History: Mar 19, 2024 - 11:50 a.m.

Security Bulletin: IBM Db2 and IBM Java SDK used by IBM Security Verify Governance - Identity Manager have multiple vulnerabilities

Published: 2024-03-19 11:50:19
Source: www.ibm.com
Tags: ibm security verify governance - identity manager, ibm db2, ibm java sdk, vulnerabilities, security bulletin, denial of service, information disclosure, privilege management
CVEs: CVE-2022-43929, CVE-2022-43927, CVE-2014-3577, CVE-2022-43930, CVE-2023-50308, CVE-2023-45193, CVE-2023-47152, CVE-2023-47141, CVE-2023-47158, CVE-2023-47145, CVE-2023-47747, CVE-2023-27859, CVE-2023-47746

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: NONE

CVSS3: 8.4 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 7.9 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 74.9%)

Summary

Information about security vulnerabilities affecting IBM DB2 and IBM Java has been published in security bulletins. IBM Security Verify Governance - Identity Manager ships with IBM DB2 and IBM Java SDK.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Verify Governance Identity Manager Container | ISVG 10.0.2 |
| IBM Security Verify Governance, Identity Manager software component | ISVG 10.0.2 |

Remediation/Fixes

IBM encourages customers to update their systems promptly.

| Principal Product and Version(s) | Affected Supporting Product and Version(s) | Affected Supporting Product Security Bulletin |
|---|---|---|
| ISVG 10.0.2 | Db2 v11.1, V11.5 | Security: IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted ‘Load’ command. (CVE-2022-43929) <https://www.ibm.com/support/pages/node/6953763> |
| ISVG 10.0.2 | Db2 v10.5, V11.1, V11.5 | Security: IBM® Db2® is vulnerable to an information disclosure vulnerability due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927) <https://www.ibm.com/support/pages/node/6953759> |
| ISVG 10.0.2 | Db2 v10.5, V11.1, V11.5 | Security: IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577) <https://www.ibm.com/support/pages/node/6953757> |
| ISVG 10.0.2 | Db2 v10.5, V11.1, V11.5 [Windows only] | Security: IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) <https://www.ibm.com/support/pages/node/6953755> |
| ISVG 10.0.2 | Db2 v11.5 | Security Bulletin: IBM® Db2® is vulnerable to a denial of service when a statement is run on columnar tables under specific conditions. (CVE-2023-50308) <https://www.ibm.com/support/pages/node/7105506> |
| ISVG 10.0.2 | Db2 v11.5 | Security Bulletin: IBM® Db2® is vulnerable to a denial of service when a specially crafted cursor is used. (CVE-2023-45193) <https://www.ibm.com/support/pages/node/7105501> |
| ISVG 10.0.2 | Db2 v11.5 | Security Bulletin: IBM® Db2® Federated is affected by a vulnerability in the consumed open source presto-jdbc library that may lead to information disclosure. <https://www.ibm.com/support/pages/node/7105499> |
| ISVG 10.0.2 | Db2 v11.5 | Security Bulletin: IBM® Db2® is vulnerable to an insecure cryptographic algorithm and to information disclosure in stack trace under exceptional conditions. (CVE-2023-47152) <https://www.ibm.com/support/pages/node/7105605> |
| ISVG 10.0.2 | Db2 v11.5 | Security Bulletin: IBM® Db2® is vulnerable to denial of service with a specially crafted query. (CVE-2023-47141) <https://www.ibm.com/support/pages/node/7105497> |
| ISVG 10.0.2 | Db2 v10.5, 11.1, 11.5 | Security Bulletin: IBM® Db2® is vulnerable to denial of service with a specially crafted query. (CVE-2023-47158) <https://www.ibm.com/support/pages/node/7105496> |
| ISVG 10.0.2 | Db2 v10.5, 11.1, 11.5 | Security Bulletin: IBM® Db2® is vulnerable to a privilege escalation to SYSTEM user via MSI repair functionality on Windows. (CVE-2023-47145) <https://www.ibm.com/support/pages/node/7105500> |
| ISVG 10.0.2 | Db2 v10.5, 11.1, 11.5 | Security Bulletin: IBM® Db2® is vulnerable to a denial of service when using a specially crafted query. (CVE-2023-47747) <https://www.ibm.com/support/pages/node/7105502> |
| ISVG 10.0.2 | Db2 v10.5, 11.1, 11.5 | Security Bulletin: IBM® Db2® is vulnerable to remote code execution caused by installing like-named jar files across multiple databases. (CVE-2023-27859) <https://www.ibm.com/support/pages/node/7105503> |
| ISVG 10.0.2 | Db2 v10.5, 11.1, 11.5 | Security Bulletin: IBM® Db2® is vulnerable to a denial of service when a specially crafted query is used. (CVE-2023-47746) <https://www.ibm.com/support/pages/node/7105505> |
| ISVG 10.0.2 | Db2 V10.5, V11.1, V11.5 | Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (Oct 2023 CPU) <https://www.ibm.com/support/pages/node/7105239> |

Workarounds and Mitigations

None

Affected configurations (Vulners)

| CPE Name | Operator | Version |
|---|---|---|
| ibm security verify governance | eq | 10.0.2 |
