IBM0CD64969CBA259BD68B0DCA6AFC479A611A9138F0031151318D4B23F3F25F52ESecurity Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics (CVE-2018-1980,CVE-2019-4094,CVE-2018-1922,CVE-2018-1978,CVE-2018-1923,CVE-2019-4016,CVE-2019-4015)
0.001 Low
EPSS
Percentile
32.2%
Summary
IBM® DB2® is shipped as a component of IBM PureData System for Operational Analytics. Information about security vulnerabilities affecting IBM DB2 have been published in a security bulletin.
Vulnerability Details
CVEID:CVE-2018-1980
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-ForceID: 154078.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154078 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-4094
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to root by loading a malicious shared library. IBM X-Force ID: 158014.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158014 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2018-1922
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is affected by buffer overflow vulnerability that can potentially result in arbitrary code execution. IBM X-Force ID: 152858.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152858 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2018-1978
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-ForceID: 154069.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154069 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2018-1923
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is affected by buffer overflow vulnerability that can potentially result in arbitrary code execution. IBM X-Force ID: 152859.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152859 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-4016
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-ForceID: 155894.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155894 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-4015
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-ForceID: 155893…
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155893 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM PureData System for Operational Analytics V1.1 (A1801)
Remediation/Fixes
Determine the appliance fixpack level as root on the management server using the appl_ls_cat command.
$ appl_ls_cat -i
NAME VERSION STATUS DESCRIPTION
bwr3 4.0.8.0 Committed Updates for IBM_PureData_System_for_Operational_Analytics
Determine the version of Db2 used on the core nodes in the appliance. The command below shows that Version 10.5.0.11 is installed. The number of hosts, Db2 version and instance name are customer dependent. The appliance supports Db2 10.5 or Db2 11.1 and the default instance owner is bcuaix. The command below shows that the instance is used Db2 10.5.0.11.
$ dsh -n ${BCUALL} ‘/usr/local/bin/db2ls -c | grep -v “#” | cut -d: -f 1 | head -1 | while read p;do $p/bin/db2greg -dump | grep “^I”;done’| dshbak -c
HOSTS -------------------------------------------------------------------------
host02, host04, host05, hostflash06
-------------------------------------------------------------------------------
I,DB2,10.5.0.11,bcuaix,/db2home/bcuaix/sqllib,1,0,/usr/IBM/dwe/db2/V10.5.0.11…2,
Login as the instance owner to any of the host servers. The following command will show the build number installed.
$ db2level
DB21085I This instance or install (instance name, where applicable: “bcuaix”)
uses “64” bits and DB2 code release “SQL1005B” with level identifier
“060C010E”.
Informational tokens are “DB2 v10.5.0.11”, “special_40479”, “IP24071_40479”,
and Fix Pack “11”.
Product is installed at “/usr/IBM/dwe/db2/V10.5.0.11…2”.
Use the table below to determine how to download the Db2 Fixpack or Special Build and then refer to the appliance technote <https://www.ibm.com/support/pages/installing-db2-fix-pack-ibm-puredata-system-operational-analytics> for instructions on how to apply the Db2 Fixpack or Special Build on the appliance. Contact IBM Support for any questions or concerns related to this update. The number in brackets will match version returned by the appl_ls_conf command. IBM strongly recommends applying the latest available appliance fixpack and migrating to the latest available Db2 level supported on the appliance.
| Current V1.1 Fixpack Level | Remediation Options |
|---|---|
| V1.1 GA [ 4.0.4.x ] |
Update to V1.1 FP4
or
DB2 Version 10.5 Fix Pack 11 for Linux, UNIX, and Windows
Db2 Version 11.1 Mod4 Fix Pack4 iFix001 for Linux, UNIX, and Windows
V1.1 FP1 [ 4.0.5.x ]|
Update to V1.1 FP4
or
DB2 Version 10.5 Fix Pack 11 for Linux, UNIX, and Windows
Db2 Version 11.1 Mod4 Fix Pack4 iFix001 for Linux, UNIX, and Windows
V1.1 FP2 [ 4.0.6.x ]|
Update to V1.1 FP4
or
DB2 Version 10.5 Fix Pack 11 for Linux, UNIX, and Windows
Db2 Version 11.1 Mod4 Fix Pack4 iFix001 for Linux, UNIX, and Windows
V1.1 FP3 [ 4.0.7.x ]|
Update to V1.1 FP4
or
DB2 Version 10.5 Fix Pack 11 for Linux, UNIX, and Windows
Db2 Version 11.1 Mod4 Fix Pack4 iFix001 for Linux, UNIX, and Windows
V1.1 FP4 [ 4.0.8.x ]|
Validated stack is not vulnerable at this level.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| puredata system for operational analytics a1801 | eq | 1.1 |
Related
0.001 Low
EPSS
Percentile
32.2%