CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
73.8%
IBM Data Virtualization on Cloud Pak for Data embeds a variant of the IBM Db2 database server that runs in MPP mode. For MPP functionality such as scale-out, internally the server uses the secure shell (SSH) protocol for inter-pod communication. SSH protocol is not exposed to external users or processes. Data Virtualization uses OpenSSH packages for SSH. OpenSSH is vulnerable to CVE-2024-6387, which can allow a remote attacker to run arbitrary code as a privileged user on the system by using a specially crafted request.
CVEID:CVE-2024-6387
**DESCRIPTION:**OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Data Virtualization Version(s) | Cloud Pak for Data Version(s) |
---|---|---|
IBM Data Virtualization on Cloud Pak for Data | 3.0.0 | 5.0.0 |
IBM strongly recommends addressing the vulnerability now.
Affected Product
|
Data Virtualization Version
|
Cloud Pak for Data Version
|
Fixes
—|—|—|—
IBM Data Virtualization on Cloud Pak for Data
|
3.0.0
|
5.0.0
|
Follow the instructions to apply the patch and update the affected images.
Use the following patched image digest values :
1. For db2u.watsonquery image:
sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e
2. For db2u.dv.utils image:
sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe
Important:
Before you begin:
To apply the patch, complete steps A and B:
A. Create a new section in the db2u-release ConfigMap:
This new section has the same value as the 12.1.0.0 section, other than the digest values for the**db2u.watsonquery anddb2u.dv.dvutils **images.
1. To check which namespace the db2u-release ConfigMap is in, run the following command:
oc get configmap -A | grep db2u-release
2. Specify the namespace as the value for DB2U_OPERATOR_NAMESPACE:
DB2U_OPERATOR_NAMESPACE=[add the operator namespace value here]
oc project ${DB2U_OPERATOR_NAMESPACE}
oc edit configmap db2u-release
3. Copy the 12.1.0.0 section and add a new section after it. Name the new section12.1.0.0-sb1_._Add a comma “,“ to separate12.1.0.0and12.1.0.0-sb1sections. Don’t change the existing**12.1.0.0 **section.
4. In the 12.1.0.0-sb1 section, make the following changes:
i. Change “watsonquery”: icr.io/db2u/db2u.watsonquery@sha256:c69dcfe77773bfe9ddd83ea6436f036ed329a7dbe8bcd05f56a0699debfc3eaa to “watsonquery”: icr.io/db2u/db2u.watsonquery@sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e
ii. Change “dvutils”: icr.io/db2u/db2u.dv.utils@sha256:4b58edae6e92f43c7977ae10ddad4bba89053b96df4f9b4590dbdeca15ac6dbd to “dvutils”: icr.io/db2u/db2u.dv.utils@sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe
Note: The new12.1.0.0-sb1section must include all listed images from the12.1.0.0section. The only difference between12.1.0.0-sb1and12.1.0.0 is the digest value of icr.io/db2u/db2u.watsonquery and icr.io/db2u/db2u.dv.utils images.
B. Update Db2uCluster db2u-dv custom resource (CR):
Complete the following steps for each Data Virtualization instance.
1. Update the DV_INSTANCE_NAMESPACE value with the namespace of the Data Virtualization instance that you are patching.
DV_INSTANCE_NAMESPACE=[add the Data Virtualization instance namespace value here]
echo ${DV_INSTANCE_NAMESPACE}
Check the value of DV_INSTANCE_NAMESPACE and verify that you are operating on the correct Data Virtualization instance before proceeding.
oc project ${DV_INSTANCE_NAMESPACE}
oc get db2ucluster db2u-dv -o yaml | grep -i 12.1.0.0 | grep -v “-”
Ensure that the line or lines that are displayed include only the version 12.1.0.0.
2. Update Db2uCluster db2u-dv custom resource CR with the new version and the upgrade/bigsql annotation:
oc project ${DV_INSTANCE_NAMESPACE}
oc patch db2ucluster db2u-dv --type merge -p ‘{“spec”:{“version”:“12.1.0.0-sb1”}}’
oc annotate db2ucluster db2u-dv “upgrade/bigsql”=“”
3. Wait for the Data Virtualization head pod (c-db2u-dv-db2u-0), Data Virtualization worker pods (c-db2u-dv-db2u-X and where X would be 1-n for each of the worker pods), Data Virtualization utils pod (c-db2u-dv-dvutils-0) pod to restart. Check the time the pods have been running to ensure that the pods were restarted after you completed the previous steps:
oc get pods | grep -e c-db2u-dv-db2u -e c-db2u-dv-dvutils
4. Verify that the c-db2u-dv-db2u statefulset has the new digest value:
oc get sts c-db2u-dv-db2u -o yaml | grep -i b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e
5. Verify that the c-db2u-dv-dvutils statefulset has the new digest value:
oc get sts c-db2u-dv-dvutils -o yaml | grep -i 2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe
6. After the Data Virtualization head, worker and dvutils pods restart successfully, run the following command to remove the upgrade/bigsql annotation:
oc annotate db2ucluster db2u-dv “upgrade/bigsql”-
The patch is now applied. The patch updates the OpenSSH package in the affected images to an OpenSSH version with a fix for CVE-2024-6387**. **
End of document
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | data_virtualization_on_cloud_pak_for_data | 3.0.0 | cpe:2.3:a:ibm:data_virtualization_on_cloud_pak_for_data:3.0.0:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
73.8%