Security Bulletin
Summary
IBM Data Virtualization on Cloud Pak for Data embeds a variant of the IBM Db2 database server that runs in MPP mode. For MPP functionality such as scale-out, the server uses the secure shell (SSH) protocol internally for inter-pod communication. The SSH service is not exposed to external users or processes. Data Virtualization uses OpenSSH packages for SSH. OpenSSH is vulnerable to CVE-2024-6387, which can allow a remote attacker to run arbitrary code as a privileged user on the system by sending a specially crafted request.
Vulnerability Details
CVEID: CVE-2024-6387
DESCRIPTION: OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Affected Product(s) | Data Virtualization Version(s) | Cloud Pak for Data Version(s) |
IBM Data Virtualization on Cloud Pak for Data | 3.0.0 | 5.0.0 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
Affected Product | Data Virtualization Version | Cloud Pak for Data Version | Fixes |
IBM Data Virtualization on Cloud Pak for Data | 3.0.0 | 5.0.0 | Follow the instructions below to apply the patch and update the affected images. Use the following patched image digest values: 1. For the db2u.watsonquery image: sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e 2. For the db2u.dv.utils image: sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe |
Important:
- The Data Virtualization instance is restarted during the process. Schedule some downtime for the Data Virtualization instance when you plan to complete these steps.
- You do not have to apply the patch to all Data Virtualization instances at the same time. However, it is strongly recommended that you apply this patch to all Data Virtualization instances as soon as possible to address the vulnerability.
Before you begin:
- If you use a private container registry to host the IBM Cloud Pak for Data software images, you must mirror the patch images from the IBM Entitled Registry. For more information, see Preparing to run IBM Cloud Pak for Data installs from a private container registry.
To apply the patch, complete steps A and B:
A. Create a new section in the db2u-release ConfigMap:
This new section has the same content as the 12.1.0.0 section, other than the digest values of the db2u.watsonquery and db2u.dv.utils (dvutils) images.
1. To check which namespace the db2u-release ConfigMap is in, run the following command:
oc get configmap -A | grep db2u-release
2. Specify the namespace as the value for DB2U_OPERATOR_NAMESPACE:
DB2U_OPERATOR_NAMESPACE=[add the operator namespace value here]
oc project ${DB2U_OPERATOR_NAMESPACE}
oc edit configmap db2u-release
3. Copy the 12.1.0.0 section and add a new section after it. Name the new section 12.1.0.0-sb1. Add a comma "," to separate the 12.1.0.0 and 12.1.0.0-sb1 sections. Don't change the existing 12.1.0.0 section.
4. In the 12.1.0.0-sb1 section, make the following changes:
i. Change "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:c69dcfe77773bfe9ddd83ea6436f036ed329a7dbe8bcd05f56a0699debfc3eaa to "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e
ii. Change "dvutils": icr.io/db2u/db2u.dv.utils@sha256:4b58edae6e92f43c7977ae10ddad4bba89053b96df4f9b4590dbdeca15ac6dbd to "dvutils": icr.io/db2u/db2u.dv.utils@sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe
Note: The new 12.1.0.0-sb1 section must include all listed images from the 12.1.0.0 section. The only difference between 12.1.0.0-sb1 and 12.1.0.0 is the digest value of icr.io/db2u/db2u.watsonquery and icr.io/db2u/db2u.dv.utils images.
B. Update Db2uCluster db2u-dv custom resource (CR):
Complete the following steps for each Data Virtualization instance.
1. Update the DV_INSTANCE_NAMESPACE value with the namespace of the Data Virtualization instance that you are patching.
DV_INSTANCE_NAMESPACE=[add the Data Virtualization instance namespace value here]
echo ${DV_INSTANCE_NAMESPACE}
Check the value of DV_INSTANCE_NAMESPACE and verify that you are operating on the correct Data Virtualization instance before proceeding.
oc project ${DV_INSTANCE_NAMESPACE}
oc get db2ucluster db2u-dv -o yaml | grep -i 12.1.0.0 | grep -v "-"
Ensure that the line or lines that are displayed show only the version 12.1.0.0. The second grep drops any line containing a hyphen, so if nothing is displayed the version string already carries a suffix (for example 12.1.0.0-sb1) and the instance should be checked before you proceed.
2. Update Db2uCluster db2u-dv custom resource CR with the new version and the upgrade/bigsql annotation:
oc project ${DV_INSTANCE_NAMESPACE}
oc patch db2ucluster db2u-dv --type merge -p '{"spec":{"version":"12.1.0.0-sb1"}}'
oc annotate db2ucluster db2u-dv "upgrade/bigsql"=""
3. Wait for the Data Virtualization head pod (c-db2u-dv-db2u-0), the Data Virtualization worker pods (c-db2u-dv-db2u-X, where X is 1-n for each worker pod) and the Data Virtualization utils pod (c-db2u-dv-dvutils-0) to restart. Check how long the pods have been running to ensure that they were restarted after you completed the previous steps:
oc get pods | grep -e c-db2u-dv-db2u -e c-db2u-dv-dvutils
4. Verify that the c-db2u-dv-db2u statefulset has the new digest value:
oc get sts c-db2u-dv-db2u -o yaml | grep -i b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e
5. Verify that the c-db2u-dv-dvutils statefulset has the new digest value:
oc get sts c-db2u-dv-dvutils -o yaml | grep -i 2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe
6. After the Data Virtualization head, worker and dvutils pods restart successfully, run the following command to remove the upgrade/bigsql annotation:
oc annotate db2ucluster db2u-dv "upgrade/bigsql"-
The patch is now applied. The patch updates the OpenSSH package in the affected images to an OpenSSH version with a fix for CVE-2024-6387.
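The following script is an added example and is not part of the IBM bulletin or the Db2u operator. It automates the two error-prone parts of the procedure above offline: building the 12.1.0.0-sb1 section from a copy of the 12.1.0.0 section (step A) and checking the invariant that the only differences are the two image digests, plus the pre-check of step B.1 that the Db2uCluster still reports spec.version 12.1.0.0. The section layout in SAMPLE_12100 and the CR in SAMPLE_CR are constructed approximations; the real db2u-release ConfigMap and Db2uCluster YAML may be laid out differently, and cr_spec_version assumes that version: is a direct child of the top-level spec: key.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): derive the 12.1.0.0-sb1 ConfigMap
# section from the 12.1.0.0 section and verify that only the watsonquery and
# dvutils digests changed; also read spec.version from a Db2uCluster CR dump.

OLD_WQ='c69dcfe77773bfe9ddd83ea6436f036ed329a7dbe8bcd05f56a0699debfc3eaa'
NEW_WQ='b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e'
OLD_DVU='4b58edae6e92f43c7977ae10ddad4bba89053b96df4f9b4590dbdeca15ac6dbd'
NEW_DVU='2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe'

# Constructed sample of a 12.1.0.0 section pasted into a file (layout assumed).
# "otherimage" stands in for the remaining images; its digest is a placeholder.
SAMPLE_12100='"12.1.0.0": {
  "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:'"${OLD_WQ}"',
  "dvutils": icr.io/db2u/db2u.dv.utils@sha256:'"${OLD_DVU}"',
  "otherimage": icr.io/db2u/otherimage@sha256:0000000000000000000000000000000000000000000000000000000000000000
}'

# make_sb1_section: stdin = the 12.1.0.0 section, stdout = the 12.1.0.0-sb1 section.
# Only the section name and the two image digests are rewritten; dots in the
# image names are escaped so sed matches them literally.
make_sb1_section() {
  sed -e 's/^"12\.1\.0\.0":/"12.1.0.0-sb1":/' \
      -e "s|db2u\.watsonquery@sha256:${OLD_WQ}|db2u.watsonquery@sha256:${NEW_WQ}|" \
      -e "s|db2u\.dv\.utils@sha256:${OLD_DVU}|db2u.dv.utils@sha256:${NEW_DVU}|"
}

# verify_sb1_section OLD NEW: succeeds only if NEW has the same number of lines as
# OLD (every image kept), carries both new digests, carries neither old digest, and
# differs from OLD in exactly three lines (header, watsonquery, dvutils).
verify_sb1_section() {
  [ "$(wc -l < "$1" | tr -d ' ')" -eq "$(wc -l < "$2" | tr -d ' ')" ] || return 1
  grep -q "db2u.watsonquery@sha256:${NEW_WQ}" "$2" || return 1
  grep -q "db2u.dv.utils@sha256:${NEW_DVU}" "$2" || return 1
  if grep -q -e "sha256:${OLD_WQ}" -e "sha256:${OLD_DVU}" "$2"; then return 1; fi
  changed=$(diff "$1" "$2" | grep -c '^>' || true)
  [ "$changed" -eq 3 ]
}

# cr_spec_version: stdin = output of `oc get db2ucluster db2u-dv -o yaml`,
# stdout = spec.version. Unlike `grep -i 12.1.0.0 | grep -v "-"`, this looks only
# under the top-level spec: key (assumes version: is a direct child of spec:).
cr_spec_version() {
  awk '/^[A-Za-z]/ { top = $1 }
       top == "spec:" && $1 == "version:" { print $2; exit }'
}

# Constructed sample CR dump for an instance that has not been patched yet.
SAMPLE_CR='apiVersion: db2u.databases.ibm.com/v1
kind: Db2uCluster
metadata:
  name: db2u-dv
spec:
  version: 12.1.0.0
status:
  state: Ready'

# Stand-alone run against the constructed samples.
TMP=$(mktemp -d)
printf '%s\n' "$SAMPLE_12100" > "$TMP/old"
make_sb1_section < "$TMP/old" > "$TMP/new"
if verify_sb1_section "$TMP/old" "$TMP/new"; then
  echo "12.1.0.0-sb1 section passes verification:"
  cat "$TMP/new"
else
  echo "12.1.0.0-sb1 section FAILED verification" >&2
fi
echo "spec.version before patch: $(printf '%s\n' "$SAMPLE_CR" | cr_spec_version)"
```

To use it on a real cluster, paste the 12.1.0.0 section from `oc edit configmap db2u-release` into a file, run make_sb1_section on it, verify the result with verify_sb1_section, and only then add the verified section to the ConfigMap; feed `oc get db2ucluster db2u-dv -o yaml` to cr_spec_version in place of the grep chain in step B.1.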
Workarounds and Mitigations
None
References
Acknowledgement
Change History
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Document Information
Modified date:
09 August 2024
UID
ibm17161609