Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

2023-01-30 18:40:51
www.ibm.com

EPSS: 0.007 (Low), percentile 80.0%

Summary

IBM has released the fix below for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in several bundled components.

Vulnerability Details

CVEID: CVE-2022-37599
**DESCRIPTION:** loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-37601
**DESCRIPTION:** webpack loader-utils could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parseQuery function in parseQuery.js. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238763 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-37603
**DESCRIPTION:** webpack loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName function in interpolateName.js. By sending specially-crafted regex input using the url variable, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238766 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
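The CVE-2022-37601 entry describes a query-string parser that can be steered onto Object.prototype through `__proto__` or `constructor` keys. The following is an added example, not IBM's or loader-utils' code, of how a parser of that shape is hardened against the flaw class: null-prototype containers plus rejection of prototype-related path segments, with a runtime check that the global prototype stayed clean. All function names and the sample input are constructed for illustration.

```javascript
// Added example (not IBM's or loader-utils' code): a query-string parser that
// cannot be used to reach Object.prototype. Names are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse "a=1&b.c=2" into nested objects. Two defences against pollution:
//  1. every container is created with Object.create(null), so a key lookup
//     never falls through to a prototype chain;
//  2. any path segment naming a prototype-related key is rejected outright
//     and reported, so the caller can log or alert on the attempt.
function parseQuerySafe(query) {
  const out = Object.create(null);
  const rejected = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const path = decodeURIComponent(rawKey).split('.');
    if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) {
      rejected.push(rawKey);
      continue;
    }
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      // Only descend into containers this parser created itself.
      if (!Object.prototype.hasOwnProperty.call(node, seg) || typeof node[seg] !== 'object') {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return { params: out, rejected };
}

// Runtime integrity check: Object.prototype must have no own enumerable keys.
// A non-empty result after parsing untrusted input indicates pollution.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample input: two ordinary keys and two pollution attempts.
const SAMPLE = 'name=x.js&opts.minify=true&__proto__.polluted=yes&constructor.prototype.p=1';
const result = parseQuerySafe(SAMPLE);
console.log(result.params.name, result.params.opts.minify, result.rejected, prototypeIsClean());
```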

Affected Products and Versions

All platforms of the following IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data refresh levels are affected:

| Release | Version |
| --- | --- |
| IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v3.5 through refresh 10 |
| | v4.0 through refresh 9 |
| | v4.5 through refresh 3 |
| | v4.6 through refresh 1 |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. The fix can be applied to any affected fix pack and refresh level of the appropriate release.

| Product | Fixed in Fix Pack | Instructions |
| --- | --- | --- |
| IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data | v4.6.2 | Db2 Warehouse: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=warehouse-upgrading |
| | | Db2: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=db2-upgrading |

Workarounds and Mitigations

None
