Vulnerability category: Database
Vulnerability severity:
Vulnerability information
When a table is renamed and a new table is created with the old name, users who had access on the old table may be able to access the new table.
A user may incorrectly acquire privileges on a table if the table is created with the same name as a previously renamed table. During a RENAME TABLE, a user maintains privileges on the renamed table. However, if a new table is then created with the old name, the user may also incorrectly maintain their privileges on this new table. The problem is caused by the rename operation not updating the user authorization cache. The error will be cleared up when the database is deactivated or when the DB2 instance is restarted.
Affected Versions:
IBM DB2 10.1
IBM DB2 10.5
IBM DB2 11.1.1
Impact
IBM DB2 could allow an authenticated attacker with specialized access to access tables that they should not be permitted to view.
Solution
Please refer to the following link swg21999515 for more details.
Workaround:
Workaround #1
Recycling the database:
db2stop
db2start
Workaround #2
1. Create a new table with the old table name.
2. For each affected grantee:
   a. Grant the privilege(s) held by the grantee on the old table.
   b. Revoke the granted privilege(s) from step a.
3. Drop the table created in step 1 (if not needed anymore).
Workaround #3
Revoke all the privileges from other grantees prior to the RENAME TABLE and re-grant the privileges to the grantees on the newly named table.
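Workaround #3 as a script generator. This is an added example, not code from IBM or the original advisory. It assumes the rows were read from the SYSCAT.TABAUTH catalog view for the table about to be renamed, and that "other grantees" means everyone except the table owner. The function name, schema, table and grantee names are hypothetical, and the sample rows are constructed.

```python
# Added example: emit REVOKE / RENAME TABLE / GRANT statements for Workaround #3.
# Keys follow SYSCAT.TABAUTH columns ('Y' = held, 'G' = held with grant option).
PRIVS = {"CONTROLAUTH": "CONTROL", "ALTERAUTH": "ALTER", "DELETEAUTH": "DELETE",
         "INDEXAUTH": "INDEX", "INSERTAUTH": "INSERT", "REFAUTH": "REFERENCES",
         "SELECTAUTH": "SELECT", "UPDATEAUTH": "UPDATE"}
KINDS = {"U": "USER", "G": "GROUP", "R": "ROLE"}

def q(ident):
    """Quote as a delimited identifier so case and odd characters survive."""
    return '"' + ident.strip().replace('"', '""') + '"'

def grantee_clause(row):
    if row["GRANTEE"].strip() == "PUBLIC":
        return "PUBLIC"
    return f'{KINDS[row["GRANTEETYPE"]]} {q(row["GRANTEE"])}'

def workaround3(rows, schema, old, new, owner):
    """Return the ordered statements: revokes, then the rename, then re-grants."""
    table_old = f"{q(schema)}.{q(old)}"
    table_new = f"{q(schema)}.{q(new)}"
    revokes, grants = [], []
    for row in rows:
        # Assumption: the owner keeps its privileges; only other grantees change.
        if row["GRANTEETYPE"] == "U" and row["GRANTEE"].strip() == owner:
            continue
        who = grantee_clause(row)
        for col, priv in PRIVS.items():
            flag = row.get(col, "N")
            if flag not in ("Y", "G"):
                continue
            revokes.append(f"REVOKE {priv} ON TABLE {table_old} FROM {who};")
            opt = " WITH GRANT OPTION" if flag == "G" else ""
            grants.append(f"GRANT {priv} ON TABLE {table_new} TO {who}{opt};")
    # RENAME TABLE takes an unqualified target name.
    rename = f"RENAME TABLE {table_old} TO {q(new)};"
    return revokes + [rename] + grants

SAMPLE_ROWS = [  # constructed rows, not taken from a real catalog
    {"GRANTEE": "APPOWNER", "GRANTEETYPE": "U", "CONTROLAUTH": "Y", "SELECTAUTH": "G"},
    {"GRANTEE": "ETL", "GRANTEETYPE": "U", "INSERTAUTH": "G", "SELECTAUTH": "N"},
    {"GRANTEE": "ANALYST", "GRANTEETYPE": "R", "SELECTAUTH": "Y"},
    {"GRANTEE": "PUBLIC", "GRANTEETYPE": "G", "SELECTAUTH": "Y"},
]

if __name__ == "__main__":
    for stmt in workaround3(SAMPLE_ROWS, "APP", "ORDERS", "ORDERS_2016", "APPOWNER"):
        print(stmt)
```

Review the generated statements before running them, since every revoke must complete before the RENAME TABLE for the workaround to apply.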
Patch:
Following are links for downloading patches to fix the vulnerabilities: