Security Bulletin: Multiple vulnerabilities in IBM Db2 for Linux, UNIX and Windows affect Cloud Pak System (CVE-2022-22389, CVE-2022-22390)

Summary

IBM Db2 for Linux, UNIX and Windows is shipped with Cloud Pak System PSM and as PatternType (pType) . Cloud Pak System has addressed vulnerabilities.

Vulnerability Details

CVEID:CVE-2022-22389
**DESCRIPTION:**IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user. IBM X-Force ID: 2219740.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221970 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-22390
**DESCRIPTION:**IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an information disclosure caused by improper privilege management when table function is used. IBM X-Force ID: 221973.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221973 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

For unsupported version/release/platform IBM recommends upgrading to a fixed, supported version/release/platform of the product.

In response to Db2 vulnerabilities IBM Cloud Pak System support Db2 v11.5.0.8 with new Cloud Pak System v2.3.3.6 on Intel.

The recommended solution is to apply the fix as reported below as soon as practical.

For IBM Cloud Pak System V2.3.0.1, v2.3.3.0, v.2.3.3.1, v.2.3.3.2, v.2.3.3.3, v2.3.3.3 iFix 1, v2.3.3.4, v2.3.3.5

Upgrade to Cloud Pak System v2.3.3.6 available at FixCentral.

Information on upgrading can be found here: http://www.ibm.com/support/docview.wss?uid=ibm10887959.

Workarounds and Mitigations

None