IBM Db2 Information Disclosure Vulnerability in CLPPLUS Command

Vulnerability

An information disclosure vulnerability has been identified in the IBM Db2 CLPPLUS command on Linux, UNIX, and Windows, affecting versions 11.1.0 prior to 11.1.4.7, 11.5.0 prior to 11.5.9, and 12.1.0 prior to 12.1.3. The affected command exposes user credentials on the terminal, allowing a third party with physical access to the system to read them.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user credentials, which could then be used to impersonate the user or gain unauthorized access to systems or data.

Reproduction

The vulnerability occurs when the CLPPLUS command is executed with the '-nw' option, which disables the normal windowing interface. When run this way, CLPPLUS displays the user's credentials on the terminal, where anyone with physical access to that terminal can read them.

Remediation

Users can upgrade to the special build containing the interim fix for this issue, available through IBM Fix Central. Instructions for downloading this special build can be found on the IBM Support page.

Added: Nov 7, 2025, 7:38 PM
Updated: Nov 7, 2025, 7:38 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 3.8
remediation: 8.3
relevance: 0.9
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.