Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMAF9D8CDAB04D4941DD93AC22CF1D3AC19622A3D58ED78F4B3E896A3705E98BBA
HistoryJan 08, 2024 - 2:00 p.m.

Security Bulletin: IBM® Db2® Federated is affected by a vulnerability in the consumed open source presto-jdbc library that may lead to information disclosure

2024-01-0814:00:09
www.ibm.com
17
ibm db2
federated
open source presto-jdbc
vulnerability
information disclosure
fixpack
download url
security bulletin

5.8 Medium

AI Score

Confidence

High

JSON

Summary

IBM® Db2® Federated is affected by a vulnerability in the consumed open source presto-jdbc library that may lead to information disclosure.

Vulnerability Details

**IBM X-Force ID:**268195
**DESCRIPTION:**Presto is vulnerable to server-side request forgery, caused by improper validating the nextUri parameter. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to obtain sensitive information and perform local port scan.
CVSS Base score: 7.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s) Applicable Editions
IBM® Db2®

11.5.9

|

Client

All platforms are affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V11.5.9. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Release Fixed in fix pack APAR Download URL
V11.5 TBD DT256815

11.5.0 and 11.5.8 are not affected.

Special Build for V11.5.9:

AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Windows 32-bit, x86
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Workarounds and Mitigations

On Linux and Unix systems, if you are not using Federation wrappers, you can remove the presto-jdbc jar file.

You can check if the jar file can be safely removed by running

SELECT SETTING FROM SYSIBM.SYSSERVEROPTIONS WHERE OPTION = ‘DRIVER_PACKAGE’;

If the presto-jdbc jar file is not listed in the result, you can remove the file.

Affected configurations

Vulners
Node
ibmdb2Match11.5unix
CPENameOperatorVersion
db2 for linux, unix and windowseq11.5

5.8 Medium

AI Score

Confidence

High

JSON