History: Apr 08, 2021 - 8:59 p.m.

Security Bulletin: InfoSphere BigInsights is affected by multiple IBM DB2 advisories (CVE-2014-8910, CVE-2015-1883, CVE-2015-1922, CVE-2015-1935).

2021-04-08 20:59:42
www.ibm.com
7

8 High (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: COMPLETE
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:C

Summary

Security Bulletin: InfoSphere BigInsights is affected by multiple IBM DB2 advisories (CVE-2014-8910, CVE-2015-1883, CVE-2015-1922, CVE-2015-1935). The vulnerabilities exist in the Big SQL server component included in BigInsights.

Vulnerability Details

CVEID: CVE-2014-8910
DESCRIPTION: IBM DB2 contains a file disclosure vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted XML statement to view text files owned by the DB2 instance owner.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99251 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-1883
DESCRIPTION: IBM DB2 contains a file disclosure vulnerability. A remote, authenticated DB2 user with elevated privilege could exploit this vulnerability by manipulating an auto maintenance policies stored procedure to view any files owned by the DB2 fenced user on Unix/Linux or Windows administrator on Windows.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101239 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-1922
DESCRIPTION: IBM DB2 contains an illegal data access vulnerability. The DB2 Data Movement feature does not perform sufficient privilege checking, which allows a user with elevated privilege to delete rows from a table.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-1935
DESCRIPTION: IBM DB2 LUW contains a denial of service vulnerability in a scalar function that may cause the DB2 server to terminate abnormally.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102979 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Affected Products and Versions

IBM InfoSphere BigInsights: 3.0, 3.0.0.1, 3.0.0.2, 4.0, 4.1

Remediation/Fixes

For all the affected versions, apply the interim fix available from Fix Central.
