
Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST

2023-04-17 18:56:59
www.ibm.com

CVSS3 base score: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.003 Low (percentile 68.9%)

Summary

IBM has released the fix below for IBM Db2® REST in response to multiple vulnerabilities found in Golang.

Vulnerability Details

CVEID: CVE-2022-41717
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a flaw when handling HTTP/2 requests in the Go server. By sending specially-crafted keys, a remote attacker could exploit this vulnerability to cause excessive memory growth, resulting in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-41716
**DESCRIPTION:** Golang Go could allow a remote attacker to bypass security restrictions, caused by improper checking of invalid environment variable values in syscall.StartProcess and os/exec.Cmd. By using a specially-crafted environment variable value, an attacker could exploit this vulnerability to set a value for a different environment variable.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
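A defensive input check for the CVE-2022-41716 class of issue, written as an added example for this bulletin (it is not IBM's or the Go project's code): it assumes the caller assembles a KEY=VALUE environment list for os/exec from partly untrusted input and rejects entries the child process could read as a second variable. The NUL-byte detail comes from the upstream Go fix rather than from this bulletin's text, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// checkEnvEntries validates a KEY=VALUE environment list before it reaches os/exec.
// It rejects embedded NUL bytes (the Windows environment block is NUL-separated, so
// "A=1\x00B=2" is seen by the child as two variables) and, as an extra defensive
// rule, entries that lack an '=' at all.
func checkEnvEntries(env []string) error {
	for i, entry := range env {
		switch {
		case strings.IndexByte(entry, 0) >= 0:
			return fmt.Errorf("env[%d]: contains NUL byte", i)
		case !strings.Contains(entry, "="):
			return fmt.Errorf("env[%d]: missing '='", i)
		}
	}
	return nil
}

// buildCommand creates the exec.Cmd only after the environment passes validation,
// so a single untrusted value cannot smuggle in an additional variable.
func buildCommand(name string, env []string, args ...string) (*exec.Cmd, error) {
	if err := checkEnvEntries(env); err != nil {
		return nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Env = env
	return cmd, nil
}

func main() {
	// Constructed sample: a value that tries to inject a second variable via NUL.
	untrusted := "USER_LANG=en\x00OTHER_VAR=injected"
	if _, err := buildCommand("/bin/echo", []string{"HOME=/tmp", untrusted}, "hello"); err != nil {
		fmt.Println("rejected:", err)
	}
	cmd, err := buildCommand("/bin/echo", []string{"HOME=/tmp", "USER_LANG=en"}, "hello")
	if err == nil {
		fmt.Println("accepted:", cmd.Env)
	}
}
```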

Affected Products and Versions

All platforms of the following IBM® Db2® REST levels are affected:

Affected Product(s): Db2 REST
Version(s): 1.0.0.121-amd64 through 1.0.0.230-amd64

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM® Db2® REST release containing the fix for these issues.

Product(s): Db2 REST
Fixed in Version(s): 1.0.0.240-amd64, 1.0.0.246-amd64, latest-amd64

Follow the instructions below to download IBM Db2 REST from the IBM Cloud Container Registry.

<https://www.ibm.com/docs/en/db2/11.5?topic=endpoints-downloading-rest-service>

Workarounds and Mitigations

None

Affected configurations (Vulners node): ibmdb2_for_linux-_unix_and_windows, match 11.5.8.0
