Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager

2024-07-10 07:05:57
www.ibm.com

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score: 8.8 (Confidence: High)
EPSS: 0.001 (Percentile: 50.6%)

Summary

IBM Db2 is shipped as a component of IBM Security Key Lifecycle Manager (SKLM/GKLM). Information about multiple security vulnerabilities affecting IBM Db2 has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s) | Version(s)
—|—
IBM Security Guardium Key Lifecycle Manager | 4.0, 4.1, 4.1.1, 4.2, 4.2.1

Principal Product and Version(s) | Affected Supporting Product and Version
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0 | IBM Db2 11.1.4.4
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | IBM Db2 11.5.4
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | IBM Db2 11.5.8
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2 | IBM Db2 11.5.8
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | IBM Db2 11.5.9

Remediation/Fixes

1. Security Bulletin: IBM® Db2® is affected by a vulnerability in the open source zlib library. (CVE-2023-45853)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® is affected by a vulnerability in the open source zlib library. (CVE-2023-45853)

2. Security Bulletin: IBM® Db2® is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. (CVE-2023-29267)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. (CVE-2023-29267)

3. Security Bulletin: IBM® Db2® federated server is affected by vulnerabilities in the open source commons-compress library. (CVE-2024-25710, CVE-2024-26308)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® federated server is affected by vulnerabilities in the open source commons-compress library. (CVE-2024-25710, CVE-2024-26308)

4. Security Bulletin: IBM® Db2® is vulnerable to a denial of service when a specially crafted request is used via CLI. (CVE-2023-45178)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® is vulnerable to a denial of service when a specially crafted request is used via CLI. (CVE-2023-45178)

5. Security Bulletin: IBM® Db2® is vulnerable to a denial of service with a specially crafted query under certain conditions. (CVE-2024-28762)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® is vulnerable to a denial of service with a specially crafted query under certain conditions. (CVE-2024-28762)

6. Security Bulletin: IBM® Db2® NSE (Net Search Extender) is affected by a vulnerability in the open source Expat library. (CVE-2024-28757)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® NSE (Net Search Extender) is affected by a vulnerability in the open source Expat library. (CVE-2024-28757)

7. Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in the open source netty-codec-http library. (CVE-2024-29025)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in the open source netty-codec-http library. (CVE-2024-29025)

8. Security Bulletin: IBM® Db2® federated server is affected by vulnerabilities in the open source commons-configuration2 library. (CVE-2024-29131, CVE-2024-29133)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® federated server is affected by vulnerabilities in the open source commons-configuration2 library. (CVE-2024-29131, CVE-2024-29133)

9. Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted statement. (CVE-2024-31880)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted statement. (CVE-2024-31880)

10. Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted query on certain columnar tables. (CVE-2024-31881)

Principal Product and Version(s) | Remediation/Fixes
—|—
IBM Security Key Lifecycle Manager (SKLM) v4.0, v4.1, v4.1.1, v4.2; IBM Security Guardium Key Lifecycle Manager (GKLM) v4.2.1 | Please consult the following security bulletin from IBM Db2 for more detail: Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted query on certain columnar tables. (CVE-2024-31881)

Workarounds and Mitigations

None

Affected configurations

Vendor | Product | Version | CPE
—|—|—|—
ibm | security_guardium_key_lifecycle_manager | 4.0 | cpe:2.3:a:ibm:security_guardium_key_lifecycle_manager:4.0:*:*:*:*:*:*:*
ibm | security_guardium_key_lifecycle_manager | 4.1 | cpe:2.3:a:ibm:security_guardium_key_lifecycle_manager:4.1:*:*:*:*:*:*:*
ibm | security_guardium_key_lifecycle_manager | 4.1.1 | cpe:2.3:a:ibm:security_guardium_key_lifecycle_manager:4.1.1:*:*:*:*:*:*:*
ibm | security_guardium_key_lifecycle_manager | 4.2 | cpe:2.3:a:ibm:security_guardium_key_lifecycle_manager:4.2:*:*:*:*:*:*:*
ibm | security_guardium_key_lifecycle_manager | 4.2.1 | cpe:2.3:a:ibm:security_guardium_key_lifecycle_manager:4.2.1:*:*:*:*:*:*:*
