1

We are getting ” IBM DB2 Universal Database Known Default Password Vulnerability” alert in PCI scans. To fix this we should change the DB2 default password.

anybody from DBA can help us on this?

For more information on this please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0051

mithuna kous
  • 309
  • 3
  • 11
  • In the CVE report it says it is for DB2 V6, for WinNT and other OSs around 2000 year. You must update your DB2 version before trying to solve this issue. – AngocA Jan 18 '13 at 15:18
  • When you want to ask DBA's, you should use [http://dba.stackexchange.com/](http://dba.stackexchange.com/) – WarrenT Jan 19 '13 at 18:48

1 Answers1

5

DB2 does not store user authentication credentials, but uses external systems for authentication - DB2 For Linux, Unix, Windows (LUW) by default uses underlying OS for auth.

If you have Linux installation, SSH to machine and check if "db2inst1" user exists in OS. If so, just change its password (sudo passwd db2inst) in OS shell. Of course this is only default user name, your actual may differ (but on Linux it will be the same as DB2 instance name, hence the warning of scanner).

The "use underlying OS for authentication" is default on Windows machine as well, but db2 sysadmin user name may differ from instance name.

Mariusz Sakowski
  • 3,232
  • 14
  • 21
  • Also, you can create another instance (db2icrt) with another name, to prevent to use the 'standard' name, and then, you move the database to the new instance. – AngocA Jan 18 '13 at 15:21