Threat Finder

Threat ID
2506
Threat Date
01/09/2012
Threat Name
Require explicit authorization for cataloging
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
High
Database Type
IBM DB2
Category
Misconfigurations
Versions
All versions of IBM DB2 Databases
Summary
DB2 can be configured to allow users that do not possess the SYSADM authority to catalog and uncatalog databases and nodes.
Overview
Cataloging a database is the process of registering a database from a remote client to allow remote calls and access. This procedure should be restricted to users with a valid DB2 account who hold the SYSADM or SYSCTRL authority. Setting the catalog_noauth parameter to YES bypasses all permission checks and allows anyone to catalog and uncatalog databases.

It is recommended that SYSADM authority be required to catalog and uncatalog databases and nodes; to enforce this, set the catalog_noauth parameter to NO.

The default value (NO or 0) for CATALOG_NOAUTH parameter indicates that SYSADM authority is required. When this parameter is set to YES or 1, SYSADM authority is not required.
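The following POSIX shell script is an added example, not part of the original Threat Finder entry, showing how an auditor would check the CATALOG_NOAUTH database manager configuration parameter and set it back to the default. It assumes the DB2 command line processor (`db2`) is on PATH and that the script runs as the instance owner; the two `SAMPLE_CFG_*` lines are constructed stand-ins for the relevant line of `db2 get dbm cfg` output so the parsing logic can be exercised without a DB2 installation.

```shell
#!/bin/sh
# Added example (not from the original page): audit and remediate CATALOG_NOAUTH.
# Assumes `db2` (the DB2 CLP) is on PATH for the live check and remediation.

# Constructed samples of the CATALOG_NOAUTH line as printed by `db2 get dbm cfg`;
# the descriptive text before the parenthesised name may differ by version, so
# the parser keys only on "(CATALOG_NOAUTH) =".
SAMPLE_CFG_WEAK='Cataloging allowed without authority   (CATALOG_NOAUTH) = YES'
SAMPLE_CFG_OK='Cataloging allowed without authority   (CATALOG_NOAUTH) = NO'

# Print the CATALOG_NOAUTH value found in `db2 get dbm cfg` style output on stdin.
catalog_noauth_value() {
    sed -n 's/.*(CATALOG_NOAUTH) *= *\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when the setting is compliant (NO or 0, i.e. SYSADM required), 1 otherwise.
catalog_noauth_compliant() {
    value=$(catalog_noauth_value)
    case "$value" in
        NO|0) return 0 ;;
        *)    return 1 ;;
    esac
}

# Live audit against the running instance (requires the db2 CLP).
check_live() {
    db2 get dbm cfg | catalog_noauth_compliant
}

# Remediation: restore the default so SYSADM authority is required to catalog
# and uncatalog databases and nodes.
remediate() {
    db2 update dbm cfg using CATALOG_NOAUTH NO
}

# Demonstration on the constructed weak sample (no DB2 required).
if printf '%s\n' "$SAMPLE_CFG_WEAK" | catalog_noauth_compliant; then
    echo "CATALOG_NOAUTH is compliant (SYSADM required)"
else
    echo "CATALOG_NOAUTH=YES: cataloging allowed without SYSADM; run remediate"
fi
```

For a real audit, replace the demonstration at the bottom with `check_live || remediate`; the update takes effect for new connections to the instance.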
References
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.udb.admin.doc%2Fdoc%2Fr0000143.htm
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
