Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities (CVE-2023-2454, CVE-2023-2455)

Summary

IBM Data Risk Manager (IDRM) 2.0.6.18, which is the only supported version, is affected by multiple vulnerabilities. The vulnerabilities have been addressed in the updated version of IDRM 2.0.6.19. Please see the remediation steps below to apply the fix. All customers are encouraged to act quickly to update their systems.

Vulnerability Details

CVEID:CVE-2023-2454
**DESCRIPTION:**PostgreSQL could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in CREATE SCHEMA … schema_element. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code as the bootstrap superuser on the system.
CVSS Base score: 6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256215 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-2455
**DESCRIPTION:**PostgreSQL could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with row security policies disregard user ID changes after inlining. By sending a specially crafted request, an attacker could exploit this vulnerability to allow incorrect policies to be applied.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256218 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

To obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.18, and then apply the latest FixPack 2.0.6.19.

Workarounds and Mitigations

None