Security Bulletin: IBM Db2 Mirror for i is vulnerable to an attacker obtaining sensitive information due to a vulnerability in web browser clients (CVE-2023-47741).

Published: 2023-12-15 17:38:55
Source: www.ibm.com
Tags: ibm db2 mirror for i, vulnerability, web browser clients, clear-text passwords, memory, data visibility, cve-2023-47741, ibm i operating system, ptf, si85393, si85394

CVSS3: 5.3
Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score: 6.3
Confidence: High
EPSS: 0.001
Percentile: 20.7%

Summary

IBM Db2 Mirror for i GUI is a web browser client interface implementation. The browser implementation could allow sensitive information including passwords to be left in memory which could be viewed using common tools for viewing process information on a PC (CVE-2023-47741). IBM Db2 Mirror for i has addressed this issue by reducing the amount of time the sensitive data is visible in memory as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2023-47741
DESCRIPTION: IBM i web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/272532 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
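The description above concerns the window between a clear-text password being used in a browser client and that memory being garbage collected. The following is an added example, not IBM's code and not a description of the Db2 Mirror for i fix; it shows the general pattern a web client can use to shorten that window: keep the secret in a mutable typed array that the code wipes itself, instead of in an immutable JavaScript string that lingers until the collector runs. `withSecretBytes`, `isZeroed` and `demo` are hypothetical names, and the "hunter2" value is a constructed sample.

```javascript
// Added illustration (not from the IBM bulletin): minimise how long a
// clear-text secret stays readable in a browser/JS process.
// JS strings are immutable, so they cannot be overwritten and remain in
// memory until garbage collection. A Uint8Array can be zeroed in place,
// so the secret's bytes are held there and wiped right after use.
// Caveat: the original string (e.g. from an input field) is still subject
// to GC timing; this pattern avoids creating further long-lived copies.

const encoder = new TextEncoder();

// Copy `secret` into a mutable buffer, pass it to `use`, then wipe the
// buffer even if `use` throws. Returns whatever `use` returns.
function withSecretBytes(secret, use) {
  const buf = encoder.encode(secret); // Uint8Array, mutable
  try {
    return use(buf);
  } finally {
    buf.fill(0); // overwrite in place; do not rely on the collector
  }
}

// True when every byte of the buffer has been overwritten with zero.
function isZeroed(buf) {
  return buf.every((b) => b === 0);
}

// Constructed demo: compute a byte sum from the secret (stand-in for any
// real consumer such as a key-derivation step), then confirm the buffer
// handed to the consumer no longer holds the secret.
function demo() {
  let captured;
  const sum = withSecretBytes("hunter2", (buf) => {
    captured = buf;
    return buf.reduce((a, b) => a + b, 0);
  });
  return { sum, cleared: isZeroed(captured) };
}

// demo() -> { sum: 712, cleared: true }
```

The consumer only ever sees the buffer for the duration of the callback, and the `finally` block guarantees the wipe runs on both the normal and error paths, which is the property that matters when the threat is someone reading process memory after the fact.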

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Db2 Mirror for i | 7.4
IBM Db2 Mirror for i | 7.5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

The vulnerability can be fixed by applying a PTF to IBM i. Releases 7.5 and 7.4 of IBM Db2 Mirror for i are supported and will be fixed.

The PTF numbers containing the fix for this vulnerability are in the following table.

Affected Product(s) | Version(s) | 5770-DBM PTF Number for Remediation
---|---|---
IBM Db2 Mirror for i | 7.4 | SI85393
IBM Db2 Mirror for i | 7.5 | SI85394

https://www.ibm.com/support/fixcentral

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations

None

Affected configurations

Match: ibm db2_mirror_for_i 7.4.0 OR ibm db2_mirror_for_i 7.5.0

Vendor | Product | Version | CPE
---|---|---|---
ibm | db2_mirror_for_i | 7.4.0 | cpe:2.3:a:ibm:db2_mirror_for_i:7.4.0:*:*:*:*:*:*:*
ibm | db2_mirror_for_i | 7.5.0 | cpe:2.3:a:ibm:db2_mirror_for_i:7.5.0:*:*:*:*:*:*:*
