IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components.
CVEID: CVE-2022-37599
**DESCRIPTION:** loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-37601
**DESCRIPTION:** webpack loader-utils could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parseQuery function in parseQuery.js. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238763 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-37603
**DESCRIPTION:** webpack loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName function in interpolateName.js. By sending a specially-crafted regex input using the url variable, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238766 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
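As an added example (not loader-utils' or IBM's code) of the prototype-pollution pattern described for CVE-2022-37601: a hypothetical, simplified loader query parser that merges a `__proto__` or `constructor` key path into Object.prototype, beside a hardened version that uses null-prototype objects and rejects those segments. The dotted-key syntax, the payload and all function names are assumptions made here.

```javascript
// Added illustration, not loader-utils' own code: a hypothetical, simplified
// loader query parser ("?a.b=1&c=2" -> nested object), vulnerable and hardened.
// Dotted key paths are an assumption made here so a key can reach the prototype.
function splitPairs(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const [k, v = "true"] = pair.split("=");
    return [decodeURIComponent(k).split("."), decodeURIComponent(v)];
  });
}
// Vulnerable: a path starting with "__proto__" (or "constructor.prototype") walks
// onto Object.prototype, so the value lands on every object in the process.
function parseQueryUnsafe(query) {
  const result = {};
  for (const [path, value] of splitPairs(query)) {
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (cur[seg] === undefined) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}
// Hardened: null-prototype containers (no chain to walk onto) plus an explicit
// deny-list on path segments, so such input is rejected loudly instead of merged.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [path, value] of splitPairs(query)) {
    const bad = path.find((seg) => FORBIDDEN.has(seg));
    if (bad !== undefined) throw new Error(`rejected unsafe key segment "${bad}"`);
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, seg)) cur[seg] = Object.create(null);
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}
// Runs both parsers on a constructed payload and restores Object.prototype afterwards.
function demonstrate() {
  const payload = "?__proto__.polluted=yes&name=app";
  parseQueryUnsafe(payload);
  const unsafePolluted = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  let safeRejected = false;
  try { parseQuerySafe(payload); } catch (e) { safeRejected = true; }
  return { unsafePolluted, safeRejected, cleanAfter: ({}).polluted === undefined };
}
```

The same deny-list check is also a cheap detection point: log and drop any loader query whose decoded key segments contain `__proto__`, `constructor` or `prototype` before it reaches a merge routine.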
All platforms of the following IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data refresh levels are affected:
Release | Version |
---|---|
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v3.5 through refresh 10 |
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v4.0 through refresh 9 |
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v4.5 through refresh 3 |
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v4.6 through refresh 1 |
IBM strongly recommends addressing these vulnerabilities now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. The fix can be applied to any affected fix pack and refresh level of the appropriate release.
Product | Fixed in Fix Pack | Instructions |
---|---|---|
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v4.6.2 | Db2 Warehouse: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=warehouse-upgrading ; Db2: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=db2-upgrading |
Workarounds and Mitigations: None