Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5EAA84917056EE81AB3BD28C34B35A8D21285B015168F950DDAA2108E582B1B5
HistoryMar 31, 2020 - 9:48 p.m.

Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server (CVE-2019-4057, CVE-2019-4101, CVE-2019-4154, CVE-2019-4386, CVE-2019-4322)

2020-03-3121:48:22
www.ibm.com
4

0.001 Low

EPSS

Percentile

45.9%

JSON

Summary

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by multiple IBM Db2 vulnerabilities such as buffer overflow and denial of service. UPDATED: 3/31/2020 to add 7.1 fix.

Vulnerability Details

CVEID:CVE-2019-4057
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root. IBM X-Force ID: 156567.
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156567 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-4101
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 is vulnerable to a denial of service. Users that have both EXECUTE on PD_GET_DIAG_HIST and access to the diagnostic directory on the DB2 server can cause the instance to crash. IBM X-Force ID: 158091.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158091 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-4154
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-Force ID: 158519.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158519 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-4386
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow an authenticated user to execute a function that would cause the server to crash. IBM X-Force ID: 162714.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162174 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-4322
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-Force ID: 161202.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161202 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Protect (formerly Tivoli Storage Manager) Server 8.1.0.000-8.1.8.xxx
IBM Spectrum Protect (formerly Tivoli Storage Manager Server 7.1.0.000-7.1.9.xxx

Remediation/Fixes

Spectrum Protect Server Release First Fixing VRM Level Platform Link to Fix
8.1 8.1.9 AIX
Linux
Windows <https://www.ibm.com/support/docview.wss?uid=ibm11106253&gt;
7.1 7.1.10 AIX
HP-UX
Linux
Solaris
Windows <https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/&gt;

Workarounds and Mitigations

None

Related

ibm 12
nessus 4
prion 5
cve 5
cvelist 5
nvd 5
ibm
ibm
Security Bulletin: IBM Security Key Lifecycle Manager uses Components with Known Vulnerabilities (CVE-2019-4322 CVE-2019-4386 CVE-2019-4154 CVE-2019-4102 CVE-2019-4101 CVE-2019-4057)
2019-09-19 21:48:41
Security vulnerabilities have been identified in IBM DB2 shipped with IBM Maximo Asset Management (CVE-2019-4322, CVE-2019-4102, CVE-2019-4057, CVE-2019-4101, CVE-2019-4386, CVE-2019-4154)
2019-07-12 15:30:02
Security Bulletin: [All] IBM DB2 (Publicly disclosed vulnerability) shipped with IBM Maximo APM - Predictive Maintenance Insights On-Premise
2019-07-22 04:30:01
nessus
nessus
IBM DB2 9.7 < FP11 Special Build 38744 / 10.1 < FP6 Special Build 38745 / 10.5 < FP10 Special Build 38746 / 11.1 < M4FP5 Buffer Overflow Vulnerability (UNIX)
2019-07-12 00:00:00
IBM DB2 9.7 < FP11 Special Build 38744 / 10.1 < FP6 Special Build 38745 / 10.5 < FP10 Special Build 38746 / 11.1.4 < FP4a Special Build 38747 Buffer Overflow Vulnerability (Windows)
2019-07-12 00:00:00
IBM DB2 9.7 < FP11 39672 / 10.1 < FP6 39678 / 10.5 < FP10 39688 / 11.1.4 < FP5 39693 / 11.5 < FP0 39711 Multiple Vulnerabilities (UNIX)
2020-02-28 00:00:00
prion
prion
Code injection
2019-07-01 15:15:00
Buffer overflow
2019-07-01 15:15:00
Design/Logic Flaw
2019-07-01 15:15:00
cve
cve
CVE-2019-4386
2019-07-01 15:15:13
CVE-2019-4322
2019-07-01 15:15:12
CVE-2019-4101
2019-07-01 15:15:12
cvelist
cvelist
CVE-2019-4386
2019-06-27 00:00:00
CVE-2019-4322
2019-06-27 00:00:00
CVE-2019-4057
2019-06-27 00:00:00
nvd
nvd
CVE-2019-4386
2019-07-01 15:15:13
CVE-2019-4057
2019-07-01 15:15:11
CVE-2019-4322
2019-07-01 15:15:12

0.001 Low

EPSS

Percentile

45.9%

JSON
Related for 5EAA84917056EE81AB3BD28C34B35A8D21285B015168F950DDAA2108E582B1B5
ibm12nessus4prion5cve5cvelist5nvd5