Jun 01, 2022 - 3:37 p.m.

Security Bulletin: IBM Informix Dynamic Server is affected by privilege escalation vulnerabilities

2022-06-01 15:37:59
www.ibm.com

CVSS2: 7.2 High

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.0004 Low (Percentile: 12.6%)

Summary

IBM Informix Dynamic Server has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1630
DESCRIPTION: IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in onmode.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144430> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1631
DESCRIPTION: IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in oninit mongohash.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144431> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1632
DESCRIPTION: IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in IDS .infxdirs.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144432> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1633
DESCRIPTION: IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in onsrvapd.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144434> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1634
DESCRIPTION: IBM Informix Dynamic Server v12.10 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in infos.DBSERVERNAME.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144437> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1635
DESCRIPTION: Stack-based buffer overflow in oninit in IBM Informix Dynamic Server 12.10 allows an authenticated user to execute predefined code with root privileges, such as escalating to a root shell.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144439> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1636
DESCRIPTION: Stack-based buffer overflow in oninit in IBM Informix Dynamic Server 12.10 allows an authenticated user to execute predefined code with root privileges, such as escalating to a root shell.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144441> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2018-1796
DESCRIPTION: IBM Informix Dynamic Server could allow a local user to load malicious libraries and gain root privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149426> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4253
DESCRIPTION: IBM Informix Dynamic Server could allow a local privileged Informix user to load a malicious shared library and gain root access privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159941> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected IBM Informix Dynamic Server | Affected Versions
---|---
IBM Informix Dynamic Server on Linux platforms | 12.10.FC1 through 12.10.FC12

Remediation/Fixes

Upgrade Informix to 12.10.

Product | VRMF | Remediation / First Fix
---|---|---
IBM Informix Dynamic Server | 12.10.FC13 | Fix Central

Affected configurations

Vulners Node: ibm informix_dynamic_server, Match 12.1

CPE Name | Operator | Version
---|---|---
informix dynamic server | eq | 12.1
