IBMB2E591E5ED5ABE4C60A5F4856AF04C0299F9839E9526D3F3660DADBBE5A36A24Security Bulletin: Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-43930, CVE-2014-3577, CVE-2022-43927, CVE-2022-43929)
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.004 Low
EPSS
Percentile
74.9%
Summary
IBM Db2 is shipped as a component of IBM Security Key Lifecycle Manager (SKLM/GKLM). Information about multiple security vulnerabilities affecting IBM Db2 has been published in a security bulletin.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Products and Versions
Principal Product and Version(s)
| Affected Supporting Product and Version
—|—
IBM Security Key Lifecycle Manager (SKLM) v3.0 | IBM Db2 11.1
IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | IBM Db2 11.1
IBM Security Key Lifecycle Manager (SKLM) v4.0 | IBM Db2 11.1
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | IBM Db2 11.5
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | IBM Db2 11.5
Remediation/Fixes
- IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) [Only Windows]
| Principal Product and Version(s) | Remediation/ Fixes |
|---|---|
| IBM Security Key Lifecycle Manager (SKLM) v3.0 | Windows |
| IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | Windows |
| IBM Security Key Lifecycle Manager (SKLM) v4.0 | Windows |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | Windows |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | Windows |
Please consult following security bulletins from IBM Db2 for more detail:
IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be
included in a log file. (CVE-2022-43930)
- IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577)
| Principal Product and Version(s) | Remediation/ Fixes |
|---|---|
| IBM Security Key Lifecycle Manager (SKLM) v3.0 | Not affected |
| IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | Not affected |
| IBM Security Key Lifecycle Manager (SKLM) v4.0 | Not affected |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | Not affected |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | Not affected |
Please consult following security bulletins from IBM Db2 for more detail:
IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577)
- IBM® Db2® is vulnerable to an information disclosure vulnerability due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927)
| Principal Product and Version(s) | Remediation/ Fixes |
|---|---|
| IBM Security Key Lifecycle Manager (SKLM) v3.0 | |
| AIX | |
| Linux | |
| Windows | |
| IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | |
| IBM Security Key Lifecycle Manager (SKLM) v4.0 | |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | AIX |
| Linux | |
| Windows | |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 |
Please consult following security bulletins from IBM Db2 for more detail:
- IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted ‘Load’ command. (CVE-2022-43929)
| Principal Product and Version(s) | Remediation/ Fixes |
|---|---|
| IBM Security Key Lifecycle Manager (SKLM) v3.0 | Not affected |
| IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | Not affected |
| IBM Security Key Lifecycle Manager (SKLM) v4.0 | Not affected |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | Not affected |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | Not affected |
Please consult following security bulletins from IBM Db2 for more detail:
Workarounds and Mitigations
None
Affected configurations
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.004 Low
EPSS
Percentile
74.9%