CVE-2021-38931 Overview
CVE-2021-38931 is an information disclosure vulnerability affecting IBM Db2 for Linux, UNIX and Windows, including DB2 Connect Server, versions 11.1 and 11.5. The flaw allows a connected database user to indirectly read data from a table they are not authorized to query directly. The weakness is classified under [CWE-668: Exposure of Resource to Wrong Sphere]. IBM tracks the issue as X-Force ID 210418. Because Db2 is widely deployed for financial, healthcare, and enterprise workloads, unauthorized read access to restricted tables can expose regulated and confidential data.
Critical Impact
An authenticated low-privilege Db2 user can bypass table-level authorization controls and obtain confidential data from restricted tables across affected IBM Db2 11.1 and 11.5 deployments.
Affected Products
- IBM Db2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server)
- IBM Db2 for Linux, UNIX and Windows 11.5 (includes DB2 Connect Server)
- NetApp OnCommand Insight (per NetApp Security Advisory NTAP-20220114)
Discovery Timeline
- 2021-12-09 - CVE-2021-38931 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-38931
Vulnerability Analysis
The issue is an authorization-boundary failure inside the Db2 query engine. A user who is connected to the database and authorized to issue queries can construct statements that indirectly reference a target table for which they lack SELECT privilege. Through that indirect access path, the engine returns values derived from the restricted table to the caller. The result is unauthorized read access to data that table-level privileges and row/column access controls were intended to protect.
The vulnerability requires a valid database session, so it is exploitable by insiders, by attackers who have phished or stolen application credentials, and by any process that already holds a low-privilege Db2 account. Confidentiality is the only impact dimension affected. Integrity and availability of the database remain intact, and no privilege escalation on the host operating system is reported.
Root Cause
The root cause is the exposure of a resource to the wrong control sphere [CWE-668]. Db2's authorization checks are not consistently applied to every execution path that can dereference a table's contents. When the optimizer or a specific SQL construct evaluates an expression that touches the protected table, the privilege check appropriate for direct SELECT access is skipped or evaluated against the wrong principal, allowing data to flow back to the unauthorized user.
Attack Vector
The attack vector is network-based and requires authentication. An attacker with any connected Db2 user account submits SQL that indirectly references the restricted table. No user interaction is required, complexity is low, and the scope is unchanged. Because Db2 is commonly reachable from application servers and middleware, an attacker who compromises an application identity inherits the ability to exercise this flaw against the database tier.
No public proof-of-concept is listed in the advisory, and the CVE is not present on the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is 0.27%. See the IBM Support Knowledge Article and IBM X-Force Vulnerability #210418 for vendor technical detail.
Detection Methods for CVE-2021-38931
Indicators of Compromise
- Db2 audit records showing successful query completion against statements that reference tables for which the executing AUTHID has no granted SELECT privilege.
- Anomalous query patterns from application service accounts that touch sensitive tables outside their normal access path.
- Unexpected growth in result set volume returned to low-privilege users connecting through DB2 Connect Server.
Detection Strategies
- Enable the Db2 audit facility (db2audit) with the EXECUTE and OBJMAINT categories and review events where the AUTHID differs from expected table grantees.
- Compare runtime query targets against the authorization catalog (SYSCAT.TABAUTH) to flag sessions that retrieve data from tables not granted to the connected user.
- Forward Db2 diagnostic and audit logs to a centralized SIEM and alert on queries whose referenced objects fall outside the user's documented privilege set.
Monitoring Recommendations
- Inventory all Db2 11.1 and 11.5 instances, including embedded deployments inside NetApp OnCommand Insight, and confirm patch level.
- Monitor authentication sources to Db2 listeners on TCP 50000/50001 and correlate with application identity behavior baselines.
- Track changes to GRANT/REVOKE statements and audit policy modifications that could mask exploitation attempts.
How to Mitigate CVE-2021-38931
Immediate Actions Required
- Apply the IBM-supplied fix pack for Db2 11.1 and 11.5 as described in the IBM Support Knowledge Article.
- For NetApp OnCommand Insight deployments, follow the remediation guidance in NetApp Security Advisory NTAP-20220114.
- Audit existing database accounts and remove privileges that are not required for the application's documented function.
- Rotate credentials for any account that may have been used to access restricted data prior to patching.
Patch Information
IBM has released fixes for Db2 11.1 and 11.5. Administrators should consult the IBM Support Knowledge Article for the specific fix pack and Special Build identifiers applicable to their version and platform (AIX, HP-UX, Linux, Solaris, Windows). NetApp customers should apply the OnCommand Insight update referenced in advisory NTAP-20220114.
Workarounds
- Restrict Db2 network exposure so that only application servers can reach the database listener, reducing the population of accounts that can submit SQL.
- Tighten table-level privileges and remove indirect grants such as SELECT on views, routines, or aliases that resolve to sensitive tables.
- Enable and continuously review the Db2 audit facility to detect unauthorized access attempts until the fix pack is deployed.
# Enable Db2 audit logging for execution and object-maintenance events
db2audit configure scope execute status both errortype audit
db2audit configure scope objmaint status both errortype audit
db2audit start
# Review tables granted to a specific user to validate least privilege
db2 "SELECT GRANTEE, TABSCHEMA, TABNAME, SELECTAUTH FROM SYSCAT.TABAUTH WHERE GRANTEE = 'APPUSER'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
