May 06, 2022 - 7:17 p.m.

Security Bulletin: Multiple vulnerabilities found in Db2® affect IBM Cloud Pak System Software and Cloud Pak System Software Suite

www.ibm.com
ibm cloud pak system
db2 vulnerabilities
cloud pak v2.3.3.4
ibm x-force

CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

CVSS3: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

EPSS: 0.002 (Percentile: 52.0%)

Summary

IBM Db2® is shipped with IBM Cloud Pak System Software and Cloud Pak System Software Suite. IBM Db2 is a component of Platform System Manager and of the Db2 pattern type (pType). Multiple vulnerabilities have been found in Db2® that affect Cloud Pak System Software and Cloud Pak System Software Suite. In response, IBM Cloud Pak System has released a fix in Cloud Pak System v2.3.3.4, which updates Db2 to v11.5.7 and adds support for Db2 Advanced Edition.

Vulnerability Details

CVEID: CVE-2020-4976
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. IBM X-Force ID: 192469.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-29752
**DESCRIPTION:** IBM Db2 11.2 and 11.5 contains an information disclosure vulnerability, exposing remote storage credentials to privileged users under specific conditions. IBM X-Force ID: 201780.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201780 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2021-29763
**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5, under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory and cause a denial of service. IBM X-Force ID: 202267.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202267 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-29825
**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. IBM X-Force ID: 204470.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204470 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2020-5024
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due to a hang in the SSL handshake response. IBM X-Force ID: 193660.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-5025
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 193661.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193661 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-29777
**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5, under the specific circumstance of a table being dropped while being accessed in another session, could allow an authenticated user to cause a denial of service. IBM X-Force ID: 203031.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203031 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-20579
**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user who can create a view or inline SQL function to obtain sensitive information when AUTO_REVAL is set to DEFERRED_FORCE. IBM X-Force ID: 199283.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2021-29703
**DESCRIPTION:** Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted SELECT statement. IBM X-Force ID: 200659.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200659 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4885
**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link. IBM X-Force ID: 190909.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190909 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2020-4945
**DESCRIPTION:** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to overwrite arbitrary files due to improper group permissions. IBM X-Force ID: 191945.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191945 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

| Main Product(s) Version(s) | Affected Supporting Product version(s) |
|---|---|
| IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite V2.3.2.0, V2.3.3.0, V2.3.3.1, V2.3.3.2, V2.3.3.3 | IBM Db2 LUW V11.5 |
| IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite V2.3.0.1, V2.3.1.1 | IBM Db2 LUW V11.1 - Notice: Db2 Linux, Unix, and Windows, and Db2 Connect v11.1 is end of support by April 30, 2022 as per IBM Withdrawal Announcement 920-049. |

Remediation/Fixes

For all minor release versions that are end of support, and for unsupported releases, the recommendation is to upgrade to the latest fixed release.

Multiple vulnerabilities have been identified in DB2, which is shipped with Cloud Pak System components. IBM Cloud Pak System has released a fix with IBM Cloud Pak System Software v2.3.3.4, which updates DB2 in Platform System Manager and pType 1.2.17 to DB2 v11.5.7. Additionally, IBM Cloud Pak System v2.3.3.4 ships with support for DB2 Advanced Edition.

Consult the following security bulletins for IBM Db2 for vulnerability details and information about fixes.

Security: IBM® Db2® is vulnerable to a denial of service (CVE-2020-5024)
<https://www.ibm.com/support/pages/node/6427861>

Security: IBM® Db2® db2fm is vulnerable to a buffer overflow (CVE-2020-5025)
<https://www.ibm.com/support/pages/node/6427855>

Security: Under special circumstances, Db2 is vulnerable to a denial of service during drop table (CVE-2021-29777)
<https://www.ibm.com/support/pages/node/6466373>

Security: IBM® Db2® is vulnerable to an information disclosure (CVE-2021-20579)
<https://www.ibm.com/support/pages/node/6466369>

Security: IBM® Db2® is vulnerable to a denial of service as the server terminates abnormally when executing a specially crafted SELECT statement. (CVE-2021-29703)
<https://www.ibm.com/support/pages/node/6466371>

Security: Multiple vulnerabilities in dependent libraries affect IBM® Db2® leading to denial of service or privilege escalation.
<https://www.ibm.com/support/pages/node/6466365>

Security: IBM® Db2® could allow a local user to access and change the configuration of DB2 due to a race condition via a symbolic link. (CVE-2020-4885)
<https://www.ibm.com/support/pages/node/6466363>

Security: IBM® Db2® could allow an authenticated user to overwrite arbitrary files due to improper group permissions. (CVE-2020-4945)
<https://www.ibm.com/support/pages/node/6466367>

Security: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976)
<https://www.ibm.com/support/pages/node/6489495>

Security: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions. (CVE-2021-29752)
<https://www.ibm.com/support/pages/node/6489489>

Security: IBM® Db2® under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory and cause a denial of service. (CVE-2021-29763)
<https://www.ibm.com/support/pages/node/6489493>

Security: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825)
<https://www.ibm.com/support/pages/node/6489499>

The fix requires minimum fix pack level Cloud Pak System v.2.3.3.0 and Db2 v.11.5.0.0.

For Cloud Pak System V2.3.0.1, V2.3.1.1, V2.3.2.0

Upgrade to minimal fix pack levels as required by the fix and then apply the fix.

For Cloud Pak System V.2.3.3.0, V.2.3.3.1, V.2.3.3.2, V2.3.3.3, V2.3.3.3 interim Fix1:

  • Upgrade to IBM Cloud Pak System V.2.3.3.4 Platform System Manager update to DB2 v11.5.7.

Information on upgrading is available here: http://www.ibm.com/support/docview.wss?uid=ibm10887959

Workarounds and Mitigations

None

Affected configurations

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | cloud_pak_system | 2.3 | cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:* |
