IBM Support

Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9.

Created by Oktawian Powązka on
Published URL:
https://www.ibm.com/support/pages/node/958159
958159

Security Bulletin


Summary

IBM DB2 is shipped with IBM License Metric Tool.
Information about a security vulnerabilities affecting IBM DB2 has been published in a security bulletin.

Vulnerability Details

CVEID: CVE-2019-4322 
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. 
CVSS Base Score: 8.4 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161202 for the current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-4102 
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 
CVSS Base Score: 5.9 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158092 for the current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2019-4057 
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root. 
CVSS Base Score: 6.7 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156567 for the current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-4101 
DESCRIPTION: DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service. Users that have both EXECUTE on PD_GET_DIAG_HIST and access to the diagnostic directory on the DB2 server can cause the instance to crash. 
CVSS Base Score: 6.2 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158091 for the current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-4154 
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. 
CVSS Base Score: 8.4 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158519 for the current score 
CVSS Environmental Score*: Undefined 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM License Metric Tool v9.x

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

2 July 2019: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS8JFY","label":"IBM License Metric Tool"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
10 October 2019

UID

ibm10958159