Lucene search

K
ibmIBM61A5F49C98ED0E931A594A7EF3775FE9DE4B809DC8B14E360291F73CF105BD40
HistoryDec 20, 2023 - 8:04 p.m.

Security Bulletin: Multiple vulnerabilities in open source libraries affect IBM® Db2® Federated.

2023-12-2020:04:44
www.ibm.com
16
ibm db2 federated
multiple vulnerabilities
open source libraries
december 01 2023
cve-2022-1471
snakeyaml
arbitrary code execution
cve-2022-25857
java package org.yaml:snakeyam
denial of service
cve-2022-41854
improper input validation
cve-2022-38752
stack-overflow
yaml files
cve-2022-38750
cve-2022-38749

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.021

Percentile

89.4%

Summary

Multiple vulnerabilities in open source libraries affect IBM® Db2® Federated. These vulnerabilities were fixed in the images published on December 01, 2023 but the CVEs were not included in the bulletin.

Vulnerability Details

**CVEID:**CVE-2022-1471 DESCRIPTION: SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

**CVEID:**CVE-2022-25857 DESCRIPTION: Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234864 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-41854 DESCRIPTION: snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-38752 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2022-38750 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235312 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2022-38749 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235313 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2022-38751 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235311 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s) Applicable Editions
IBM® Db2® 11.1.4.x Server
IBM® Db2® 11.5.x Server

All platforms are affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Release Fixed in fix pack APAR Download URL
V11.1 TBD DT239700 Special Build for V11.1.4 FP7: AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Solaris 64-bit, SPARC
Windows 32-bit, x86
Windows 64-bit, x86
V11.5 TBD DT239700 Special Build for V11.5.0: AIX 64-bit (for OS7.1)
Special Build for V11.5.8: AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Windows 32-bit, x86
Windows 64-bit, x86
V11.5.9:
https://www.ibm.com/support/pages/node/7071342

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdb2_for_linux\,_unix_and_windowsMatch11.5
OR
ibmdb2_for_linux\,_unix_and_windowsMatch11.1
VendorProductVersionCPE
ibmdb2_for_linux\,_unix_and_windows11.5cpe:2.3:a:ibm:db2_for_linux\,_unix_and_windows:11.5:*:*:*:*:*:*:*
ibmdb2_for_linux\,_unix_and_windows11.1cpe:2.3:a:ibm:db2_for_linux\,_unix_and_windows:11.1:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.021

Percentile

89.4%