
Security Bulletin: IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data have released a fix in response to multiple vulnerabilities found in IBM Db2®



Summary

IBM has released the following fix for IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in IBM Db2®.

Vulnerability Details

CVEID:   CVE-2021-38931
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. IBM X-Force ID: 210418.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-29678
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. IBM X-Force ID: 199914.
CVSS Base score: 8.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199914 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

CVEID:   CVE-2021-20373
DESCRIPTION:   IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195521 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-39002
DESCRIPTION:   IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213217 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-38926
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 210321.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210321 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)                                       Version(s)
IBM® Db2® On Openshift                                    All
IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data        All

Remediation/Fixes

Customers running any vulnerable fix pack level of an affected program (V11.5, Cloud Pak for Data 3.5, or Cloud Pak for Data 4.0) can download the latest IBM Db2 On Openshift or IBM Db2 and Db2 Warehouse on Cloud Pak for Data fix pack release containing the fix for these issues. These builds are based on the V11.5.6.0 fix pack release and the Cloud Pak for Data 4.0.3 fix pack release. They can be applied to any affected fix pack level of the appropriate release to remediate these vulnerabilities.

Please note: If the affected release is any fix pack level of Cloud Pak for Data 3.5, you must first upgrade to Cloud Pak for Data 4.0 and then apply the latest fix pack release.

Release                                                   Fixed in Fix Pack
IBM® Db2® On Openshift                                    V11.5.7.0
IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data        V4.0.4

For more information on how to update to a fix pack, refer to the following documentation:

IBM® Db2® On Openshift: https://www.ibm.com/docs/en/db2/11.5?topic=1156-upgrading-updating

IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=upgrading
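The check below is an added example and is not IBM's code or tooling. It encodes the "Fixed in Fix Pack" table and the Cloud Pak for Data 3.5 note from this bulletin as data, parses a dotted version out of an installed-level string (the sample `db2level`-style line is constructed for illustration), and reports whether a given installation is at or above the remediated level and what action the bulletin prescribes. The product keys (`db2-openshift`, `db2-cp4d`) are names chosen for this example.

```python
import re
from typing import Dict, Tuple

# Fixed-in levels taken from the bulletin's Remediation/Fixes table.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "db2-openshift": (11, 5, 7, 0),  # IBM Db2 On Openshift, fixed in V11.5.7.0
    "db2-cp4d": (4, 0, 4),           # IBM Db2 / Db2 Warehouse on Cloud Pak for Data, fixed in V4.0.4
}

# Constructed sample of an installed-level line (illustrative, not captured output).
SAMPLE_DB2LEVEL_LINE = 'Informational tokens are "DB2 v11.5.6.0", "s2106221948", and Fix Pack "0".'


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the first dotted numeric version in text, e.g. 'DB2 v11.5.6.0' -> (11, 5, 6, 0)."""
    match = re.search(r"v?(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _padded(version: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (4, 0, 4) and (4, 0, 4, 0) compare as equal."""
    return tuple(version) + (0,) * (length - len(version))


def assess(product: str, installed: str) -> Dict[str, object]:
    """Compare an installed level against the bulletin's fixed level and name the required action."""
    if product not in FIXED_IN:
        raise KeyError(f"unknown product key {product!r}; expected one of {sorted(FIXED_IN)}")
    fixed = FIXED_IN[product]
    current = parse_version(installed)
    width = max(len(current), len(fixed))
    remediated = _padded(current, width) >= _padded(fixed, width)

    # Bulletin note: Cloud Pak for Data 3.5 cannot be patched in place; it must be upgraded to 4.0 first.
    if product == "db2-cp4d" and current[:2] == (3, 5):
        action = "upgrade to Cloud Pak for Data 4.0, then apply fix pack 4.0.4"
    elif remediated:
        action = "none; installed level is at or above the fixed level"
    else:
        action = "apply fix pack " + ".".join(str(p) for p in fixed)

    return {
        "product": product,
        "installed": ".".join(str(p) for p in current),
        "fixed_in": ".".join(str(p) for p in fixed),
        "remediated": remediated,
        "action": action,
    }


if __name__ == "__main__":
    for product, level in [
        ("db2-openshift", SAMPLE_DB2LEVEL_LINE),
        ("db2-openshift", "11.5.7.0"),
        ("db2-cp4d", "4.0.3"),
        ("db2-cp4d", "3.5.2"),
    ]:
        print(assess(product, level))
```

Run it with the installed level taken from your own environment; the output names the fixed level from the table above and whether the 3.5-to-4.0 upgrade step applies before the fix pack can be installed.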


Workarounds and Mitigations

None


References


Change History

21 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide


Document Information

Modified date:
21 December 2021

Initial Publish date:
21 December 2021

UID

ibm16536602