Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM0EE09B7EB7702170D95421E24B37FF3DD1538C056EA0EA2EDFE386FA1CFE89C0
HistoryMar 26, 2019 - 5:30 p.m.

Security Bulletin: Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product

2019-03-2617:30:01
www.ibm.com
21

0.003 Low

EPSS

Percentile

71.0%

JSON

Summary

DB2 contains several vulnerabilities which can affect the IBM Performance Management product. Some of the information about security vulnerabilities affecting DB2 has been published in security bulletins.

Vulnerability Details

CVEID: CVE-2018-1857 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a user to bypass FGAC control and gain access to data they shouldn’t be able to see.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151155&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1799 DESCRIPTION: IBM DB2 could allow a local unprivileged user to overwrite files on the system which could cause damage to the database.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149429&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-1780 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148803&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1781 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148804&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1834 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) contains a vulnerability that could allow a local user to escalate their privileges to root through a symbolic link attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150511&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1802 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149640&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1656 DESCRIPTION: The IBM Java Runtime Environment’s Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144882&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-2973 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/146835&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-12539 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148389&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details of these vulnerabilities can be found in the following security bulletins:

Security Bulletin: IBM Db2’s RCAC rules are not being enforced by CTAS sub-select statements (CVE-2018-1857)
Security Bulletin: IBM Db2 is affected by multiple privilege escalation vulnerabilities (CVE-2018-1799, CVE-2018-1780, CVE-2018-1781, CVE-2018-1834)
Security Bulletin: IBM Db2 is vulnerable to privilege escalation via loading libraries from an untrusted path (CVE-2018-1802)
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Db2

Affected Products and Versions

IBM Cloud Application Performance Management, Base Private 8.1.4
IBM Cloud Application Performance Management, Advanced Private 8.1.4

IBM Monitoring , 8.1.3

IBM Application Diagnostics, 8.1.3

IBM Application Performance Management, 8.1.3

IBM Application Performance Management Advanced, 8.1.3

Remediation/Fixes

Product Product VRMF Remediation

IBM Cloud Application Performance Management Base Private

IBM Cloud Application Performance Management Advanced Private

| 8.1.4 |

The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5, or V11.1 server. The fixes can be accessed from the following security bulletins:
Security Bulletin: IBM Db2’s RCAC rules are not being enforced by CTAS sub-select statements (CVE-2018-1857)
Security Bulletin: IBM Db2 is affected by multiple privilege escalation vulnerabilities (CVE-2018-1799, CVE-2018-1780, CVE-2018-1781, CVE-2018-1834)
Security Bulletin: IBM Db2 is vulnerable to privilege escalation via loading libraries from an untrusted path (CVE-2018-1802)
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Db2

To use your updated DB2 V10.5, or V11.1 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.4.0&platform=All&function=all

IBM Monitoring

IBM Application Diagnostics

IBM Application Performance Management

IBM Application Performance Management Advanced

| 8.1.3 | The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5 server. The fixes can be accessed from the following security bulletins:
Security Bulletin: IBM Db2 is affected by multiple privilege escalation vulnerabilities (CVE-2018-1799, CVE-2018-1780, CVE-2018-1781, CVE-2018-1834)
Security Bulletin: IBM Db2 is vulnerable to privilege escalation via loading libraries from an untrusted path (CVE-2018-1802)
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Db2

To use your updated DB2 V10.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.3.0-IBM-IPM-SERVER-IF0011 or later server patch to the system where the APM server is installed. Interim fixes for the APM server version 8.1.3 are available to download from IBM Fix Central at this link: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.3.0&platform=All&function=all

Workarounds and Mitigations

None

Related

ibm 120
nessus 15
openvas 9
redhat 6
aix 1
nvd 9
cvelist 9
redhatcve 3
veracode 3
cve 9
prion 9
osv 1
ubuntucve 2
debiancve 1
alpinelinux 1
f5 1
ibm
ibm
Security Bulletin: IBM® Db2® is affected by multiple privilege escalation vulnerabilities (CVE-2018-1799, CVE-2018-1780, CVE-2018-1781, CVE-2018-1834).
2020-03-06 19:01:46
Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM Maximo Asset Management
2018-12-06 13:25:01
Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java affect Rational Build Forge (CVE-2018-1656; CVE-2018-2973; CVE-2018-12539)
2018-12-14 04:00:02
nessus
nessus
SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:2649-2)
2018-10-22 00:00:00
RHEL 7 : java-1.7.1-ibm (RHSA-2018:2569)
2018-08-28 00:00:00
SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2018:2574-1)
2018-09-04 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:2649-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2649-2)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2583-1)
2021-06-09 00:00:00
redhat
redhat
(RHSA-2018:2576) Important: java-1.7.1-ibm security update
2018-08-28 19:07:03
(RHSA-2018:2712) Moderate: java-1.7.1-ibm security update
2018-09-17 14:42:53
(RHSA-2018:2569) Important: java-1.7.1-ibm security update
2018-08-27 14:10:03
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2018-09-19 08:42:00
nvd
nvd
CVE-2018-12539
2018-08-14 19:29:00
CVE-2018-1780
2018-11-09 01:29:00
CVE-2018-1802
2018-11-09 01:29:00
cvelist
cvelist
CVE-2018-12539
2018-08-14 19:00:00
CVE-2018-1857
2018-11-05 00:00:00
CVE-2018-1781
2018-11-05 00:00:00
redhatcve
redhatcve
CVE-2018-12539
2019-10-10 23:34:49
CVE-2018-1656
2018-08-17 20:49:15
CVE-2018-2973
2019-10-29 10:27:49
veracode
veracode
Arbitrary Code Execution
2019-01-15 09:24:36
Directory Traversal
2019-05-16 03:24:18
Authorization Bypass
2019-05-16 03:24:20
cve
cve
CVE-2018-1780
2018-11-09 01:29:00
CVE-2018-12539
2018-08-14 19:29:00
CVE-2018-1781
2018-11-09 01:29:00
prion
prion
Buffer overflow
2018-11-09 01:29:00
Code injection
2018-11-09 01:29:00
Default configuration
2018-08-14 19:29:00
osv
osv
CVE-2018-12539
2018-08-14 19:29:00
ubuntucve
ubuntucve
CVE-2018-1656
2018-08-20 00:00:00
CVE-2018-2973
2018-07-18 00:00:00
debiancve
debiancve
CVE-2018-2973
2018-07-18 13:29:03
alpinelinux
alpinelinux
CVE-2018-2973
2018-07-18 13:29:03
f5
f5
K000134764 : Java SE vulnerabilities CVE-2018-2941 and CVE-2018-2973
2023-05-24 00:00:00

0.003 Low

EPSS

Percentile

71.0%

JSON
Related for 0EE09B7EB7702170D95421E24B37FF3DD1538C056EA0EA2EDFE386FA1CFE89C0
ibm120nessus15openvas9redhat6aix1nvd9cvelist9redhatcve3veracode3cve9prion9osv1ubuntucve2debiancve1alpinelinux1f51