CVE-2022-22390 Overview
CVE-2022-22390 is an information disclosure vulnerability affecting IBM Db2 for Linux, UNIX and Windows versions 9.7, 10.1, 10.5, 11.1, and 11.5. The flaw stems from improper privilege management [CWE-269] when a table function is used, allowing unauthorized access to data that should be restricted. An unauthenticated remote attacker can exploit this weakness over the network without user interaction. IBM tracks this issue as X-Force ID 221973.
Critical Impact
Remote attackers can disclose sensitive database information without authentication due to improper privilege enforcement in Db2 table functions.
Affected Products
- IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5
- Linux platforms running affected Db2 versions
- Microsoft Windows and UNIX platforms running affected Db2 versions
Discovery Timeline
- 2022-06-24 - CVE-2022-22390 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-22390
Vulnerability Analysis
The vulnerability resides in IBM Db2's handling of table functions. Table functions return a table of rows and are invoked in the FROM clause of SQL queries. Due to improper privilege management, the database engine fails to correctly enforce access controls when a table function is invoked. This allows a requesting user to retrieve information beyond their authorization scope.
The weakness maps to CWE-269 (Improper Privilege Management). The attack surface is reachable over the network with low complexity. The impact is limited to confidentiality, with no effect on data integrity or service availability, according to the published CVSS vector.
IBM lists the issue against multiple long-supported Db2 release trains, indicating the defect exists in shared code paths spanning Db2 9.7 through 11.5. NetApp also issued a corresponding advisory because affected Db2 components are embedded in some NetApp products.
Root Cause
The root cause is improper privilege enforcement during the execution of table functions. The Db2 authorization layer does not consistently validate whether the invoking user has rights to all data returned through the table function interface. As a result, query results may include rows or columns that should have been filtered by the access control system.
Attack Vector
An attacker requires network connectivity to the Db2 instance and the ability to submit SQL containing a table function invocation. Because the CVSS vector lists Privileges Required as None, the vulnerable code path is reachable in configurations where guest or low-privilege connections can execute queries. Successful exploitation discloses data managed by the database without modifying it. No proof-of-concept exploit is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
IBM describes the vulnerability in prose only; refer to IBM Support Document #6597993 and IBM X-Force Vulnerability #221973 for vendor technical details.
Detection Methods for CVE-2022-22390
Indicators of Compromise
- Unexpected SQL statements invoking table functions from accounts that typically do not run analytic queries.
- Query logs showing access to tables or schemas outside a user's normal authorization scope.
- Anomalous result-set sizes returned from sessions where the user lacks direct SELECT privileges on referenced objects.
Detection Strategies
- Enable the Db2 audit facility (db2audit) to capture EXECUTE and OBJMAINT events involving table functions.
- Correlate database authentication logs with statement-level audit records to identify low-privilege accounts issuing table function calls.
- Compare returned data sets against the invoking user's documented privileges using periodic access reviews.
Monitoring Recommendations
- Forward Db2 audit logs to a centralized SIEM for retention and behavioral analysis.
- Alert on table function invocations originating from service accounts or application identities outside their baseline.
- Monitor for new or unusual table function definitions created with elevated privileges.
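The correlation described in the detection strategies above, as an added example that is not part of this advisory: it assumes the authorization ID and statement text have already been pulled from statement-level (EXECUTE) audit records, matches the Db2 table-function reference syntax TABLE(schema.func(...)), and flags calls from accounts that are not in a per-account baseline. The sample records and the baseline are constructed.

```python
import re
from dataclasses import dataclass

# A Db2 table function is referenced in a FROM clause as TABLE(schema.func(args)).
# The schema qualifier is optional; identifiers may contain $, # and @.
TABLE_FUNC_RE = re.compile(
    r"\bTABLE\s*\(\s*(?:([A-Za-z_][\w$#@]*)\s*\.)?\s*([A-Za-z_][\w$#@]*)\s*\(",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class ExecuteEvent:
    authid: str   # authorization ID that issued the statement (assumed audit field)
    stmt: str     # statement text (assumed audit field)

@dataclass(frozen=True)
class Finding:
    authid: str
    function: str  # qualified name, upper-cased as Db2 stores catalog names

def table_functions_in(stmt):
    """Return the table functions referenced via TABLE(...) in one statement."""
    return [f"{s}.{n}".upper() if s else n.upper()
            for s, n in TABLE_FUNC_RE.findall(stmt)]

def flag_events(events, baseline):
    """baseline maps AUTHID -> set of table functions that account normally calls.
    Any TABLE(...) call from an account outside the baseline, or to a function
    outside that account's expected set, becomes a Finding for analyst review."""
    findings = []
    for ev in events:
        allowed = baseline.get(ev.authid.upper(), set())
        for fn in table_functions_in(ev.stmt):
            if fn not in allowed:
                findings.append(Finding(ev.authid.upper(), fn))
    return findings

# Constructed sample records standing in for extracted audit output (not real data).
SAMPLE_EVENTS = [
    ExecuteEvent("REPORTING", "SELECT * FROM TABLE(FIN.LEDGER_ROWS('2022')) AS t"),
    ExecuteEvent("WEBAPP", "SELECT id FROM app.orders WHERE cust = ?"),
    ExecuteEvent("WEBAPP", "select t.* from table( hr.salary_detail(1) ) as t"),
    ExecuteEvent("GUEST", "SELECT * FROM TABLE(SALES.REGION_TOTALS(3)) AS t"),
]
BASELINE = {"REPORTING": {"FIN.LEDGER_ROWS"}}  # constructed expected-usage baseline

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS, BASELINE):
        print(f"review: {f.authid} invoked table function {f.function}")
```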
How to Mitigate CVE-2022-22390
Immediate Actions Required
- Apply the fix pack referenced in the IBM Support Document #6597993 for the relevant Db2 release.
- Inventory all Db2 9.7, 10.1, 10.5, 11.1, and 11.5 instances and prioritize internet-exposed or multi-tenant systems.
- Review and tighten privileges on table functions; revoke EXECUTE from PUBLIC where not required.
- For embedded Db2 deployments, review the NetApp Security Advisory NTAP-20220729-0007 for platform-specific guidance.
Patch Information
IBM published fix pack guidance in IBM Support Document #6597993. Customers should upgrade affected Db2 instances to the remediated fix pack level for their major version. NetApp customers running affected products should follow the remediation path in NTAP-20220729-0007.
Workarounds
- Restrict network access to Db2 listener ports to trusted application hosts only.
- Revoke EXECUTE privileges on non-essential table functions from PUBLIC and broad roles.
- Require strong authentication for all Db2 connections and disable anonymous or guest access where possible.
# Example: revoke EXECUTE on a table function from PUBLIC
# Run from a session already connected to the database (db2 connect to <dbname>).
# RESTRICT is a required keyword in the Db2 LUW REVOKE EXECUTE syntax; the revoke
# fails if a dependent view, trigger or routine still relies on the privilege.
db2 "REVOKE EXECUTE ON FUNCTION schema.tablefunc FROM PUBLIC RESTRICT"
# If the function name is overloaded, name the signature or use the specific name:
# db2 "REVOKE EXECUTE ON SPECIFIC FUNCTION schema.tablefunc_specific FROM PUBLIC RESTRICT"
# Example: enable Db2 audit for execute events (successful and failed statements)
db2audit configure scope execute status both
db2audit start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.