Security Bulletin: IBM i is vulnerable to user profile enumeration due to a supplied table function in Db2 for i. [CVE-2024-31870]

Summary

IBM i is vulnerable to a local user enumerating user profile names without authority to the user profile objects as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2024-31870
**DESCRIPTION:**IBM Db2 for i supplies user defined table function is vulnerable to user enumeration by a local authenticated attacker, without having authority to the related *USRPRF objects. This can be used by a malicious actor to gather information about users that can be targeted in further attacks.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287174 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

The issue can be addressed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The IBM i 5770-SS1 PTF number resolves the vulnerability.

<https://www.ibm.com/support/fixcentral&gt;

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None.