PT-2018-12372 · Ibm · Ibm Db2+2

Published: 2018-03-22 · Updated: 2020-08-24 · CVE-2018-1426
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: IBM GSKit (IBM DB2 for Linux, UNIX and Windows) versions 9.7 through 11.1
Description: The issue concerns the PRNG state being duplicated across fork() system calls when multiple ICC instances are loaded, which can lead to duplicate Session IDs and a risk of duplicate key material. Additionally, the GSKit CMS KDB logic fails to properly salt the hash function, resulting in weaker protection of stored passwords, which may allow a weak password to be recovered.
Recommendations: For versions 9.7 through 11.1, update the software to address the PRNG state duplication and hash function salting issues, and then change passwords so that they are stored with the corrected, salted hashing.
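The two weaknesses the description names, modelled as an added Python example that is not part of this advisory and is not IBM GSKit code: fork() is stood in for by copying the generator state (which is what the memory copy made by fork() does to a userspace PRNG), the seed and passwords are constructed values, and PBKDF2-HMAC-SHA256 from hashlib is used as a stand-in for a properly salted password hash, since the advisory does not say which hash the CMS KDB logic uses. The example shows why a child process that inherits PRNG state emits the same stream as its parent until it is reseeded, and why an unsalted digest gives every user with the same password the same stored value.

```python
"""Models of the two weaknesses in the advisory: PRNG state inherited across
fork(), and password hashing without a salt. Added example, not GSKit code."""
import copy
import hashlib
import hmac
import os
import random
from typing import List, Optional, Tuple


def prng_outputs_after_fork(seed: int = 1234, count: int = 4,
                            reseed_child: bool = False) -> Tuple[List[int], List[int]]:
    """Model of a userspace PRNG across fork().

    fork() gives the child a byte-for-byte copy of the parent's memory, so the
    child's generator starts from exactly the parent's internal state. That copy
    is modelled here with copy.deepcopy(); the seed is a constructed value.
    With reseed_child=True the child mixes in fresh OS entropy after the
    "fork", which is the mitigation. Returns (parent_stream, child_stream).
    """
    parent = random.Random(seed)
    child = copy.deepcopy(parent)        # stands in for the memory copy made by fork()
    if reseed_child:
        child.seed(os.urandom(32))       # reseed from the OS in the child
    parent_stream = [parent.getrandbits(32) for _ in range(count)]
    child_stream = [child.getrandbits(32) for _ in range(count)]
    return parent_stream, child_stream


def unsalted_digest(password: str) -> str:
    """Hash with no salt: every user with the same password gets the same
    stored value, so one precomputed table of digests covers all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt per
    password means equal passwords produce different digests. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> None:
    parent, child = prng_outputs_after_fork()
    print("inherited state, streams identical:", parent == child)
    parent, child = prng_outputs_after_fork(reseed_child=True)
    print("child reseeded, streams identical:", parent == child)

    pw = "correct horse"                 # constructed sample password
    print("unsalted digests equal for two users:",
          unsalted_digest(pw) == unsalted_digest(pw))
    s1, d1 = salted_hash(pw)
    s2, d2 = salted_hash(pw)
    print("salted digests equal for two users:", d1 == d2)
    print("verification with stored salt:", verify_salted(pw, s1, d1))


if __name__ == "__main__":
    demo()
```

The reseed step is the point of the fix for the first weakness: the parent's stream is unchanged, only the child stops sharing it. For the second, the salt is stored next to the digest in the clear; its job is not secrecy but making each stored value unique so a single table of digests no longer matches every account.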

Fix


Weakness Enumeration

Related identifiers

CVE-2018-1426

Affected products

Ibm Aix
Ibm Db2
Ibm Gskit