Preventive Service Planning
Abstract
Published Security Vulnerabilities for Db2 for Linux, UNIX, and Windows, including links to Special Builds (where available).
Content
Latest Db2 Security Special Builds
The special builds listed below are the latest available security special builds for Db2 and fix all published security vulnerability APARs. For more information on a specific APAR, refer to the relevant security bulletin in the next section.
The latest JDK Bulletin applies to all supported Db2 releases and fixes all previously published JDK security bulletins. JDK upgrades are performed independently of the Db2 special build installation.
Most recent JDK Bulletin | Publication Date |
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (Jan 2024 CPU) | February 27, 2024 |
Db2 11.5.8 | Db2 11.5.9 | Db2 12.1 | Publication Date |
Special Build 50594 for V12.1 | November 13, 2024 |
Db2 10.5 | Db2 11.1 | Publication Date |
Special Build 41536 for V10.5 FP11: AIX 64-bit | Special Build 41535 for V11.1.4 FP7: AIX 64-bit | November 13, 2024 |
Published Security Vulnerabilities
Note: The topmost Security Bulletin contains links to the latest Special Build. Special Builds are cumulative, so the latest Special Build contains the fixes for all current Security Vulnerability APARs.
For more information about a specific APAR, see the relevant Security Bulletin.
- SB = Special Build
- EoS = End of Support, refer to DB2 Distributed end of support (EOS) dates
- N/A = The vulnerability described in the security bulletin does not apply to the version of Db2 specified in the column header
According to PSIRT guidelines, we cannot comment on whether any specific security vulnerability affects DB2® until we publish a security bulletin with a fix.
Security Bulletins newest to oldest (Special Build download links are included in the Security Bulletin) | DB2 9.7 (EoS) | DB2 10.1 (EoS) | DB2 10.5 | DB2 11.1 |
Security Bulletin: Multiple buffer overflow vulnerabilities exist in IBM® Db2® leading to privilege escalation (CVE-2019-4322). | SB #38744 (v9.7 FP11) | SB #38745 (v10.1 FP6) | SB #38746 (v10.5 FP10) | SB #38747 (v11.1.4.4 iFix001) |
Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2019-4386). | N/A | N/A | N/A | SB #38747 (v11.1.4.4 iFix001) |
Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to potential arbitrary code execution as root (CVE-2019-4154). | SB #38744 (v9.7 FP11) | SB #38745 (v10.1 FP6) | SB #38746 (v10.5 FP10) | SB #38747 (v11.1.4.4 iFix001) |
Security Bulletin: IBM® Db2® does not explicitly forbid a weaker than expected 3DES cipher when configured to use SSL (CVE-2019-4102). | SB #38744 (v9.7 FP11) | SB #38745 (v10.1 FP6) | SB #38746 (v10.5 FP10) | SB #38747 (v11.1.4.4 iFix001) |
Security Bulletin: Under specialized conditions, IBM® Db2® is vulnerable to denial of service (CVE-2019-4101). | N/A | SB #38745 (v10.1 FP6) | SB #38746 (v10.5 FP10) | SB #38747 (v11.1.4.4 iFix001) |
Security Bulletin: IBM® Db2® is vulnerable to privilege escalation to root via malicious use of fenced user (CVE-2019-4057) | SB #38744 (v9.7 FP11) | SB #38745 (v10.1 FP6) | SB #38746 (v10.5 FP10) | SB #38747 (v11.1.4.4 iFix001) |
Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2019-4014). | SB #38501 (v9.7 FP11) | SB #38502 (v10.1 FP6) | SB #38478 (v10.5 FP10) | SB #38505 (v11.1.4.4 iFix 001) |
Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2018-1936). | SB #38501 (v9.7 FP11) | SB #38502 (v10.1 FP6) | SB #38478 (v10.5 FP10) | SB #38505 (v11.1.4.4 iFix 001) |
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (January 2019 CPU) | EoS | EoS | JDK Upgrade | JDK Upgrade |
Security Bulletin: IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path (CVE-2019-4094). | SB #38387 (v9.7 FP11) | SB #38388 (v10.1 FP6) | SB #38389 (v10.5 FP10) | V11.1.4.4 iFix001 |
Security Bulletin: Multiple buffer overflow vulnerabilities exist in IBM® Db2® leading to privilege escalation (CVE-2018-1922, CVE-2018-1923, CVE-2018-1978, CVE-2018-1980, CVE-2019-4015, CVE-2019-4016). | SB #38387 (v9.7 FP11) | SB #38388 (v10.1 FP6) | SB #38389 (v10.5 FP10) | V11.1.4.4 iFix001 |
Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM® Db2®. (October 2018 CPU) | EoS | EoS | JDK Upgrade | JDK Upgrade |
Security Bulletin: IBM® DB2® contains a denial of service vulnerability in scalar functions (CVE-2018-1977). | N/A | N/A | N/A | v11.1.4 FP4 |
Security Bulletin: IBM® Db2® LUW on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2018-1723). | N/A | N/A | Spectrum Scale 4.1.1.17 efix 8 | v11.1.4 FP4 |
Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow leading to privilege escalation (CVE-2018-1897). | SB #38043 (v9.7 FP11) | SB #38065 (v10.1 FP6) | SB #38042 (v10.5 FP10) | v11.1.4 FP4 |
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (August 2018 CPU) | EoS | EoS | JDK Upgrade | v11.1.4 FP4 |
Security Bulletin: IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path (CVE-2018-1802). | EoS SB #37995 (v9.7 FP11) | EoS SB #37994 (v10.1 FP6) | SB #37993 (v10.5 FP10) | v11.1.4.4 OR SB #37992 (v11.1.3.3 iFix002) |
Security Bulletin: IBM® Db2® is affected by multiple privilege escalation vulnerabilities (CVE-2018-1799, CVE-2018-1780, CVE-2018-1781, CVE-2018-1834). | EoS SB #37995 (v9.7 FP11) | EoS SB #37994 (v10.1 FP6) | SB #37993 (v10.5 FP10) | v11.1.4.4 OR SB #37992 (v11.1.3.3 iFix002) |
Security Bulletin: IBM® Db2®'s RCAC rules are not being enforced by CTAS sub-select statements (CVE-2018-1857) | EoS | N/A | N/A | v11.1.4.4 OR SB #37992 (v11.1.3.3 iFix002) |
Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2® pureScale™ (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705). | EoS | EoS | | v11.1.4.4 and Spectrum Scale Update |
Privilege escalation in IBM® DB2® tool db2cacpy (CVE-2018-1685). | EoS IT25816 in SB #37945 (v9.7 FP11) | EoS IT25815 in SB #37946 (v10.5 FP6) | IT25814 in SB #37836 (v10.5 FP10) | IT25466 in SB #37835 (v11.1.3.3 iFix002) |
Security Bulletin: Buffer overflow in IBM® DB2® tool db2licm (CVE-2018-1710). | Not Vulnerable | EoS IT25820 in | IT25719 in SB #37836 (v10.5 FP10) | IT25819 in SB #37835 (v11.1.3.3 iFix002) |
Security Bulletin: Privilege escalation vulnerability affects IBM® DB2® Administrative Task Scheduler (CVE-2018-1711) | EoS IT25824 in SB #37945 (v9.7 FP11) | EoS IT25825 in SB #37946 (v10.1 FP6) | IT25826 in SB #37836 (v10.5 FP10) | v11.1.4.4 OR IT25813 in SB #37835 (v11.1.3.3 iFix002) |
