vulnerable software versions

IBM DB2: 11.1 FP1 - 11.1.3.3 iFix002

External links
https://www-01.ibm.com/support/docview.wss?uid=ibm10734059

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM DB2