IBM Support

Security Bulletin: Multiple vulnerabilities found in Db2® affect IBM Cloud Pak System Software and Cloud Pak System Software Suite

Security Bulletin


Summary

IBM Db2® is shipped with IBM Cloud Pak System Software and Cloud Pak System Software Suite. IBM Db2 is a component of Platform System Manager and of the Db2 pattern type (pType). Multiple vulnerabilities have been found in Db2® that affect Cloud Pak System Software and Cloud Pak System Software Suite. IBM Cloud Pak System has released a fix in response to these vulnerabilities: the Cloud Pak System v2.3.3.4 update moves Db2 to v11.5.7 and adds support for Db2 Advanced Edition.

Vulnerability Details

CVEID:   CVE-2020-4976
DESCRIPTION:   IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. IBM X-Force ID: 192469.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2021-29752
DESCRIPTION:   IBM Db2 11.2 and 11.5 contains an information disclosure vulnerability, exposing remote storage credentials to privileged users under specific conditions. IBM X-Force ID: 201780.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201780 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-29763
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5, under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory and cause a denial of service. IBM X-Force ID: 202267.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202267 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-29825
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. IBM X-Force ID: 204470.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204470 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2020-5024
DESCRIPTION:   IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due a hang in the SSL handshake response. IBM X-Force ID: 193660.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-5025
DESCRIPTION:   IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 193661.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193661 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-29777
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5, under the specific circumstance of a table being dropped while being accessed in another session, could allow an authenticated user to cause a denial of service. IBM X-Force ID: 203031.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203031 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-20579
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user who can create a view or inline SQL function to obtain sensitive information when AUTO_REVAL is set to DEFERRED_FORCE. IBM X-Force ID: 199283.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-29703
DESCRIPTION:   Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted SELECT statement. IBM X-Force ID: 200659.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200659 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-4885
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition on a symbolic link. IBM X-Force ID: 190909.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190909 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2020-4945
DESCRIPTION:   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to overwrite arbitrary files due to improper group permissions. IBM X-Force ID: 191945.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191945 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Main Product(s) Version(s): IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite V2.3.2.0, V2.3.3.0, V2.3.3.1, V2.3.3.2, V2.3.3.3
Affected Supporting Product version(s): IBM Db2 LUW V11.5

Main Product(s) Version(s): IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite V2.3.0.1, V2.3.1.1
Affected Supporting Product version(s): IBM Db2 LUW V11.1

Notice: Db2 for Linux, Unix, and Windows, and Db2 Connect v11.1 reach end of support on April 30, 2022, as per IBM Withdrawal Announcement 920-049.


Remediation/Fixes

For all minor release versions that are end of support or otherwise unsupported, the recommendation is to upgrade to the latest fixed release.

Multiple vulnerabilities have been identified in Db2, which is shipped with Cloud Pak System components. IBM Cloud Pak System has released a fix with IBM Cloud Pak System Software v2.3.3.4, which updates Db2 in Platform System Manager and in pType 1.2.17 to Db2 v11.5.7. Additionally, IBM Cloud Pak System v2.3.3.4 ships with support for Db2 Advanced Edition.

Consult the following security bulletins for IBM Db2 for vulnerability details and information about fixes.

Security :  IBM® Db2®  is vulnerable to a denial of service (CVE-2020-5024) 
https://www.ibm.com/support/pages/node/6427861

Security :  IBM® Db2®  db2fm is vulnerable to a buffer overflow (CVE-2020-5025) 
https://www.ibm.com/support/pages/node/6427855

Security : Under special circumstances, Db2 is vulnerable to a denial of service during drop table (CVE-2021-29777)
https://www.ibm.com/support/pages/node/6466373

Security: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579)
https://www.ibm.com/support/pages/node/6466369

Security : IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted SELECT statement. (CVE-2021-29703)
https://www.ibm.com/support/pages/node/6466371

Security: Multiple vulnerabilities in dependent libraries affect IBM® Db2® leading to denial of service or privilege escalation.
https://www.ibm.com/support/pages/node/6466365

Security : IBM® Db2® could allow a local user to access and change the configuration of Db2 due to a race condition via a symbolic link. (CVE-2020-4885)
https://www.ibm.com/support/pages/node/6466363

Security: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945)
https://www.ibm.com/support/pages/node/6466367

Security:  IBM® Db2®  could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976)
https://www.ibm.com/support/pages/node/6489495

Security: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions. (CVE-2021-29752)
https://www.ibm.com/support/pages/node/6489489

Security:  IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory and cause a denial of service. (CVE-2021-29763)
https://www.ibm.com/support/pages/node/6489493

Security:  IBM® Db2®  could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP.  (CVE-2021-29825)
https://www.ibm.com/support/pages/node/6489499


The fix requires a minimum fix pack level of Cloud Pak System v2.3.3.0 and Db2 v11.5.0.0.

For Cloud Pak System V2.3.0.1, V2.3.1.1, V2.3.2.0:

  • Upgrade to the minimum fix pack levels required by the fix and then apply the fix.

For Cloud Pak System V2.3.3.0, V2.3.3.1, V2.3.3.2, V2.3.3.3, V2.3.3.3 interim Fix1:

  • Upgrade to IBM Cloud Pak System V2.3.3.4, whose Platform System Manager update moves Db2 to v11.5.7.

Information on upgrading is available here: http://www.ibm.com/support/docview.wss?uid=ibm10887959.

Workarounds and Mitigations

None

References

Change History

05 May 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
06 May 2022

UID

ibm16583541