Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM79E57D1810864FB88AE402B0D0FBC2C3D47A6CACCE26265703FEBCAF055E5EA0
HistoryNov 05, 2019 - 10:46 p.m.

Security Bulletin: Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product

2019-11-0522:46:42
www.ibm.com
8

0.002 Low

EPSS

Percentile

60.3%

JSON

Summary

DB2 contains several vulnerabilities which can affect the IBM Performance Management product. Some of the information about security vulnerabilities affecting DB2 has been published in security bulletins.

Vulnerability Details

CVEID: CVE-2019-4057 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow malicious user with access to the DB2 instance account to leverage a fenced execution process to execute arbitrary code as root.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156567&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4101 DESCRIPTION: DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service. Users that have both EXECUTE on PD_GET_DIAG_HIST and access to the diagnostic directory on the DB2 server can cause the instance to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158091&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4102 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158092&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-4154 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158519&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4386 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to execute a function that would cause the server to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162174&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4322 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/161202&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details of these vulnerabilities can be found in the following security bulletins:

Security Bulletin: Multiple buffer overflow vulnerabilities exist in IBM Db2 leading to privilege escalation (CVE-2019-4322).
Security Bulletin: IBM Db2 is vulnerable to denial of service (CVE-2019-4386).
Security Bulletin: IBM Db2 is vulnerable to buffer overflow leading to potential arbitrary code execution as root (CVE-2019-4154).
Security Bulletin: IBM Db2 does not explicitly forbid a weaker than expected 3DES cipher when configured to use SSL (CVE-2019-4102).
Security Bulletin: Under specialized conditions, IBM Db2 is vulnerable to denial of service (CVE-2019-4101).
Security Bulletin: IBM Db2 is vulnerable to privilege escalation to root via malicious use of fenced user (CVE-2019-4057).

Affected Products and Versions

IBM Cloud Application Performance Management, Base Private 8.1.4
IBM Cloud Application Performance Management, Advanced Private 8.1.4

IBM Monitoring , 8.1.3

IBM Application Diagnostics, 8.1.3

IBM Application Performance Management, 8.1.3

IBM Application Performance Management Advanced, 8.1.3

Remediation/Fixes

Product Product VRMF Remediation

IBM Cloud Application Performance Management Base Private

IBM Cloud Application Performance Management Advanced Private

| 8.1.4 |

The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5, or V11.1 server. The fixes can be accessed from the following security bulletins:Security Bulletin: Multiple buffer overflow vulnerabilities exist in IBM Db2 leading to privilege escalation (CVE-2019-4322).
Security Bulletin: IBM Db2 is vulnerable to denial of service (CVE-2019-4386).
Security Bulletin: IBM Db2 is vulnerable to buffer overflow leading to potential arbitrary code execution as root (CVE-2019-4154).
Security Bulletin: IBM Db2 does not explicitly forbid a weaker than expected 3DES cipher when configured to use SSL (CVE-2019-4102).
Security Bulletin: Under specialized conditions, IBM Db2 is vulnerable to denial of service (CVE-2019-4101).
Security Bulletin: IBM Db2 is vulnerable to privilege escalation to root via malicious use of fenced user (CVE-2019-4057).

To use your updated DB2 V10.5, or V11.1 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.4.0&platform=All&function=all

IBM Monitoring

IBM Application Diagnostics

IBM Application Performance Management

IBM Application Performance Management Advanced

| 8.1.3 |

The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V10.5 server. The fixes can be accessed from the following security bulletins:

Security Bulletin: Multiple buffer overflow vulnerabilities exist in IBM Db2 leading to privilege escalation (CVE-2019-4322).
Security Bulletin: IBM Db2 is vulnerable to buffer overflow leading to potential arbitrary code execution as root (CVE-2019-4154).
Security Bulletin: IBM Db2 does not explicitly forbid a weaker than expected 3DES cipher when configured to use SSL (CVE-2019-4102).
Security Bulletin: Under specialized conditions, IBM Db2 is vulnerable to denial of service (CVE-2019-4101).
Security Bulletin: IBM Db2 is vulnerable to privilege escalation to root via malicious use of fenced user (CVE-2019-4057).

To use your updated DB2 V10.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.3.0-IBM-IPM-SERVER-IF0011 or later server patch to the system where the APM server is installed. Interim fixes for the APM server version 8.1.3 are available to download from IBM Fix Central at this link: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Performance%20Management%20family&product=ibm/Tivoli/IBM+Application+Performance+Management+Advanced&release=8.1.3.0&platform=All&function=all

Workarounds and Mitigations

None

Related

ibm 13
nessus 4
prion 6
nvd 6
cve 6
cvelist 6
ibm
ibm
Security Bulletin: IBM Security Key Lifecycle Manager uses Components with Known Vulnerabilities (CVE-2019-4322 CVE-2019-4386 CVE-2019-4154 CVE-2019-4102 CVE-2019-4101 CVE-2019-4057)
2019-09-19 21:48:41
Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with Predictive Maintenance and Quality
2019-07-22 04:25:01
Security vulnerabilities have been identified in IBM DB2 shipped with IBM Maximo Asset Management (CVE-2019-4322, CVE-2019-4102, CVE-2019-4057, CVE-2019-4101, CVE-2019-4386, CVE-2019-4154)
2019-07-12 15:30:02
nessus
nessus
IBM DB2 9.7 < FP11 Special Build 38744 / 10.1 < FP6 Special Build 38745 / 10.5 < FP10 Special Build 38746 / 11.1 < M4FP5 Buffer Overflow Vulnerability (UNIX)
2019-07-12 00:00:00
IBM DB2 9.7 < FP11 Special Build 38744 / 10.1 < FP6 Special Build 38745 / 10.5 < FP10 Special Build 38746 / 11.1.4 < FP4a Special Build 38747 Buffer Overflow Vulnerability (Windows)
2019-07-12 00:00:00
IBM DB2 9.7 < FP11 39672 / 10.1 < FP6 39678 / 10.5 < FP10 39688 / 11.1.4 < FP5 39693 / 11.5 < FP0 39711 Multiple Vulnerabilities (UNIX)
2020-02-28 00:00:00
prion
prion
Code injection
2019-07-01 15:15:00
Buffer overflow
2019-07-01 15:15:00
Design/Logic Flaw
2019-07-01 15:15:00
nvd
nvd
CVE-2019-4386
2019-07-01 15:15:13
CVE-2019-4102
2019-07-01 15:15:12
CVE-2019-4154
2019-07-01 15:15:12
cve
cve
CVE-2019-4386
2019-07-01 15:15:13
CVE-2019-4102
2019-07-01 15:15:12
CVE-2019-4322
2019-07-01 15:15:12
cvelist
cvelist
CVE-2019-4386
2019-06-27 00:00:00
CVE-2019-4322
2019-06-27 00:00:00
CVE-2019-4102
2019-06-27 00:00:00

0.002 Low

EPSS

Percentile

60.3%

JSON
Related for 79E57D1810864FB88AE402B0D0FBC2C3D47A6CACCE26265703FEBCAF055E5EA0
ibm13nessus4prion6nvd6cve6cvelist6