History: Aug 11, 2021 - 5:40 p.m.

Security Bulletin: Multiple security vulnerabilities have been identified in IBM DB2 shipped with IBM Maximo Asset Management (CVE-2021-20579, CVE-2020-4945, CVE-2021-29777, CVE-2020-4885, CVE-2021-29703)

2021-08-11 17:40:08
www.ibm.com

EPSS: 0.002 (Low), Percentile: 51.8%

Summary

IBM DB2 is shipped as a component of IBM Maximo Asset Management. Information about the security vulnerability affecting IBM DB2 has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product. Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

Maximo Asset Management core product versions affected:

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Maximo Asset Management | 7.6.0.x |
| IBM Maximo Asset Management | 7.6.1.x |

  • To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version.

Please consult the Product Coexistence Matrix for a list of supported product combinations.

Remediation/Fixes

Please consult the following security bulletin for vulnerability details and information about fixes:

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted SELECT statement. (CVE-2021-29703)

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579)

Security Bulletin: Under special circumstances, Db2 is vulnerable to a denial of service during drop table (CVE-2021-29777)

Security Bulletin: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885)

Security Bulletin: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945)

Workarounds and Mitigations

None
