IBM® Db2® Federated is affected by a vulnerability in the consumed open source presto-jdbc library that may lead to information disclosure.
**IBM X-Force ID:**268195
**DESCRIPTION:**Presto is vulnerable to server-side request forgery, caused by improper validating the nextUri parameter. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to obtain sensitive information and perform local port scan.
CVSS Base score: 7.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
Affected Product(s) | Version(s) | Applicable Editions |
---|---|---|
IBM® Db2® |
11.5.9
|
Client
All platforms are affected.
Customers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V11.5.9. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.
Release | Fixed in fix pack | APAR | Download URL |
---|---|---|---|
V11.5 | TBD | DT256815 |
11.5.0 and 11.5.8 are not affected.
Special Build for V11.5.9:
AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Windows 32-bit, x86
Windows 64-bit, x86
IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.
On Linux and Unix systems, if you are not using Federation wrappers, you can remove the presto-jdbc jar file.
You can check if the jar file can be safely removed by running
SELECT SETTING FROM SYSIBM.SYSSERVEROPTIONS WHERE OPTION = ‘DRIVER_PACKAGE’;
If the presto-jdbc jar file is not listed in the result, you can remove the file.
CPE | Name | Operator | Version |
---|---|---|---|
db2 for linux, unix and windows | eq | 11.5 |