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (CVE-2018-2783, CVE-2018-2794) | EoS | EoS | | v11.1.4 FP4 |
Vulnerability in OpenSSL affects FlashCopy Manager shipped with IBM® Db2® LUW (CVE-2017-3738, CVE-2017-3737) | EoS | EoS | | v11.1.4 FP4 OR FCM upgrade |
Privilege escalation in IBM DB2 via loading libraries from untrusted path (CVE-2018-1487) | EoS IT24477 in SB #37642 (v9.7 FP11) | EoS IT24476 in SB #37641 (v10.1 FP6) | IT24475 in SB #37640 (v10.5 FP9) | v11.1.3 FP3 iFix002 OR IT24474 in SB #37639 (v11.1.3.3 iFix001) |
Multiple untrusted search path vulnerabilities in the IBM DB2 DAS component on Windows (CVE-2018-1458) | EoS IT24826 in SB #37642 (v9.7 FP11) | EoS IT24825 in SB #37641 (v10.1 FP6) | v10.5 FP10 OR SB #37640 (v10.5 FP9) | v11.1.3 FP3 iFix002 OR IT24823 in SB #37639 (v11.1.3.3 iFix001) |
Security Bulletin: Format string vulnerability in IBM DB2 tool db2support (CVE-2018-1566) | EoS IT24463 in SB #37642 (v9.7 FP11) | EoS IT24462 in SB #37641 (v10.1 FP6) | v10.5 FP10 OR IT24461 in SB #37640 (v10.5 FP9) | v11.1.3 FP3 iFix002 OR IT24283 in SB #37639 (v11.1.3.3 iFix001) |
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® DB2®. (CVE-2018-2579, CVE-2018-2678, CVE-2018-2618, CVE-2018-2602) | EoS (Manually upgrade IBM JDK) | EoS (Manually upgrade IBM JDK) | v10.5 FP10 | V11.1.3 FP4 |
Security Bulletin: IBM® DB2® is vulnerable to buffer overflow (CVE-2018-1459) | IT24466 in Special Build #37477 (v9.7 FP11) | IT24465 in Special Build #37478 (v10.1 FP6) | v10.5 FP10 OR IT24464 in Special Build #37479 (v10.5 FP9) | IT24311 in v11.1.3.3 iFix001 |
Security Bulletin: Multiple vulnerabilities affect db2exmig and db2exfmt tools shipped with IBM® Db2® (CVE-2018-1544, CVE-2018-1565) | IT24804 in Special Build #37477 (v9.7 FP11) | IT24803 in Special Build #37478 (v10.1 FP6) | v10.5 FP10 OR SB #37479 (v10.5 FP9) | IT24799 in v11.1.3.3 iFix001 |
Security Bulletin: Buffer overflow in the db2convert tool shipped with IBM® DB2® (CVE-2018-1515) | Not vulnerable | Not vulnerable | IT24645 in Special Build #37479 | IT24642 in v11.1.3.3 iFix001 |
Security Bulletin: Buffer overflow in IBM® DB2® tool db2licm (CVE-2018-1488) | Not vulnerable | Not vulnerable | IT24478 in Special Build #37479 | IT24473 in v11.1.3.3 iFix001 |
Security Bulletin: IBM® Db2® is affected by multiple file overwrite vulnerabilities (CVE-2018-1450, CVE-2018-1449, CVE-2018-1451, CVE-2018-1452) | IT24217 Special Build #37477 | IT24216 Special Build #37478 | IT24215 Special Build #37479 | IT24171 in v11.1.3.3 iFix001 |
Security Bulletin: IBM® Db2® is affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1654) | EoS | EoS | V10.5 FP9 Spectrum Scale V4.1.1.11 efix9 | V11.1.1 FP3 Spectrum Scale V4.1.1.17 efix3 |
Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the GSKit library (CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426, CVE-2018-1447) | IT24060 Special Build #37314 (see Security Bulletin) | IT24061 Special Build #37313 (see Security Bulletin) | IT24058 Special Build #37311 (see Security Bulletin) | IT24059 in v11.1 M3 FP3 |
