History: Apr 19, 2024 - 8:11 p.m.

Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse® on Cloud Pak for Data

2024-04-19 20:11:51
www.ibm.com
ibm db2
cloud pak for data
directory traversal
weaker security
sensitive information exposure
elevated privileges

CVSS3: 9.8 High
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8 High (Confidence: High)

CVSS2: 7.5 High
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.008 Low (Percentile: 81.6%)

Summary

IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID: CVE-2023-45283
**DESCRIPTION:** Golang Go could allow a remote attacker to traverse directories on the system, caused by the failure to recognize paths with a \??\ prefix as a Root Local Device path prefix in the filepath and safefilepath package. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2023-45284
**DESCRIPTION:** Golang Go could provide weaker than expected security, caused by the failure to correctly detect reserved device names in some cases by the IsLocal function in the filepath package. An attacker could exploit this vulnerability to report “COM1”, and reserved names “COM” and “LPT” followed by superscript 1, 2, or 3 as local.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-45285
**DESCRIPTION:** Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when using go get to fetch a module with the “.git” suffix. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information from the insecure “git://” protocol, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273323 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-39326
**DESCRIPTION:** Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the net/http package. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to read many more bytes from the network than are in the body, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273322 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-43816
**DESCRIPTION:** containerd could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the backing container runtime interface (CRI) implementation. By sending a specially-crafted relabel request to match the container process label through the use of specially-configured bind mounts in a hostPath volume, an authenticated attacker could exploit this vulnerability to gain elevated privileges for the container, granting full read/write access over the affected files and directories.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216854 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2023-25153
**DESCRIPTION:** containerd is vulnerable to a denial of service, caused by a memory exhaustion flaw when importing an OCI image. By using a specially-crafted image with a large file, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247777 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-25173
**DESCRIPTION:** containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary groups inside a container. By sending a specially-crafted request using supplementary group access, an attacker could exploit this vulnerability to bypass primary group restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247778 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2021-41103
**DESCRIPTION:** containerd could allow a local authenticated attacker to traverse directories on the system, caused by improper restricted permissions on container root and plugin directories. An attacker could send a specially-crafted request containing “dot dot” sequences (/../) to view directory contents and execute programs.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2021-32760
**DESCRIPTION:** Containerd could allow a remote attacker to gain elevated privileges on the system, caused by improper file permissions. By pulling and extracting a specially-crafted container image, an attacker could exploit this vulnerability to perform Unix file permission changes for existing files in the host’s filesystem.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205942 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-23471
**DESCRIPTION:** containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to exhaust memory on the host, resulting in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-23648
**DESCRIPTION:** containerd could allow a remote attacker to obtain sensitive information, caused by a flaw in the CRI implementation. By using a specially-crafted image configuration, an attacker could exploit this vulnerability to access read-only copies of arbitrary files and directories on the host system, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220823 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-31030
**DESCRIPTION:** containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request using the ExecSync API, a local authenticated attacker could exploit this vulnerability to cause containerd to consume all available memory on the computer, resulting in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228282 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-42969
**DESCRIPTION:** pytest-dev py is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the InfoSvnCommand argument. By sending specially-crafted regex info data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-26136
**DESCRIPTION:** Salesforce tough-cookie could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a \_\_proto\_\_ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2023-2253
**DESCRIPTION:** Distribution is vulnerable to a denial of service, caused by improper input validation by the /v2/_catalog endpoint. By sending a specially crafted /v2/_catalog API endpoint request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254846 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-11468
**DESCRIPTION:** Docker Registry is vulnerable to a denial of service, caused by the failure to restrict content sizes. An attacker could exploit this vulnerability to cause memory consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/129343 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-26159
**DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2023-29827
**DESCRIPTION:** Node.js ejs module could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a server-side template injection flaw. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-28155
**DESCRIPTION:** Node.js Request module is vulnerable to server-side request forgery, caused by a cross-protocol redirect bypass flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2023-27561
**DESCRIPTION:** Open Container Initiative runc could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper access control in libcontainer/rootfs_linux.go. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to run custom images.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249173 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-43784
**DESCRIPTION:** Open Container Initiative runc could allow a remote authenticated attacker to bypass security restrictions, caused by an integer overflow in the netlink bytemsg length field. By sending a specially-crafted request, an attacker could exploit this vulnerability to override netlink-based container configuration to disable namespace protections entirely.
CVSS Base score: 6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214558 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)

CVEID: CVE-2023-25809
**DESCRIPTION:** runc is vulnerable to a denial of service, caused by improper access control in the /sys/fs/cgroup endpoint. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 2.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251498 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L)

CVEID: CVE-2023-28642
**DESCRIPTION:** runc could allow a remote attacker to bypass security restrictions, caused by a symbolic link following vulnerability. By creating a symbolic link inside a container to the /proc directory, an attacker could exploit this vulnerability to bypass AppArmor and SELinux protections.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251539 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

CVEID: CVE-2022-29162
**DESCRIPTION:** Open Container Initiative runc could allow a local attacker to gain elevated privileges on the system, caused by an issue with runc exec --cap executed processes with non-empty inheritable Linux process capabilities. By executing specially-crafted programs, an attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226393 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-28840
**DESCRIPTION:** Moby is vulnerable to a denial of service, caused by an unprotected alternate channel within encrypted overlay networks. By sending a specially crafted request to inject arbitrary Ethernet frames into the encrypted overlay network, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251927 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L)

CVEID: CVE-2023-28841
**DESCRIPTION:** Moby could allow a remote attacker to obtain sensitive information, caused by missing encryption of sensitive data within the overlay network driver. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2023-28842
**DESCRIPTION:** Moby could allow a remote attacker to bypass security restrictions, caused by an unprotected alternate channel within encrypted overlay networks. By sending a specially crafted request, an attacker could exploit this vulnerability to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s): IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data
Version(s):
v3.5 through refresh 10
v4.0 through refresh 9
v4.5 through refresh 3
v4.6 through refresh 6
v4.7 through refresh 4
v4.8 through refresh 3

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. These builds are available based on the most recent refresh level of the Cloud Pak for Data v4.8 release. They can be applied to any affected fixpack and refresh level of the appropriate release. Please note: It is strongly recommended to upgrade to Cloud Pak for Data 4.8.4.

Product: IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data
Fixed in Fix Pack: v4.8.4
Instructions:

Db2 Warehouse: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=warehouse-upgrading>

Db2: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=db2-upgrading>

Workarounds and Mitigations

None
