Security Bulletin: IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file (CVE-2024-25030)

Summary

IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file.

Vulnerability Details

CVEID:CVE-2024-25030
**DESCRIPTION:**IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281677 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

11.1.4.x

|

Server

Only Linux 64-bit, x86-64 platform is affected. Unix, Windows are not affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, v11.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V11.1.4 FP7 They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Linux 64-bit, x86-64

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Workarounds and Mitigations

None