Security Bulletin: IBM® Db2® vulnerability allows local user to overwrite Db2 files (CVE-2018-1448) | IT24214 Special Build #37314 (see Security Bulletin) | IT24213 Special Build #37313 (see Security Bulletin) | IT24212 Special Build #37311 (see Security Bulletin) | IT24170 in v11.1 M3 FP3 |
The Db2 JDBC driver deserializes an object unsafely potentially leading to arbitrary code execution (CVE-2017-1677) | IT23799 Special Build #37314 (see Security Bulletin) | IT23798 Special Build #37313 (see Security Bulletin) | IT23797 Special Build #37311 (see Security Bulletin) | IT23794 in v11.1 M3 FP3 |
Security Bulletin: Under specific circumstances IBM® Db2® installation creates users with a weak password hashing algorithm (CVE-2017-1571) | IT22411 Special Build #37314 (see Security Bulletin) | IT22413 Special Build #37313 (see Security Bulletin) | IT22414 Special Build #37311 (see Security Bulletin) | IT22415 in v11.1 M3 FP3 |
Security Bulletin: Security vulnerabilities have been identified in Tivoli Storage FlashCopy Manager shipped with IBM Db2. | N/A | IT18997 (fixed in next release) | IT20495 in V10.5 FP9 | V11.1.3 FP3 Solution in PPA (see Security Bulletin) |
Security Bulletin: Privilege escalation vulnerabilities affect IBM® Db2® (CVE-2017-1439, CVE-2017-1451) | IT21396 Special Build #36826 (see Security Bulletin) | IT21395 Special Build #36827 (see Security Bulletin) | IT21394 in V10.5 FP9 or FP8 Special Build #36828 | IT21364 V11.1.3 or v11.1 FP2 Special Build #36792 (see Security Bulletin) |
Security Bulletin: Privilege escalation vulnerabilities affect IBM® Db2® (CVE-2017-1438) | IT21143 Special Build #36826 (see Security Bulletin) | IT21163 Special Build #36827 (see Security Bulletin) | IT21164 in V10.5 FP9 or FP8 Special Build #36828 | IT21140 v11.1.3 or v11.1 FP2 Special Build #36792 (see Security Bulletin) |
Security Bulletin: IBM® Db2® vulnerability allows local user to overwrite Db2 files. (CVE-2017-1452) | IT21465 Special Build #36826 (see Security Bulletin) | IT21464 Special Build #36827 (see Security Bulletin) | IT21463 in V10.5 FP9 or FP8 Special Build #36828 | IT21458 v11.1 FP3 or v11.1 FP2 Special Build #36792 (see Security Bulletin) |
Security Bulletin: IBM® Db2® sensitive information exposure in the error log (CVE-2017-1434). | N/A | N/A | N/A | IT21347 v11.1 FP3 or v11.1 FP2 Special Build #36792 (see Security Bulletin) |
Security Bulletin: IBM® Db2® is affected by denial of service vulnerability in the Db2 Connect Server (CVE-2017-1519) | N/A | N/A | IT21454 in V10.5 FP9 or FP8 Special Build #36828 | IT21455 v11.1 FP3 or v11.1 FP2 Special Build #36792 (see Security Bulletin) |
Security Bulletin: IBM® Db2® is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT (CVE-2017-1520) | IT21974 Special Build #36826 (see Security Bulletin) | IT21973 Special Build #36827 (see Security Bulletin) | IT21462 in V10.5 FP9 or FP8 Special Build #36828 | IT21459 v11.1 FP3 or v11.1 FP2 Special Build #36792 (see Security Bulletin) |
