Information
The table function SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID returns the roles for the specified authorization ID. In a non-restrictive database this table function has EXECUTE granted to public. It is recommended that public should not be able to execute this routine.
Rationale:
A malicious user may use this function to conduct information gathering regarding the roles that a user belongs to.
Solution
Perform the following to revoke access from PUBLIC.
Connect to the Db2 database.
db2 => connect to <dbname>
Run the following command:
db2 => revoke EXECUTE on function
SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID from public RESTRICT