Lucene search

K
ibmIBM4A5587C36160A8E5AD6D30CB5EEBED106356E54E720A8AAE2158FE259FCF428A
HistoryJul 19, 2023 - 8:29 p.m.

Security Bulletin: IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to SnakeYaml [CVE-2022-1471]

2023-07-1920:29:29
www.ibm.com
32

0.008 Low

EPSS

Percentile

81.7%

Summary

SnakeYaml is a YAML Ainโ€™t Markup Language parser used by Db2 Web Query in the underlying WebFOCUS base product. SnakeYaml could allow arbitrary code execution as described in the vulnerability details section. Db2 Web Query has addressed the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2022-1471
**DESCRIPTION:**SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Db2 Web Query for i 2.3.0
IBM Db2 Web Query for i 2.4.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Release 2.3.0 and 2.4.0 are supported and can be fixed by applying Program Temporary Fixes (PTFs) to the IBM i.

The PTF numbers containing the fix for this vulnerability are in the following table.

IBM Db2 Web Query for i Release 5733WQX PTFs to apply for remediation IBM i Release 5733WQX Group PTF - Level to apply for remediation
2.3.0

| 7.5| SF99671 - 09
7.4| SF99654 - 09
7.3| SF99533 - 09
2.4.0|

SI83837

SI83838

| |

Important note:_
IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of affected products._

Workarounds and Mitigations

None