When installed in silent mode, Db2 creates users with a weak password hashing algorithm, so only the first 8 characters of the supplied password are used and the remaining characters are ignored. This happens only when Db2 itself creates the user during installation; it does not happen if existing users are used during installation. The users created during installation are the instance owner, the fenced user, and the Db2 administration server (DAS) user. It also does not happen when the Db2 installation is done in UI mode.
CVE(s): CVE-2017-1571
Affected product(s) and affected version(s):
All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 editions on all platforms except Windows are affected.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22012948
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/131853
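A check for whether the three installer-created accounts carry a truncating hash in a Linux shadow(5)-format file, added here as an example and not taken from IBM or the bulletin. It assumes the weak algorithm appears as traditional DES crypt(3) entries (the bulletin does not name the algorithm) and that the accounts use the default names db2inst1, db2fenc1 and dasusr1; the sample lines are constructed.

```python
import re

# Assumption: default Db2 account names for the instance owner, fenced user
# and DAS user; substitute the names used in your response file.
DB2_USERS = {"db2inst1", "db2fenc1", "dasusr1"}

# crypt(3) "$id$" prefixes for schemes that do not cut the password at 8 chars.
PREFIXED = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Traditional DES crypt: 2 salt chars + 11 hash chars, no "$" prefix.
# It uses only the first 8 characters of the password.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(field):
    """Name the hashing scheme of one shadow password field."""
    body = field.lstrip("!")              # leading "!" marks a locked account
    if body in ("", "*"):
        return "no-hash"
    if body.startswith("$"):
        return PREFIXED.get(body.split("$")[1], "unknown")
    if DES_CRYPT.fullmatch(body):
        return "des-crypt"
    return "unknown"

def find_truncating(shadow_text, users=None):
    """Return account names (file order) whose entry is DES crypt."""
    flagged = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        name, field = parts[0], parts[1]
        if users is not None and name not in users:
            continue
        if classify(field) == "des-crypt":
            flagged.append(name)
    return flagged

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """root:$6$c0nstructed$AAAAAAAAAAAAAAAA:17500:0:99999:7:::
db2inst1:abCDEFGHIJKLM:17500:0:99999:7:::
db2fenc1:!xyCDEFGHIJKLM:17500:0:99999:7:::
dasusr1:$6$c0nstructed$BBBBBBBBBBBBBBBB:17500:0:99999:7:::
backup:zzCDEFGHIJKLM:17500:0:99999:7:::"""

if __name__ == "__main__":
    for user in find_truncating(SAMPLE, DB2_USERS):
        print(f"{user}: DES crypt entry (8-character truncation)")
```

Passing `users=None` reports every account with a DES crypt entry, not only the Db2 ones.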
The post IBM Security Bulletin: Under specific circumstances IBM® Db2® installation creates users with a weak password hashing algorithm (CVE-2017-1571). appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team http://ift.tt/2peuzoe