Oct 10, 2019 - 7:56 p.m.

Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9.

2019-10-10 19:56:25
www.ibm.com
5

EPSS: 0.002 (Low)
Percentile: 60.2%

Summary

IBM DB2 is shipped with IBM License Metric Tool.
Information about security vulnerabilities affecting IBM DB2 has been published in a security bulletin.

Vulnerability Details

CVEID: CVE-2019-4322
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/161202> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4102
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158092> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-4057
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156567> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4101
DESCRIPTION: DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service. Users that have both EXECUTE on PD_GET_DIAG_HIST and access to the diagnostic directory on the DB2 server can cause the instance to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158091> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4154
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158519> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM License Metric Tool v9.x

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes:

<https://www-01.ibm.com/support/docview.wss?uid=ibm10884444>

<https://www-01.ibm.com/support/docview.wss?uid=ibm10880743>

<https://www-01.ibm.com/support/docview.wss?uid=ibm10880735>

<https://www-01.ibm.com/support/docview.wss?uid=ibm10880741>

<https://www-01.ibm.com/support/docview.wss?uid=ibm10880737>

Workarounds and Mitigations

None

CPE

Name | Operator | Version
ibm license metric tool | eq | 9.2
