CVE-2022-43930 - Sensitive Information Disclosure in IBM Db2 (10.5, 11.1, 11.5) – Exploit Details, Code Snippet & How To Stay Safe

CVE-2022-43930 is a security issue found in IBM Db2, the popular database used on Linux, UNIX, and Windows systems. This vulnerability can leak sensitive information into system log files and potentially allow attackers to access things that should be kept confidential. In this post, we’ll break down what the issue is, how it can be exploited, show an example, and explain what you should do to protect yourself.

What is CVE-2022-43930?

IBM Db2 versions 10.5, 11.1, and 11.5 were affected by a weakness where sensitive data could end up written into log files. This means if someone got access to those logs, they might see information they're not supposed to—like passwords, personal data, or corporate secrets.

IBM tracks this problem as X-Force ID: 241677.

How Does the Vulnerability Work?

When you use Db2, some actions—especially failed logins, configuration changes, or even application errors—get written to a log file for troubleshooting. In these specific versions, data that should have been masked or omitted, like cleartext user credentials or confidential query data, could sometimes be included in these logs.

Why is that Dangerous?  
If an attacker or unauthorized user can read these logs—be it by being on the same server, or accessing backup files—they could:

Imagine a careless application logs the following line when a user connects

[2024-06-05 10:02:17] AUTHENTICATION FAILURE: user=admin, password=secret123, host=10...2

This line—in a poorly implemented logging system—would put both the username and cleartext password in a place any attacker with read access could get.

Code Snippet – Sensitive Logging Example

In practice, logging like this may be caused by SQL queries or connection errors being logged with all parameters:

-- Example of a vulnerable logging function in a pseudo code snippet
FUNCTION handleDb2Error(errorCode, username, password)
    log("DB2 ERROR: Code=" + errorCode + ", User=" + username + ", Pass=" + password)
END FUNCTION

This function records both the username and password to a log file whenever there’s a database error—violating basic security rules.

How Might Attackers Exploit This?

An attacker with access to a server—due to a stolen credential, rogue employee, malware, or weak file permissions—could:

1. Browse to the /sqllib/db2dump/ or wherever your db2diag.log lives.

Run grep -i password db2diag.log or similar commands, looking for juicy info.

3. Harvest credentials and use them to connect to the database, escalate access, steal data, or do further harm.

Sample Shell Command

grep -i "password" /path/to/db2diag.log

If log rotation or backups exist, attackers may even get historic data.

Identify your Db2 version:

Run db2level at the command line—make sure your version is not 10.5, 11.1, or 11.5 (or see if security patches are installed).

`sh

ls -l /db2_install_path/sqllib/db2dump/db2diag.log

Use words like password, secret, or credential to spot if sensitive data is present.

`sh

grep -E "password|secret|credential" /db2_install_path/sqllib/db2dump/db2diag.log

How To Protect Yourself

A. Update Now!  
IBM has issued a fix. Apply latest Db2 Fix Packs for your version as soon as possible.

B. Secure Log Files:

Turn on log rotation and securely dispose of old logs.

C. Proper Application Logging:  
Do not log sensitive information like passwords in your custom apps.

D. Mask Data in Logs:  
If messages must include user IDs or queries, always mask confidential fields.

Example (Right Way)

log("DB2 ERROR: Code=" + errorCode + ", User=" + username + ", Pass=<hidden>")

E. Monitor Access:
Use SIEM or log monitoring to detect strange access to logs.

Original References & More Reading

- IBM Security Bulletin: Information leak vulnerability in IBM Db2 (CVE-2022-43930)
- IBM X-Force Exchange: CVE-2022-43930
- Db2 Documentation – Keeping your data secure
- Best practices for application logging

Conclusion

CVE-2022-43930 is a high-impact reminder that logs are gold mines for attackers. Even if your database is "safe," leaking sensitive information to a file can be just as damaging.

Never log passwords!

Stay safe out there—and if you need help auditing your systems for this flaw, don’t hesitate to reach out!

Timeline

Published on: 02/17/2023 18:15:00 UTC
Last modified on: 03/01/2023 19:08:00 UTC