CVE-2024-40679
📋 TL;DR
IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) version 11.5 may write sensitive information to log files under specific conditions, potentially exposing credentials or other confidential data. This affects administrators and users with access to Db2 log files.
💻 Affected Systems
- IBM Db2 for Linux, UNIX and Windows
- IBM Db2 Connect Server
📦 What is this software?
Db2 by IBM
⚠️ Risk & Real-World Impact
Worst Case
Attackers with access to log files could obtain database credentials, connection strings, or other sensitive information, leading to unauthorized database access or data exfiltration.
Likely Case
Authorized users or administrators inadvertently viewing logs could see sensitive information that should be protected, potentially violating compliance requirements.
If Mitigated
With proper log file permissions and access controls, the risk is limited to authorized personnel who should already have appropriate clearance.
🎯 Exploit Status
Exploitation requires access to log files, which typically requires some level of system access or privilege.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fix pack or interim fix as specified in IBM advisory
Vendor Advisory: https://www.ibm.com/support/pages/node/7175957
Restart Required: Yes
Instructions:
1. Review the IBM advisory for the specific fix details.
2. Apply the recommended fix pack or interim fix.
3. Restart Db2 services.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Restrict log file access
Linux: Set strict file permissions on Db2 log directories to prevent unauthorized access
chmod 750 /path/to/db2/logs
chown db2inst1:db2iadm1 /path/to/db2/logs
Configure log file permissions
Windows: Set appropriate ACLs to restrict access to Db2 log files
icacls "C:\Program Files\IBM\SQLLIB\LOG" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
🧯 If You Can't Patch
- Implement strict access controls on Db2 log directories and files
- Regularly audit and monitor access to Db2 log files
🔍 How to Verify
Check if Vulnerable:
Check if running Db2 version 11.5 and review IBM advisory for specific vulnerable configurations
Check Version:
db2level
Verify Fix Applied:
Verify applied fix pack version and check that sensitive information is no longer present in log files
📡 Detection & Monitoring
Log Indicators:
- Sensitive strings like passwords, connection strings, or credentials appearing in Db2 log files
Network Indicators:
- Unauthorized access attempts to log file directories
SIEM Query:
source="db2_logs" AND (password OR credential OR secret OR "connection string")
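As an added example (not from the IBM advisory or this page), a small Python scanner that applies the log indicators above to constructed, Db2-style log lines: it flags credential assignments and connection strings, skips benign mentions of the word "password" that the keyword-only SIEM query above would match, and returns redacted copies of the offending lines so the findings themselves do not re-expose the secrets. The log format and sample values are constructed assumptions, not real Db2 output.

```python
import re

# Constructed sample lines loosely modelled on a Db2 diagnostic log; not real Db2 output.
SAMPLE_LOG_LINES = [
    "2024-07-01-10.15.22.123456+000 I1234E567 LEVEL: Info PID: 4242 TID: 1 PROC: db2sysc",
    "MESSAGE : Connection attempt: Database=SAMPLE;Hostname=dbhost;Port=50000;UID=db2inst1;PWD=Sup3rS3cret!",
    "MESSAGE : Password policy check completed successfully",
    "MESSAGE : ldap_bind user=cn=svc,dc=example password=hunter2",
    "MESSAGE : Backup completed, 1024 pages written",
]

# A credential key followed by '=' or ':' and a value (case-insensitive). Requiring the
# assignment avoids matching prose such as "Password policy check".
_KV_SECRET = re.compile(r"(?i)\b(pwd|password|passwd|secret|token)\s*[=:]\s*([^\s;]+)")
# A ';'-separated connection string that carries a UID or PWD key.
_CONN_STRING = re.compile(r"(?i)\b(?:[a-z]+=[^;]*;){2,}(?:uid|pwd)=[^;]*")


def redact(line):
    """Return the line with every credential value replaced by a placeholder."""
    return _KV_SECRET.sub(lambda m: f"{m.group(1)}=<REDACTED>", line)


def scan_log_lines(lines):
    """Return one finding per line that leaks a credential; values are redacted."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        indicators = []
        if _KV_SECRET.search(line):
            indicators.append("credential_assignment")
        if _CONN_STRING.search(line):
            indicators.append("connection_string")
        if indicators:
            findings.append({"line": lineno, "indicators": indicators, "redacted": redact(line)})
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {', '.join(f['indicators'])}: {f['redacted']}")
```

To run it against a real log, replace SAMPLE_LOG_LINES with the file's lines; store or forward only the redacted field, never the raw line.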