Changes to Db2 authorities in Db2 11.5.7

To address a potential security vulnerability in Db2, some privileges that could previously be granted under a database-level authority now require the instance-level authority, SYSADM. A new registry variable can be used to revert to your previous security configuration.

Attention: This mod pack release is currently available for the following Db2 products. Db2 on Cloud and Db2 Warehouse on Cloud will be updated to version 11.5.7 early in 2022.

Changed Db2 authorities

Table 1. Changed authorities in Db2 11.5.7

Authority: SYSADM is needed to GRANT these privileges
  • EXECUTE on the UTL_DIR module
  • CREATE_EXTERNAL_ROUTINE on the database
  • CREATE_NOT_FENCED_ROUTINE on the database
New behavior: Instead of SECADM or ACCESSCTRL, SYSADM authority is now needed to grant the EXECUTE privilege on the UTL_DIR module. SYSADM authority is also needed to grant CREATE_EXTERNAL_ROUTINE and CREATE_NOT_FENCED_ROUTINE on the database. These privileges control access to instance resources that exist outside of the database, so an instance-level authority is required to prevent abuse across databases.
The new DB2_ALTERNATE_AUTHZ_BEHAVIOUR registry variable can be used to revert this behavior in situations where the change is undesirable.

Authority: SYSADM has implicit EXECUTE privilege on the UTL_DIR module
New behavior: Users holding SYSADM authority now have the implicit privilege to execute the UTL_DIR module.
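The following SQL is an added example and is not part of the IBM documentation above. It shows the three GRANT statements whose authorization requirement changes in 11.5.7, preceded by the catalog queries an administrator would run to review who already holds those privileges. It assumes the catalog views SYSCAT.DBAUTH (columns EXTERNALROUTINEAUTH and NOFENCEAUTH) and SYSCAT.MODULEAUTH, and that the UTL_DIR module lives in the SYSIBMADM schema; APPUSER is a constructed authorization ID.

```sql
-- Added example, not from the IBM page. Assumes SYSCAT.DBAUTH, SYSCAT.MODULEAUTH
-- and the SYSIBMADM.UTL_DIR module; APPUSER is a constructed authorization ID.

-- 1. Review who currently holds the two database-level privileges whose
--    granting now requires SYSADM. Both control routines that run with
--    instance-level reach, so the grantee list deserves a periodic look.
SELECT grantee, granteetype, externalroutineauth, nofenceauth
  FROM syscat.dbauth
 WHERE externalroutineauth = 'Y'
    OR nofenceauth = 'Y';

-- 2. Review who can execute the UTL_DIR module (instance resources outside
--    the database). SYSADM holders do not appear here: their EXECUTE privilege
--    on UTL_DIR is implicit as of 11.5.7.
SELECT grantee, granteetype, executeauth
  FROM syscat.moduleauth
 WHERE moduleschema = 'SYSIBMADM'
   AND modulename   = 'UTL_DIR';

-- 3. The GRANT syntax is unchanged; what changed is who may run it. With the
--    default 11.5.7 behavior these statements succeed only when the connected
--    authorization ID holds SYSADM. Under SECADM or ACCESSCTRL alone they are
--    now rejected, unless DB2_ALTERNATE_AUTHZ_BEHAVIOUR restores the old rule.
GRANT EXECUTE ON MODULE SYSIBMADM.UTL_DIR TO USER appuser;
GRANT CREATE_EXTERNAL_ROUTINE ON DATABASE TO USER appuser;
GRANT CREATE_NOT_FENCED_ROUTINE ON DATABASE TO USER appuser;

-- 4. Revoking is the counterpart when the review in steps 1 and 2 finds a
--    grantee that no longer needs instance-level reach.
REVOKE CREATE_NOT_FENCED_ROUTINE ON DATABASE FROM USER appuser;
REVOKE EXECUTE ON MODULE SYSIBMADM.UTL_DIR FROM USER appuser;
```

Run steps 1 and 2 from any connection with SELECT on the catalog views; steps 3 and 4 are the statements whose required authority the table above describes, so run them from a connection that holds SYSADM when the 11.5.7 default behavior is in effect.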