IBM Db2 Mirror for i configurations may be subject to this security vulnerability. A PTF for IBM i 7.4 and remediation steps are available.
CVEID: CVE-2019-4536 DESCRIPTION: IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. A user with restore privileges could exploit this vulnerability to obtain elevated privileges on the restored system.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165592> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
IBM i 7.4 with Db2 Mirror for i might be affected.
Take the following steps:
The IBM i PTF number is:
Release 7.4 – SI70767
<https://www-945.ibm.com/support/fixcentral/>
If a Restore User Profile (RSTUSRPRF) has been done on an IBM i 7.4 system with Db2 Mirror configured prior to applying the PTF, remediation is required after applying the PTF for the following issues.
Issue #1: After the re-sync, there may be error entries on the Object Tracking List (OTL) for some system user profiles.
Issue #2: User profiles that were restored may have been given elevated privileges on both the source and target systems during the re-sync processing.
Remediation steps for both issues:
There is no issue with RSTUSRPRF on a system that does not have Db2 Mirror configured.
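As an added example that is not part of the IBM bulletin, the following SQL lists user profiles that were restored and now hold powerful special authorities, so their current authorities can be compared with what was intended after the PTF is applied; run it on each Db2 Mirror node, since the bulletin says elevation can occur on both. It assumes the QSYS2.USER_INFO and QSYS2.OBJECT_STATISTICS IBM i services with the column names used below, and the 90-day window is a placeholder to adjust to when the RSTUSRPRF was run.

```sql
-- Added example, not from the IBM bulletin.
-- Finds *USRPRF objects restored inside the window that now carry
-- special authorities commonly treated as elevated on IBM i.
-- Assumptions: USER_INFO exposes SPECIAL_AUTHORITIES and
-- OBJECT_STATISTICS exposes OBJNAME / LAST_RESTORE_TIMESTAMP;
-- the 90 DAYS window is a placeholder.
SELECT u.AUTHORIZATION_NAME,
       u.SPECIAL_AUTHORITIES,
       o.LAST_RESTORE_TIMESTAMP
  FROM QSYS2.USER_INFO u
  JOIN TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*USRPRF')) o
    ON o.OBJNAME = u.AUTHORIZATION_NAME
 WHERE o.LAST_RESTORE_TIMESTAMP >= CURRENT TIMESTAMP - 90 DAYS  -- placeholder window
   AND (u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR u.SPECIAL_AUTHORITIES LIKE '%*SECADM%'
        OR u.SPECIAL_AUTHORITIES LIKE '%*SERVICE%')
 ORDER BY o.LAST_RESTORE_TIMESTAMP DESC;
```

Any profile in the result whose special authorities exceed those recorded in the restored save media or the site's authority baseline is a candidate for the bulletin's Issue #2 and should be corrected with CHGUSRPRF on both nodes.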
**Important note:** IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.
None