
             AUSCERT External Security Bulletin Redistribution

             IBM Db2 Mirror for i is affected by CVE-2019-4536
                              26 August 2019


        AusCERT Security Bulletin Summary

Product:           IBM Db2 Mirror for i
Publisher:         IBM
Operating System:  IBM i
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4536  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Db2 Mirror for i is affected by CVE-2019-4536

Product:             IBM i
Software version:    7.4
Operating system(s): IBM i
Reference #:         1071586


IBM Db2 Mirror for i configurations may be subject to this security
vulnerability. A PTF for IBM i 7.4 and remediation steps are available.

Vulnerability Details

CVEID: CVE-2019-4536
DESCRIPTION: IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF)
on a system which has been configured with Db2 Mirror for i might have user
profiles with elevated privileges caused by incorrect processing during a
restore of multiple user profiles. A user with restore privileges could exploit
this vulnerability to obtain elevated privileges on the restored system.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/165592
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

IBM i 7.4 with Db2 Mirror for i might be affected.


Take the following steps:

 1. apply the PTF to IBM i 7.4, and
 2. on systems with Db2 Mirror configured, review the scenarios below and take
    the steps if needed.

The IBM i PTF number is:
Release 7.4 - SI70767

If a Restore User Profile (RSTUSRPRF) has been done on an IBM i 7.4 system with
Db2 Mirror configured prior to applying the PTF, remediation is required after
applying the PTF for the following issues.

Issue #1: After the re-sync, there may be error entries on the Object Tracking
List (OTL) for some system user profiles.
Issue #2: User profiles that were restored may have been given elevated
privileges on both the source and target systems during the re-sync processing.

Remediation steps for both issues:

 1. Delete any user profile error entries on the OTL that contain 'RSTUSRPRF
    user_name' in the Description field. Use the GUI to delete the entries.
 2. Resume Db2 Mirror using the GUI.
 3. Redo the RSTUSRPRF. You MUST use the same Save Security Data (SAVSECDTA)
    media as the original RSTUSRPRF. Do not use a SAVSECDTA media that was
    created after doing a RSTUSRPRF with Db2 Mirror configured and without the
    PTF applied.

There is no issue with RSTUSRPRF on a system that does not have Db2 Mirror configured.
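Before and after redoing the RSTUSRPRF in step 3, it is worth recording which profiles
hold which special authorities, so that the effect of the re-sync is observed rather
than assumed. The following SQL is an added example and is not part of the IBM or
AusCERT bulletin. It uses the IBM i SQL services QSYS2.PTF_INFO and QSYS2.USER_INFO;
the library name MYLIB and the two snapshot table names are placeholders chosen here,
and the status values quoted in the comments are what PTF_INFO reports on current
releases, so confirm them on your own system.

```sql
-- Added example, not from the IBM or AusCERT bulletin. Run in ACS "Run SQL Scripts"
-- or STRSQL on each node of the Db2 Mirror pair. Assumes the IBM i SQL services
-- QSYS2.PTF_INFO and QSYS2.USER_INFO; MYLIB and the two table names are placeholders.

-- 1. Confirm SI70767 is applied on this node before redoing RSTUSRPRF.
SELECT PTF_PRODUCT_ID, PTF_IDENTIFIER, PTF_LOADED_STATUS, PTF_IPL_ACTION
  FROM QSYS2.PTF_INFO
 WHERE PTF_IDENTIFIER = 'SI70767';
-- No row, or a status other than APPLIED / PERMANENTLY APPLIED, means stop here.

-- 2. Snapshot the profiles as they stand after the faulty restore (before step 3).
CREATE TABLE MYLIB.USRPRF_BEFORE AS
  (SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES, GROUP_PROFILE_NAME
     FROM QSYS2.USER_INFO) WITH DATA;

-- 3. Redo the RSTUSRPRF from the original SAVSECDTA media, then snapshot again.
CREATE TABLE MYLIB.USRPRF_AFTER AS
  (SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES, GROUP_PROFILE_NAME
     FROM QSYS2.USER_INFO) WITH DATA;

-- 4. Show every profile whose user class or special authorities changed, plus any
--    profile present in only one snapshot. Rows where BEFORE_REDO carries *ALLOBJ
--    or *SECADM and AFTER_REDO does not are the profiles that had been elevated.
--    COALESCE guards the comparison: a profile with no special authority may report
--    NULL rather than blanks, and NULL <> 'x' is not true, so it would be missed.
SELECT COALESCE(B.AUTHORIZATION_NAME, A.AUTHORIZATION_NAME) AS PROFILE_NAME,
       B.USER_CLASS_NAME      AS CLASS_BEFORE,
       A.USER_CLASS_NAME      AS CLASS_AFTER,
       B.SPECIAL_AUTHORITIES  AS BEFORE_REDO,
       A.SPECIAL_AUTHORITIES  AS AFTER_REDO
  FROM MYLIB.USRPRF_BEFORE B
  FULL OUTER JOIN MYLIB.USRPRF_AFTER A
    ON A.AUTHORIZATION_NAME = B.AUTHORIZATION_NAME
 WHERE COALESCE(B.SPECIAL_AUTHORITIES, '') <> COALESCE(A.SPECIAL_AUTHORITIES, '')
    OR COALESCE(B.USER_CLASS_NAME, '')     <> COALESCE(A.USER_CLASS_NAME, '')
    OR B.AUTHORIZATION_NAME IS NULL
    OR A.AUTHORIZATION_NAME IS NULL
 ORDER BY PROFILE_NAME;

-- 5. Independently of the diff, list who currently holds the two most powerful
--    special authorities, to reconcile against the profiles on the SAVSECDTA media.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY AUTHORIZATION_NAME;
```

Because the bulletin states that restored profiles may have been elevated on both the
source and the target, run the checks on both nodes, not only the one where the
RSTUSRPRF was issued. The CL command DSPPTF LICPGM(5770SS1) SELECT(SI70767) answers
the same question as step 1 from a command line. Drop the two snapshot tables once the
comparison has been reviewed and recorded.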

Important note: IBM recommends that all users running unsupported versions of
affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations


Change History

23 August 2019: Original Version Published

        Cross reference information
 Product  Component  Platform  Version  Edition
 IBM i    7.4        IBM i     7.4

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967