Db2 (On Premises and Cloud)

Expand all | Collapse all

Db2 BETA code connect with wrong user and wrong password possible

  • 1.  Db2 BETA code connect with wrong user and wrong password possible

    Posted Wed April 29, 2020 03:47 PM
    Edited by Gerhard Paulus Wed April 29, 2020 04:20 PM
    Hi,
    I am able to connect (current BETA code) to the database with wrong username and wrong password.

    db2level
    DB21085I This instance or install (instance name, where applicable:
    "db2fed01") uses "64" bits and DB2 code release "SQL11054" with level
    identifier "0605010F".
    Informational tokens are "DB2 v11.5.4.0", "s2003191500", "DYN2003191500AMD64",
    and Fix Pack "0".
    Product is installed at "/db2/db2v115m4fp0s2003191500".

    Current user and password (user db2fed01 exists)
    gerhard@t450s:~$ db2 connect to fed01 user db2fed01
    Enter current password for db2fed01:

    Database Connection Information

    Database server = DB2/LINUXX8664 11.5.4.0
    SQL authorization ID = DB2FED01
    Local database alias = FED01

    Wrong user and password (user db2f does not exist)
    gerhard@t450s:~$ db2 connect to fed01 user db2f
    Enter current password for db2f:

    Database Connection Information

    Database server = DB2/LINUXX8664 11.5.4.0
    SQL authorization ID = DB2F
    Local database alias = FED01

    And furthermore the wrong user with wrong authenticated password is able to create tables!

    db2 "create table (i int)"
    DB20000I The SQL command completed successfully.


    Regards, Gerhard

    ------------------------------
    Gerhard Paulus
    ------------------------------


  • 2.  RE: Db2 BETA code connect with wrong user and wrong password possible

    Posted Thu April 30, 2020 02:39 AM
    Edited by Erwin Hattingh Thu April 30, 2020 02:49 AM
    very convenient , lol. My oh my
    Guess there is a new setting for DB2AUTH registry variable ..... :-)  db2set DB2AUTH=WHOCARES

    ---------------------------
    Erwin Hattingh
    Systems Engineer / Db2 DBA
    ------------------------------



  • 3.  RE: Db2 BETA code connect with wrong user and wrong password possible

    Posted Thu April 30, 2020 03:29 PM
    Hi,
    the problem is contained in the build from March
    DB21085I This instance or install (instance name, where applicable:
    "db2test2") uses "64" bits and DB2 code release "SQL11054" with level
    identifier "0605010F".
    Informational tokens are "DB2 v11.5.4.0", "s2002251500", "DYN2002251500AMD64",
    and Fix Pack "0".

    When I install it -> create an instance and database then I am able to connect with not existing users.
    When I db2iupdt this instance with the build from April then this problem still exists.

    DB21085I This instance or install (instance name, where applicable: "db2test")
    uses "64" bits and DB2 code release "SQL11054" with level identifier
    "06050

    Informational tokens are "DB2 v11.5.4.0", "s2003191500", "DYN2003191500AMD64",
    and Fix Pack "0".

    But when I install a complete fresh install with the build from April the problem is not reproducable.
    So with the current build from yesterday it is solved in my eyes.

    Regards,
    Gerhard

    ------------------------------
    Gerhard Paulus
    ------------------------------