Lucene search

IBM0C01C050966C4A75B9F43B273C47AA9DB6380C625E586B9AA67EEDB27618A33A

HistoryMay 30, 2023 - 4:16 p.m.

Security Bulletin: IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928)

2023-05-3016:16:40

www.ibm.com

ibm db2 mirror for i

java toolbox

sensitive information

vulnerability

fix

ptfs

ibm i

cve-2022-43928

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

29.3%

JSON

Summary

IBM Db2 Mirror for i setup and GUI use the IBM Toolbox for Java to access IBM i interfaces. IBM Toolbox for Java could allow sensitive information stored as Java strings to be obtained by an attacker as described in the vulnerability details section. IBM Db2 Mirror for i has addressed the vulnerability with a fix as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2022-43928
**DESCRIPTION:**The IBM Toolbox for Java could allow a user to obtain sensitive information, caused by utilizing a Java string for processing. Since Java strings are immutable, their contents exist in memory until garbage collected. This means sensitive data could be visible in memory over an indefinite amount of time. IBM has addressed this issue by reducing the amount of time the sensitive data is visible in memory.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241675 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Db2 Mirror for i	7.4
IBM Db2 Mirror for i	7.5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

The vulnerability can be fixed by applying PTFs to IBM i. Releases 7.5 and 7.4 of IBM Db2 Mirror for i are supported and will be fixed.

The PTF numbers containing the fixes for this vulnerability are in the following table. Installing all PTFs is required for complete remediation. IBM recommends installing the group PTF rather than the individual fixes.

Affected Product(s)|Version(s)|**Group PTF Number
and Minimum Level
for Remediation **|5770-DBM PTF Numbers
for Remediation|

5770-SS1 PTF Numbers
for Remediation

—|—|—|—|—
IBM Db2 Mirror for i| 7.4|

IBM Db2 Mirror for i| 7.5|

<https://www.ibm.com/support/fixcentral>

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmdb2_mirror_for_iMatch7.4

ibmdb2_mirror_for_iMatch7.5

ibmiMatch7.4

ibmiMatch7.5

ibmplanning_analyticsMatch7.5

ibmplanning_analyticsMatch7.4

CPENameOperatorVersion
ibm db2 mirror for ieq7.4
ibm db2 mirror for ieq7.5
ibm ieq7.4
ibm ieq7.5
ibm i 7.5 preventative service planningeq7.5
ibm i 7.4 preventative service planningeq7.4

Name	Operator	Version
ibm db2 mirror for i	eq	7.4
ibm db2 mirror for i	eq	7.5
ibm i	eq	7.4
ibm i	eq	7.5
ibm i 7.5 preventative service planning	eq	7.5
ibm i 7.4 preventative service planning	eq	7.4

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

29.3%

JSON

Related for 0C01C050966C4A75B9F43B273C47AA9DB6380C625E586B9AA67EEDB27618A33A