Threat Finder
- Threat ID
- 2506
- Threat Date
- 01/09/2012
- Threat Name
- Require explicit authorization for cataloging
- CVE Reference
- CVE-NO-MATCH
- CCE Reference
- CCE-NO-MATCH
- Risk
- High
- Database Type
- IBM DB2
- Category
- Misconfigurations
- Versions
- All versions of IBM DB2 Databases
- Summary
- DB2 can be configured to allow users that do not possess the SYSADM authority to catalog and uncatalog databases and nodes.
- Overview
Cataloging a database is the process of registering a remote database, and the node it resides on, in a client's directories so that applications on that client can locate and connect to it. Because the catalog entries determine which host and port a client connects to, the ability to add or remove them should be restricted to users with a valid DB2 account who hold SYSADM or SYSCTRL authority. Setting the catalog_noauth database manager configuration parameter to YES removes that authority check and allows any user to catalog and uncatalog databases and nodes, which lets an unprivileged user alter where other users' connections are directed.
It is recommended that SYSADM authority be required to catalog and uncatalog databases and nodes; set the catalog_noauth parameter to NO.
The default value (NO or 0) of the CATALOG_NOAUTH parameter indicates that SYSADM authority is required. When this parameter is set to YES or 1, SYSADM authority is not required.
- References
- http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.udb.admin.doc%2Fdoc%2Fr0000143.htm
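The following script is an added example, not part of the Threat Finder entry or of IBM's tooling. It audits CATALOG_NOAUTH from the output of the DB2 command line processor (`db2 get dbm cfg`) and prints the remediation command (`db2 update dbm cfg using CATALOG_NOAUTH NO`) when the parameter is set to YES. The sample configuration lines embedded in the script are constructed so that it runs offline; on a live instance, pipe the real `db2 get dbm cfg` output into `check_catalog_noauth` instead.

```shell
#!/bin/sh
# Added example (not from the Threat Finder page or from IBM): audit and
# remediate the CATALOG_NOAUTH database manager configuration parameter.
#
# Live usage (run as the instance owner with the DB2 environment sourced):
#   db2 get dbm cfg | check_catalog_noauth
# Remediation when the check fails:
#   db2 update dbm cfg using CATALOG_NOAUTH NO
#   db2 get dbm cfg show detail        # confirm the effective value afterwards

# Constructed samples of the line `db2 get dbm cfg` prints for this parameter,
# used so the script can be exercised offline.
SAMPLE_WEAK=' Cataloging allowed without authority       (CATALOG_NOAUTH) = YES'
SAMPLE_OK=' Cataloging allowed without authority       (CATALOG_NOAUTH) = NO'

# Extract the value of CATALOG_NOAUTH from dbm cfg output read on stdin.
# Prints nothing if the parameter line is absent.
get_catalog_noauth() {
    sed -n 's/.*(CATALOG_NOAUTH) *= *\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Read dbm cfg output on stdin and report the setting.
# Exit status: 0 = NO/0 (SYSADM or SYSCTRL required, compliant)
#              1 = YES/1 (anyone may catalog/uncatalog, misconfiguration)
#              2 = parameter not found in the input
check_catalog_noauth() {
    value=$(get_catalog_noauth)
    case "$value" in
        NO|0)
            echo "CATALOG_NOAUTH=$value: compliant, SYSADM authority is required"
            return 0 ;;
        YES|1)
            echo "CATALOG_NOAUTH=$value: MISCONFIGURATION, fix with:"
            echo "  db2 update dbm cfg using CATALOG_NOAUTH NO"
            return 1 ;;
        *)
            echo "CATALOG_NOAUTH not found in input; is this output of 'db2 get dbm cfg'?"
            return 2 ;;
    esac
}

# Run the check against one constructed sample line and return its exit status.
check_sample() {
    printf '%s\n' "$1" | check_catalog_noauth
}

# Offline demonstration against both constructed samples.
check_sample "$SAMPLE_OK"
check_sample "$SAMPLE_WEAK" || true
```

The check reads the parameter from the CLP's human-readable output rather than querying the catalog directly, so it works on any client or server where `db2 get dbm cfg` runs; the parameter line format assumed by the `sed` expression is the one the CLP prints, but the sample lines here are constructed, not captured from an instance.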
- VMSKey
- STIGID
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.

