
IZ38818: SECURITY: VISIBILITY OF PASSWORDS IN SET ENCRYPTION PASSWORD STATEMENT


APAR status

  • Closed as program error.

Error description

  • The password parameter of SET ENCRYPTION PASSWORD can be made
    visible by users with SYSADM, SYSCTRL, SYSMAINT or SYSMON
    authority

Local fix

  • NA

Problem summary

  • ****************************************************************
    * USERS AFFECTED: *
    * All DB2 systems on all Linux, Unix and Windows platforms at *
    * service levels from Version 9.1 GA through to Version 9.1 *
    * Fix Pack 7 *
    ****************************************************************
    * PROBLEM DESCRIPTION: *
    * See Error Description *
    ****************************************************************
    * RECOMMENDATION: *
    * Upgrade to DB2 Version 9.1 Fix Pack 8 or see "Local Fix" *
    * portion for other suggestions. *
    ****************************************************************
    ERROR DESCRIPTION:
    Environment where problem was first encountered :
    OS : AIX 5.3
    DB2 : DB V9 FP3

    Problem Description :
The encryption password that user1 sets for a column is visible to
user2 if "get snapshot for dynamic sql" is run under user2's login.

    Analysis :
    ----------------------------------------------------------------

    Following is the reproduction scenario :

    > db2 connect to sample

> db2 "create table test_encr (name varchar(15), department char(5),
salary varchar(24) for bit data)"

    > db2 "SET ENCRYPTION PASSWORD = 'MyPass01'"

    > db2 "insert into test_encr values ('Jones', 'DEP01',
    encrypt('25000'))"

Connect to the database with another userid that has the necessary
rights to get a snapshot:

    > db2 get snapshot for dynamic sql on psam | grep -i password

    -> the password is displayed.
    ----------------------------------------------------------------
    Whenever you run the "get snapshot for dynamic sql" from some
    other user's login you get the following output :

    Number of executions = 1
    Number of compilations = 1
    Worst preparation time (ms) = 13
    Best preparation time (ms) = 13
    Internal rows deleted = Not Collected
    Internal rows inserted = Not Collected
    Rows read = Not Collected
    Internal rows updated = Not Collected
    Rows written = Not Collected
    Statement sorts = Not Collected
    Statement sort overflows = Not Collected
    Total sort time = Not Collected
    Buffer pool data logical reads = Not Collected
    Buffer pool data physical reads = Not Collected
    Buffer pool temporary data logical reads = Not Collected
    Buffer pool temporary data physical reads = Not Collected
    Buffer pool index logical reads = Not Collected
    Buffer pool index physical reads = Not Collected
    Buffer pool temporary index logical reads = Not Collected
    Buffer pool temporary index physical reads = Not Collected
    Buffer pool xda logical reads = Not Collected
    Buffer pool xda physical reads = Not Collected
    Buffer pool temporary xda logical reads = Not Collected
    Buffer pool temporary xda physical reads = Not Collected
    Total execution time (sec.ms) = Not Collected
    Total user cpu time (sec.ms) = Not Collected
    Total system cpu time (sec.ms) = Not Collected
    Statement text = insert into test_encr
    values ('Philip', 'DEP02', encrypt('30000')) << ========



    Number of executions = 1
    Number of compilations = 1
    Worst preparation time (ms) = 2
    Best preparation time (ms) = 2
    Internal rows deleted = Not Collected
    Internal rows inserted = Not Collected
    Rows read = Not Collected
    Internal rows updated = Not Collected
    Rows written = Not Collected
    Statement sorts = Not Collected
    Statement sort overflows = Not Collected
    Total sort time = Not Collected
    Buffer pool data logical reads = Not Collected
    Buffer pool data physical reads = Not Collected
    Buffer pool temporary data logical reads = Not Collected
    Buffer pool temporary data physical reads = Not Collected
    Buffer pool index logical reads = Not Collected
    Buffer pool index physical reads = Not Collected
    Buffer pool temporary index logical reads = Not Collected
    Buffer pool temporary index physical reads = Not Collected
    Buffer pool xda logical reads = Not Collected
    Buffer pool xda physical reads = Not Collected
    Buffer pool temporary xda logical reads = Not Collected
    Buffer pool temporary xda physical reads = Not Collected
    Total execution time (sec.ms) = Not Collected
    Total user cpu time (sec.ms) = Not Collected
    Total system cpu time (sec.ms) = Not Collected
    Statement text = SET ENCRYPTION PASSWORD =
    'MyPass01' << ========
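A check a DBA can run over exported snapshot output before it is stored or shared, added here as an example and not part of the APAR: it splits the "get snapshot for dynamic sql" text into records, reports which statements carry a SET ENCRYPTION PASSWORD literal, and masks the literal. The sample snapshot text is constructed in the format shown above, and the function names are this example's own. It only reduces the exposure in copies of the output; the fix for the leak itself is the Fix Pack 8 upgrade the APAR names.

```python
import re
import sys

# Constructed sample: a trimmed "get snapshot for dynamic sql" excerpt in the
# layout the APAR shows (record per statement, blank line between records,
# statement text possibly wrapped onto a continuation line). Not real output.
SAMPLE_SNAPSHOT = """\
Number of executions = 1
Number of compilations = 1
Statement text = insert into test_encr
values ('Philip', 'DEP02', encrypt('30000'))

Number of executions = 1
Number of compilations = 1
Statement text = SET ENCRYPTION PASSWORD =
'MyPass01'

Number of executions = 3
Statement text = select name from test_encr
"""

# Matches the quoted literal of a SET ENCRYPTION PASSWORD statement. Whitespace
# (including the newline from snapshot wrapping) is allowed between the tokens
# and the literal; a doubled quote '' inside the literal is an escaped quote.
PASSWORD_RE = re.compile(
    r"(SET\s+ENCRYPTION\s+PASSWORD\s*=\s*)'((?:[^']|'')*)'",
    re.IGNORECASE,
)


def parse_statements(text: str) -> list[str]:
    """Return the 'Statement text' of every record, each joined onto one line."""
    statements = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        for i, line in enumerate(lines):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "statement text":
                # Everything after the "Statement text" line is a wrapped
                # continuation of the same statement.
                parts = [value.strip()] + [l.strip() for l in lines[i + 1:]]
                statements.append(" ".join(p for p in parts if p))
                break
    return statements


def find_password_statements(text: str) -> list[str]:
    """Return the statements whose text embeds an encryption password literal."""
    return [s for s in parse_statements(text) if PASSWORD_RE.search(s)]


def redact_snapshot(text: str, mask: str = "'<redacted>'") -> tuple[str, int]:
    """Return the snapshot text with password literals masked, plus the hit count."""
    redacted, count = PASSWORD_RE.subn(lambda m: m.group(1) + mask, text)
    return redacted, count


if __name__ == "__main__":
    # Usage: db2 get snapshot for dynamic sql on <db> | python3 redact_snapshot.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNAPSHOT
    for stmt in find_password_statements(raw):
        print("password literal found in statement:", PASSWORD_RE.sub(
            lambda m: m.group(1) + "'<redacted>'", stmt), file=sys.stderr)
    cleaned, hits = redact_snapshot(raw)
    sys.stdout.write(cleaned)
    print(f"{hits} password literal(s) masked", file=sys.stderr)
```

The hit count doubles as a detection signal: any non-zero value on a fix-pack level before the fix means an encryption password has been captured in monitoring data that other authorized snapshot users could read.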

    LOCAL FIX:
    NA

Problem conclusion

  • The complete fix for this problem first appears in DB2 Version
    9.1 Fix Pack 8 and all the subsequent Fix Packs

Temporary fix

  • NA

Comments

APAR Information

  • APAR number

    IZ38818

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-11-27

  • Closed date

    2009-12-15

  • Last modified date

    2009-12-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ38819 IC64853

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R910 PSY

       UP

Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 910

Reference #: IZ38818

Modified date: 15 December 2009