CVE-2021-20373
📋 TL;DR
IBM Db2's LOAD utility fails to properly enforce directory restrictions under certain circumstances, allowing unauthorized access to sensitive files. This information disclosure vulnerability affects Db2 versions 9.7, 10.1, 10.5, 11.1, and 11.5 when using the LOAD utility.
💻 Affected Systems
- IBM Db2
📦 What is this software?
Db2 by IBM
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive database files, configuration files, or other system files containing credentials, personal data, or proprietary information.
Likely Case
Unauthorized users with LOAD utility access could read files outside permitted directories, potentially accessing sensitive data they shouldn't have permission to view.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who might accidentally access restricted files.
🎯 Exploit Status
Exploitation requires LOAD utility access. No public exploit code has been identified, but the vulnerability is well-documented in advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fixes as specified in IBM advisory APAR IT35980
Vendor Advisory: https://www.ibm.com/support/pages/node/6523804
Restart Required: Yes
Instructions:
1. Review IBM advisory APAR IT35980.
2. Apply the appropriate fix pack for your Db2 version.
3. Restart Db2 services.
4. Verify the fix by testing LOAD utility directory restrictions.
🔧 Temporary Workarounds
Restrict LOAD Utility Access
Limit which users and applications can execute the LOAD utility to only those with a legitimate business need.
-- Use Db2 authorization controls to restrict LOAD privilege
GRANT LOAD ON DATABASE TO authorized_users_only;
-- Review and revoke unnecessary LOAD privileges
Implement File System Controls
Use operating system file permissions to restrict access to sensitive directories outside Db2's permitted paths.
# Linux example: Restrict directory permissions
chmod 750 /sensitive/directories
chown db2inst1:db2iadm1 /db2/data/directories
🧯 If You Can't Patch
- Implement strict access controls on LOAD utility usage and monitor for unauthorized LOAD operations
- Use file system auditing to detect attempts to access files outside permitted LOAD directories
🔍 How to Verify
Check if Vulnerable:
Check whether your Db2 version is 9.7, 10.1, 10.5, 11.1, or 11.5 and whether the LOAD utility is used in your environment.
Check Version:
db2level | grep -E "Informational tokens|Product is installed"
Verify Fix Applied:
After applying patches, test LOAD utility with attempts to access files outside permitted directories to confirm restrictions are enforced.
📡 Detection & Monitoring
Log Indicators:
- Unusual LOAD utility activity
- Failed LOAD operations with path traversal attempts
- Access to files outside expected LOAD directories
Network Indicators:
- Unusual database administrative traffic patterns
SIEM Query:
source="db2*" AND (event="LOAD" OR command="LOAD") AND (path="*../*" OR error="permission denied")
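As an added example (not part of the advisory or of IBM's tooling), the following Python scans LOAD events for file paths that resolve outside an allowed load directory. The log line format and the allowed directory `/db2/load` are constructed assumptions; the check goes beyond the literal `../` match in the SIEM query above by normalizing the path first, so an absolute path outside the allowed root is caught as well.

```python
import os
import re
from typing import Dict, List

# Constructed sample log lines (not real Db2 output). Each records a command,
# the user, and the file path it referenced. Real deployments would extract the
# same fields from db2audit or db2diag records before calling the scanner.
SAMPLE_LOG = """\
2021-06-01T10:00:01 user=etl_svc event=LOAD path=/db2/load/daily/orders.del status=SUCCESS
2021-06-01T10:02:13 user=analyst1 event=LOAD path=/db2/load/../../etc/passwd status=FAILED
2021-06-01T10:03:40 user=analyst1 event=LOAD path=/opt/app/config/secrets.properties status=SUCCESS
2021-06-01T10:05:00 user=etl_svc event=SELECT path=- status=SUCCESS
"""

# Directories the LOAD utility is expected to read from (assumption for this example).
ALLOWED_LOAD_DIRS = ["/db2/load"]

LINE_RE = re.compile(
    r"user=(?P<user>\S+) event=(?P<event>\S+) path=(?P<path>\S+) status=(?P<status>\S+)"
)


def path_is_contained(path: str, allowed_dirs: List[str]) -> bool:
    """True if the normalized path lies under one of the allowed directories.

    os.path.normpath collapses '..' segments, and os.path.commonpath compares
    whole path components, so '/db2/loadx/x' is not mistaken for '/db2/load'.
    Relative paths are treated as outside the allowed roots.
    """
    norm = os.path.normpath(path)
    if not os.path.isabs(norm):
        return False
    for root in allowed_dirs:
        root_norm = os.path.normpath(root)
        if os.path.commonpath([norm, root_norm]) == root_norm:
            return True
    return False


def find_suspicious_loads(log_text: str, allowed_dirs: List[str]) -> List[Dict[str, str]]:
    """Return LOAD events whose referenced path falls outside allowed_dirs."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("event") != "LOAD":
            continue
        if not path_is_contained(m.group("path"), allowed_dirs):
            hits.append({"user": m.group("user"), "path": m.group("path"), "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_LOG, ALLOWED_LOAD_DIRS):
        print(f"ALERT user={hit['user']} path={hit['path']} status={hit['status']}")
```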
🔗 References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/195521
- https://security.netapp.com/advisory/ntap-20220225-0005/
- https://www.ibm.com/support/pages/node/6523804