Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7BC47A37CB063B866958DEDF63C8A2C39EEA14B3F2C2DF994F5D5314EDEE59C3
HistoryDec 13, 2021 - 4:47 p.m.

Security Bulletin: DB2 bundled with IBM i2 Analyze is affected by multiple vulnerabilities (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926)

2021-12-1316:47:46
www.ibm.com
6
ibm i2 analyze
db2
vulnerabilities
cve-2021-38931
cve-2021-29678
cve-2021-20373
cve-2021-39002
cve-2021-38926

EPSS

0.001

Percentile

46.4%

JSON

Summary

IBM i2 Analyze bundles DB2. IBM DB2 has issued fixes for multiple security vulnerabilities.

Vulnerability Details

CVEID:CVE-2021-38931
**DESCRIPTION:**IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. IBM X-Force ID: 210418.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-29678
**DESCRIPTION:**IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. IBM X-Force ID: 199914.
CVSS Base score: 8.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199914 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

CVEID:CVE-2021-20373
**DESCRIPTION:**IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195521 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-39002
**DESCRIPTION:**IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213217 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-38926
**DESCRIPTION:**IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 210321.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210321 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM i2 Analyze IBM i2 Analyze 4.3.1
IBM i2 Analyze IBM i2 Analyze 4.3.0
IBM i2 Analyze IBM i2 Analyze 4.3.2

Remediation/Fixes

If using DB2, please refer to the following DB2 Security Bulletins and follow the remediation guidance they outline

Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678)
<https://www.ibm.com/support/pages/node/6523806&gt;
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373)
<https://www.ibm.com/support/pages/node/6523804&gt;
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002)
<https://www.ibm.com/support/pages/node/6523802&gt;
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926)
<https://www.ibm.com/support/pages/node/6523808&gt;
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. (CVE-2021-38931)
<https://www.ibm.com/support/pages/node/6523810&gt;
Affected Db2 releases: V11.1, V11.5

Workarounds and Mitigations

None

Related

ibm 22
nessus 8
prion 5
cve 5
cnvd 5
cvelist 5
nvd 5
ibm
ibm
Security Bulletin: Multiple vulnerabilities found in IBM DB2 which is shipped with IBM® Intelligent Operations Center(CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926)
2022-09-08 06:57:06
Security Bulletin: Multiple vulnerabilities in IBM Db2 affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition
2021-12-23 16:29:36
Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2®
2022-01-19 21:32:21
nessus
nessus
IBM DB2 9.7 < 9.7 FP11 40985 / 10.1 < 10.1 FP6 40986 / 10.5 < 10.5 FP11 40988 / 11.1 < 11.1.4 FP6 41025 / 11.5 < 11.5.7 Information Disclosure (Windows)
2022-02-08 00:00:00
IBM DB2 9.7 < 9.7.0 FP11 40985 / 10.1 < 10.1.0 FP6 40986 / 10.5 < 10.5.0 FP11 40988 / 11.1 < 11.1.4 FP6 40997 / 11.5 < 11.5.7 Information Disclosure (Unix)
2022-02-08 00:00:00
IBM DB2 11.1 < 11.1.4 FP 6 41025 / 11.5 < 11.5.7 Information Disclosure (Windows)
2022-01-28 00:00:00
prion
prion
Code injection
2021-12-09 17:15:00
Design/Logic Flaw
2021-12-09 17:15:00
Information disclosure
2021-12-09 17:15:00
cve
cve
CVE-2021-38926
2021-12-09 17:15:07
CVE-2021-29678
2021-12-09 17:15:07
CVE-2021-38931
2021-12-09 17:15:07
cnvd
cnvd
IBM Db2 Information Disclosure Vulnerability (CNVD-2022-08971)
2021-12-13 00:00:00
IBM Db2 Access Control Error Vulnerability
2021-12-12 00:00:00
IBM Db2 Information Disclosure Vulnerability (CNVD-2022-08972)
2021-12-10 00:00:00
cvelist
cvelist
CVE-2021-38926
2021-12-09 17:00:27
CVE-2021-29678
2021-12-09 17:00:26
CVE-2021-38931
2021-12-09 17:00:29
nvd
nvd
CVE-2021-39002
2021-12-09 17:15:07
CVE-2021-38926
2021-12-09 17:15:07
CVE-2021-38931
2021-12-09 17:15:07

EPSS

0.001

Percentile

46.4%

JSON
Related for 7BC47A37CB063B866958DEDF63C8A2C39EEA14B3F2C2DF994F5D5314EDEE59C3
ibm22nessus8prion5cve5cnvd5cvelist5nvd5