IBM Support

Security Bulletin: IBM Db2 Big SQL on Cloud Pak for Data is vulnerable to OpenSSH vulnerability CVE-2024-6387

Security Bulletin


Summary

IBM Db2 Big SQL on Cloud Pak for Data embeds a variant of the IBM Db2 database server that runs in MPP mode. For MPP functionality such as scale-out, the server internally uses the Secure Shell (SSH) protocol for inter-pod communication; this SSH service is not exposed to external users or processes. Db2 Big SQL uses the OpenSSH packages for SSH. OpenSSH is vulnerable to CVE-2024-6387, which can allow a remote attacker to run arbitrary code as a privileged user on the system by sending a specially crafted request.

Vulnerability Details

CVEID: CVE-2024-6387
DESCRIPTION: OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/296064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                       Version(s)
IBM Db2 Big SQL on Cloud Pak for Data     7.7.0 (on Cloud Pak for Data 5.0.0)

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Affected Product(s)                                      Big SQL Version(s)   CPD Version(s)   Fixes
IBM Db2 Big SQL (Big SQL) on Cloud Pak for Data (CPD)    7.7.0                5.0.0            Follow the instructions below to apply the patch and update the affected images.

Use the following patched image digest value:

  • For the db2u.watsonquery image: sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e

Important:

  • The Big SQL instance is restarted during the process. Schedule some downtime for the Big SQL instance when you plan to complete these steps.
  • You do not have to apply the patch to all Big SQL instances at the same time. However, it is strongly recommended that you apply this patch to all Big SQL instances as soon as possible to address the vulnerability.


Before you begin:

  1. If you use a private container registry to host the IBM Cloud Pak for Data software images, mirror the patch images from the IBM Entitled Registry. For more information, see Preparing to run IBM Cloud Pak for Data installs from a private container registry.

To apply the patch, complete steps A and B:

A. Create a new section in the db2u-release configmap:
The new section has the same values as the 12.1.0.0 section, except for the digest of the db2u.watsonquery image.
  1. Check which namespace the db2u-release configmap is in by running the following command:
    • oc get configmap -A | grep db2u-release
  2. Specify that namespace as the value for DB2U_OPERATOR_NAMESPACE and open the configmap for editing:
    • DB2U_OPERATOR_NAMESPACE=[add the operator namespace value here]
    • oc project ${DB2U_OPERATOR_NAMESPACE}
    • oc edit configmap db2u-release
  3. Copy the 12.1.0.0 section and add the copy as a new section after it. Name the new section 12.1.0.0-sb1. Add a comma (",") to separate the 12.1.0.0 and 12.1.0.0-sb1 sections. Do not change the existing 12.1.0.0 section.
  4. In the 12.1.0.0-sb1 section, make the following change:
    • Change "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:c69dcfe77773bfe9ddd83ea6436f036ed329a7dbe8bcd05f56a0699debfc3eaa to
      "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e

Note: The new 12.1.0.0-sb1 section must include all of the images listed in the 12.1.0.0 section. The only difference between 12.1.0.0-sb1 and 12.1.0.0 is the digest value of "icr.io/db2u/db2u.watsonquery"; the repository path itself stays the same.


B. Update the db2ucluster custom resources of the Big SQL instances:

Identify the affected Big SQL instances on your cluster:

  1. List the affected Big SQL instances across all namespaces in the cluster (the first column is the namespace, the second the instance name and the third the version, which is 12.1.0.0 for an unpatched instance; anchoring the grep pattern to the end of the line keeps instances already at 12.1.0.0-sb1 out of the list):
    • oc get db2ucluster -A -l app.kubernetes.io/name=db2-bigsql -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,VERSION:.status.version | grep '12\.1\.0\.0$'
Complete the following steps for each Big SQL instance returned by the previous step:
  1. Update the Big SQL instance db2ucluster custom resource (CR) with the new version and the upgrade/bigsql annotation, substituting <namespace> and <instance-name> with the namespace and instance name reported by the previous command for the instance you want to patch:
    • oc patch db2ucluster -n <namespace> <instance-name> --type merge -p '{"spec":{"version":"12.1.0.0-sb1"}}'
  2. Wait for the Big SQL head pod (c-bigsql-*-db2u-0) and the Big SQL worker pods (c-bigsql-*-db2u-N, where N is 1 to n, one per worker pod) to restart.
  3. Check how long the pods have been running to confirm that they were restarted after you completed the previous steps:
    • oc get pod -A -l app=<instance-name> | grep db2u
  4. Verify that the Big SQL instance statefulset container image uses the new digest value (b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e):
    • oc get sts -n <namespace> c-<instance-name>-db2u -o custom-columns=NAME:.metadata.name,IMAGE:.spec.template.spec.containers[0].image

The patch is now applied. The patch updates the OpenSSH package in the affected images to an OpenSSH version with a fix for CVE-2024-6387.
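The following script is an added example and is not IBM's own tooling or part of this bulletin. It wraps step B (and the step A image-reference check) in POSIX sh functions so the same digest verification runs for every instance instead of being eyeballed. It assumes, beyond what the bulletin states, that `oc` is on PATH and logged in to the cluster, that the Db2U operator rewrites the statefulset c-<instance-name>-db2u after the CR is patched, and that `oc rollout status` on that statefulset is an acceptable way to wait for the head and worker pods. The OC variable exists only so the logic can be exercised against a stub without a cluster.

```shell
#!/bin/sh
# Added example (not IBM's own tooling): step B of the bulletin as a script.
# Assumptions not stated on the page: `oc` is on PATH and logged in to the
# cluster; the operator rewrites the statefulset c-<instance>-db2u after the CR
# is patched; `oc rollout status` on that statefulset is an acceptable wait.
# Set OC to a wrapper or stub to exercise the logic without a cluster.

OC="${OC:-oc}"
PATCHED_VERSION="12.1.0.0-sb1"
AFFECTED_VERSION="12.1.0.0"
PATCHED_DIGEST="sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e"

# Step A guard: the reference pasted into the 12.1.0.0-sb1 section must keep the
# repository path icr.io/db2u/db2u.watsonquery and carry a full sha256 digest.
check_image_ref() {
    printf '%s\n' "$1" | grep -Eq '^icr\.io/db2u/db2u\.watsonquery@sha256:[0-9a-f]{64}$'
}

# Step B.1: "namespace instance" for every Big SQL instance still at 12.1.0.0.
# Exact match on the VERSION column, so instances already at 12.1.0.0-sb1 are
# not listed again (a bare `grep 12.1.0.0` would match them too).
list_affected() {
    "$OC" get db2ucluster -A -l app.kubernetes.io/name=db2-bigsql --no-headers \
        -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,VERSION:.status.version \
        | awk -v v="$AFFECTED_VERSION" '$3 == v { print $1, $2 }'
}

# Image reference currently in the head/worker statefulset template.
current_image() {
    "$OC" get sts -n "$1" "c-$2-db2u" -o jsonpath='{.spec.template.spec.containers[0].image}'
}

# Step B.4: succeed only if the statefulset image is well formed and carries
# the patched digest.
verify_patched() {
    img=$(current_image "$1" "$2") || return 1
    check_image_ref "$img" || return 1
    [ "${img#*@}" = "$PATCHED_DIGEST" ]
}

# Steps B.2/B.3: the operator reconciles asynchronously, so poll until the
# statefulset template shows the new digest, then wait for the pods to roll.
wait_for_rollout() {
    ns="$1"; name="$2"; tries="${3:-120}"
    while [ "$tries" -gt 0 ]; do
        if verify_patched "$ns" "$name"; then
            "$OC" rollout status sts -n "$ns" "c-$name-db2u" --timeout=30m
            return
        fi
        tries=$((tries - 1)); sleep 15
    done
    echo "$ns/$name: statefulset never picked up $PATCHED_DIGEST" >&2
    return 1
}

# Steps B.1-B.4 for one instance.
patch_instance() {
    "$OC" patch db2ucluster -n "$1" "$2" --type merge \
        -p "{\"spec\":{\"version\":\"$PATCHED_VERSION\"}}" || return 1
    wait_for_rollout "$1" "$2"
}

# Every affected instance in turn; each Big SQL instance restarts during this.
patch_all() {
    failed=0
    for pair in $(list_affected | tr ' ' ','); do
        ns="${pair%,*}"; name="${pair#*,}"
        if patch_instance "$ns" "$name"; then
            echo "$ns/$name: patched to $PATCHED_VERSION, digest verified"
        else
            echo "$ns/$name: FAILED, inspect the db2ucluster and statefulset" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Only touch the cluster when explicitly asked: sh bigsql-sb1.sh --apply
if [ "${1:-}" = "--apply" ]; then
    patch_all
fi
```

Run it with `--apply` during the scheduled downtime; without the flag it only defines the functions, so `verify_patched <namespace> <instance-name>` can be sourced and used on its own as the step B.4 check. The check_image_ref guard rejects a reference whose repository path has been mangled while editing the configmap (for example a dropped "/" in icr.io/db2u/db2u.watsonquery), which a digest-only comparison would not catch.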

Workarounds and Mitigations

None


References


Acknowledgement

Change History

02 Jan 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide


Document Information

Modified date:
28 January 2025

UID

ibm17180133