Security Bulletin: IBM® DB2® LUW's Command Line Processor Contains Buffer Overflow Vulnerability (CVE-2017-1297). | IT20570 Special Build #36621 (see Security Bulletin) | IT20571 Special Build #36610 (see Security Bulletin) | IT20498 in V10.5 FP9 or FP8 Special Build #36605 | IT20562 in V11.1 FP2 |
Security Bulletin: IBM® DB2® LUW on AIX and Linux Affected by vulnerabilities in zlib (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843). | IT9129 Special Build #36621 (see Security Bulletin) | IT20564 Special Build #36610 (see Security Bulletin) | IT20565 in V10.5 FP9 or FP8 Special Build #36605 | IT20566 in V11.1 FP2 |
Security Bulletin: Buffer overflow vulnerability in IBM® DB2® LUW (CVE-2017-1105) | IT20567 Special Build (see Security Bulletin) | IT20568 Special Build (see Security Bulletin) | IT20461 in V10.5 FP9 | IT20463 in V11.1 FP2 |
Security Bulletin: Privilege escalation vulnerability affects IBM® DB2® LUW (CVE-2017-1134) | N/A | IT20569 see Security Bulletin | IT20460 in V10.5 FP9 | IT20462 in V11.1 FP2 |
Security Bulletin: Information Disclosure vulnerability affects IBM® DB2® LUW (CVE-2017-1150) | N/A | IT15485 in V10.1 FP6 | IT19399 in V10.5 FP9 | IT19400 in V11.1 FP2 |
Security Bulletin: IBM® DB2® LUW is vulnerable to Sweet32 Birthday Attack (CVE-2016-2183) | IT17531 Have remediation (see Security Bulletin) | IT17645 in V10.1 FP6 | IT17646 in V10.5 FP9 Have remediation | IT17467 in V11.1 FP2 |
Security Bulletin: IBM® DB2® LUW on AIX and Linux Affected by a Vulnerability in GPFS (CVE-2016-2119) | N/A | N/A | T17644 in V10.5 FP9 | IT17530 in V11.1 FP1 |
Security Bulletin: Local escalation of privilege vulnerability in IBM® DB2® (CVE-2016-5995) | IT17010 Special Build (see Security Bulletin) | IT17011 in V10.1 FP6 | IT16921 in V10.5 FP8 | IT17012 in V11.1 FP1 |
Security Bulletin: IBM® DB2® LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS (CVE-2016-2984, CVE-2016-2985) | IT17531 Special Build (see Security Bulletin) | IT17645 in V10.1 FP6 | IT17646 in V10.5 FP9 | IT17647 in V11.1.1 FP1 |
Security Bulletin: Vulnerability in XMLC affects IBM® DB2® LUW (CVE-2016-0729, CVE-2016-4463) | N/A | N/A | IT17644 in V10.5 FP9 | IT17530 in V11.1.1 FP1 |
Security Bulletin: Local escalation of privilege vulnerability in IBM® DB2® (CVE-2016-5995) | IT17010 Special Build (see Security Bulletin) | IT17011 in V10.1 FP6 | IT16921 in V10.5 FP8 | IT17012 in V11.1.1 FP1 |
Security Bulletin: IBM® DB2® LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS (CVE-2016-2984, CVE-2016-2985) | N/A | IT16321 in V10.1 FP6 | IT16323 in V10.5 FP8 | IT16324 in V11.1.1 FP1 |
Security Bulletin: Vulnerability in XMLC affects IBM® DB2® LUW (CVE-2016-0729, CVE-2016-4463) | IT15576 Special Build (see Security Bulletin) | IT15577 in V10.1 FP6 | IT15578 in V10.5 FP8 | IT15579 in V11.1.1 FP1 |
Vulnerabilities in Flexera InstallShield and InstallAnywhere affect IBM Data Server Driver packages (CVE-2016-2542, CVE-2016-4560) | IT14993 in V9.7 FP11 (no Special Build) | IT14999 in V10.1 FP6 | IT15000 in V10.5 FP8 | Fixed in GA |
Security Bulletin: IBM® DB2® LUW on AIX and Linux Affected by Multiple Vulnerabilities in GPFS | N/A | IT16321 in V10.1 FP6 | IT16323 in V10.5 FP8 | IT16324 |
Document Information
Modified date: 20 November 2024
UID: swg21984819