CVE-2021-20579 Overview
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 9.7, 10.1, 10.5, 11.1, and 11.5 contain an information disclosure vulnerability that allows authenticated users with the ability to create views or inline SQL functions to obtain sensitive information when the AUTO_REVAL database configuration parameter is set to DEFERRED_FORCE. This vulnerability exposes database contents to users who should not have access to the underlying data.
Critical Impact
Authenticated users can bypass intended data access controls to retrieve sensitive information from the database by exploiting view and inline SQL function creation privileges combined with the DEFERRED_FORCE revalidation setting.
Affected Products
- IBM Db2 9.7 (Linux, UNIX, Windows)
- IBM Db2 10.1 (Linux, UNIX, Windows)
- IBM Db2 10.5 (Linux, UNIX, Windows)
- IBM Db2 11.1 (Linux, UNIX, Windows)
- IBM Db2 11.5 (Linux, UNIX, Windows)
- IBM Db2 Connect Server (all affected versions)
Discovery Timeline
- 2021-06-24 - CVE-2021-20579 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-20579
Vulnerability Analysis
This information disclosure vulnerability stems from improper access control enforcement in IBM Db2 when handling view and inline SQL function revalidation. The vulnerability is specifically triggered when the AUTO_REVAL database configuration parameter is configured with the DEFERRED_FORCE setting. Under this configuration, Db2 delays the revalidation of dependent database objects until they are accessed, and forces revalidation to succeed even when underlying objects have been modified.
When an authenticated user creates a view or inline SQL function, the deferred revalidation mechanism can allow the user to access data that would otherwise be protected by standard access controls. This occurs because the revalidation process under DEFERRED_FORCE may not properly re-evaluate the user's privileges against the underlying tables or data sources.
The vulnerability requires network access and authenticated credentials with CREATE VIEW or CREATE FUNCTION privileges, but does not require any user interaction to exploit. The impact is limited to confidentiality, with no effect on data integrity or system availability.
Root Cause
The root cause of CVE-2021-20579 lies in the implementation of the AUTO_REVAL parameter's DEFERRED_FORCE mode. This configuration option was designed to improve database availability by ensuring dependent objects remain functional even when underlying structures change. However, the implementation fails to properly enforce access control checks during the forced revalidation process, creating a window where users can access data beyond their authorized scope through carefully crafted views or inline SQL functions.
Attack Vector
The attack requires an authenticated user with privileges to create views or inline SQL functions in the target database. The attacker would:
- Identify a target database configured with AUTO_REVAL=DEFERRED_FORCE
- Create a view or inline SQL function that references sensitive data in tables the attacker should not have direct access to
- Query the created view or execute the function to retrieve sensitive information
- The deferred revalidation mechanism improperly grants access to the underlying data
The attacker exploits the timing and privilege evaluation gaps in the deferred revalidation process. When the view or function is accessed, Db2 forces revalidation to succeed without properly verifying that the invoking user has appropriate SELECT permissions on the underlying base tables.
Detection Methods for CVE-2021-20579
Indicators of Compromise
- Unexpected view or inline SQL function creation by users without business justification
- Access patterns showing users querying views that reference tables they lack direct permissions to access
- Audit log entries indicating data access through views by unauthorized users
- Database catalog changes showing new views or functions referencing sensitive tables
Detection Strategies
- Monitor Db2 audit logs for CREATE VIEW and CREATE FUNCTION statements from non-administrative users
- Review AUTO_REVAL configuration settings across all Db2 instances using the db2 get db cfg command
- Implement alerting on view creation events that reference tables containing sensitive data classifications
- Compare user direct table permissions against view definitions to identify potential privilege escalation paths
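The last two strategies above, as an added example that is not part of this page or of IBM's own tooling: a Db2 SQL script that reads the catalog to report the AUTO_REVAL setting and to list views whose owner holds no catalogued SELECT on a base table the view reads. It assumes the standard SYSCAT and SYSIBMADM catalog views and a user with SELECT on them; the same join pattern applies to inline SQL functions via SYSCAT.ROUTINEDEP.

```sql
-- Added example (not IBM's or the page's own code). Run with: db2 -tvf audit_views.sql
-- 1) Is deferred revalidation on? SYSIBMADM.DBCFG mirrors "db2 get db cfg".
SELECT NAME, VALUE, DEFERRED_VALUE
FROM SYSIBMADM.DBCFG
WHERE NAME = 'auto_reval';

-- 2) Views whose owner holds no SELECT/CONTROL on a base table the view reads
--    (neither directly nor via PUBLIC) and does not own that table.
--    VALID = 'N' marks views waiting for revalidation; review those first.
--    Caveat: DBADM/DATAACCESS authority and role or group grants are not
--    resolved here, so treat each row as a lead to confirm, not a finding.
SELECT v.VIEWSCHEMA, v.VIEWNAME, v.OWNER, v.VALID,
       d.BSCHEMA, d.BNAME
FROM SYSCAT.VIEWS v
JOIN SYSCAT.TABDEP d
  ON  d.TABSCHEMA = v.VIEWSCHEMA
  AND d.TABNAME   = v.VIEWNAME
  AND d.DTYPE     = 'V'
WHERE d.BTYPE IN ('T', 'V', 'S')          -- tables, views, MQTs
  AND d.BSCHEMA NOT LIKE 'SYS%'           -- skip catalog and system schemas
  AND NOT EXISTS (
        SELECT 1 FROM SYSCAT.TABAUTH a
        WHERE a.TABSCHEMA = d.BSCHEMA
          AND a.TABNAME   = d.BNAME
          AND a.GRANTEE  IN (v.OWNER, 'PUBLIC')
          AND (a.SELECTAUTH IN ('Y', 'G') OR a.CONTROLAUTH = 'Y'))
  AND NOT EXISTS (
        SELECT 1 FROM SYSCAT.TABLES t   -- the table owner always has access
        WHERE t.TABSCHEMA = d.BSCHEMA
          AND t.TABNAME   = d.BNAME
          AND t.OWNER     = v.OWNER)
ORDER BY v.VALID, v.VIEWSCHEMA, v.VIEWNAME;
```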
Monitoring Recommendations
- Enable comprehensive Db2 auditing including OBJMAINT events for tracking object creation
- Configure SYSLOG or SIEM integration to capture and analyze Db2 security events
- Implement regular reviews of view and function definitions against data access policies
- Monitor for configuration changes to the AUTO_REVAL parameter
How to Mitigate CVE-2021-20579
Immediate Actions Required
- Review and change AUTO_REVAL configuration from DEFERRED_FORCE to a more secure setting such as IMMEDIATE or DISABLED
- Audit existing views and inline SQL functions for potential unauthorized data access paths
- Review user privileges related to CREATE VIEW and CREATE FUNCTION permissions
- Apply the IBM security patch as soon as possible
Patch Information
IBM has released security patches to address this vulnerability. Organizations should apply the appropriate fix pack or interim fix for their Db2 version. Detailed patch information is available through the IBM Support Page. Additional technical details about this vulnerability (IBM X-Force ID: 199283) can be found in the IBM X-Force Vulnerability Report. NetApp customers should also review the NetApp Security Advisory NTAP-20210720-0006 for guidance on affected NetApp products.
Workarounds
- Change the AUTO_REVAL database configuration parameter from DEFERRED_FORCE to IMMEDIATE or DISABLED
- Restrict CREATE VIEW and CREATE FUNCTION privileges to trusted database administrators only
- Implement row-level security or column masking as additional data protection layers
- Use Db2 RCAC (Row and Column Access Control) to enforce fine-grained access controls independent of view definitions
# Configuration example
# Check current AUTO_REVAL setting
db2 get db cfg for <database_name> | grep -i auto_reval
# Change AUTO_REVAL to IMMEDIATE (more secure setting)
db2 update db cfg for <database_name> using AUTO_REVAL IMMEDIATE
# Verify the configuration change
db2 get db cfg for <database_name> | grep -i auto_reval
# Review who can create views. Db2 has no separate CREATE VIEW authority: a view
# needs CREATEIN on its schema (or IMPLICIT_SCHEMA at the database level) plus
# SELECT on the base tables, so list the holders of those two privileges
db2 "SELECT GRANTEE, GRANTEETYPE, SCHEMANAME FROM SYSCAT.SCHEMAAUTH WHERE CREATEINAUTH IN ('Y', 'G')"
db2 "SELECT GRANTEE, GRANTEETYPE FROM SYSCAT.DBAUTH WHERE IMPLSCHEMAAUTH = 'Y'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.