Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMBC4C83E9DE85A093DE4FFB38A17CC37C8F8A47F066E137D4F56A945A4570878B
HistoryDec 20, 2023 - 8:15 p.m.

Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the consumed PCRE library.

2023-12-2020:15:48
www.ibm.com
16
ibm db2
pcre library
vulnerabilities
buffer overflow
execute arbitrary code

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.059 Low

EPSS

Percentile

93.5%

JSON

Summary

IBM® Db2® is affected by multiple vulnerabilities in the consumed PCRE library.

Vulnerability Details

CVEID:CVE-2015-8383
**DESCRIPTION:**PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of certain repeated conditional groups. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108464 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8381
**DESCRIPTION:**PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of patterns with certain group references by the compile_regex function. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108466 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8386
**DESCRIPTION:**PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of the interaction of lookbehind assertions and mutually recursive subpatterns. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8388
**DESCRIPTION:**PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling ofpattern and related patterns with an unmatched closing parenthesis. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8385
**DESCRIPTION:**PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of pattern and related patterns with certain forward references. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8387
**DESCRIPTION:**PCRE could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow when subroutine calls are mishandled. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8391
**DESCRIPTION:**PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of certain nesting by the pcre_compile function. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108456 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8390
**DESCRIPTION:**PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of substrings in character classes. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108457 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8393
**DESCRIPTION:**PCRE could allow a remote attacker to obtain sensitive information, caused by the mishandling of the -q option for binary files by pcregrep. An attacker could exploit this vulnerability using a specially crafted file to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108454 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2015-8395
**DESCRIPTION:**PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of certain references. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108452 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8394
**DESCRIPTION:**PCRE could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of digits. An attacker could exploit this vulnerability using a specially crafted regular expression to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108453 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-2328
**DESCRIPTION:**PCRE is vulnerable to a denial of service, caused by the improper handling of patterns with certain internal recursive back references. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/109276 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2015-2327
**DESCRIPTION:**PCRE is vulnerable to a denial of service, caused by the improper handling of patterns with certain recursion. A remote attacker could exploit this vulnerability using a specially crafted regular expression to cause a segmentation fault.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/109275 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-14155
**DESCRIPTION:**PCRE could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in libpcre. By sending a request with a large number, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183499 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-8392
**DESCRIPTION:**PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of certain instances of the (?| substring. By using a specially crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/108455 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s) Applicable Editions
IBM® Db2®

10.5.0.x

|

Client and Server

IBM® Db2®|

11.1.4.x

| Client and Server
IBM® Db2®|

11.5.x

| Client and Server

Linux, Unix platforms are affected. Windows platform is not affected.
Earlier releases (10.1, 9.7 etc.) may also be affected, but they are no longer supported.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Release Fixed in fix pack APAR Download URL
V10.5 TBD DT242834

Special Build for V10.5 FP11:

AIX 64-bit
HP-UX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ big endian
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Solaris 64-bit, SPARC
Solaris 64-bit, x86-64

V11.1| TBD| DT242834|

Special Build for V11.1.4 FP7:

AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Solaris 64-bit, SPARC

V11.5| TBD| DT242834|

Special Build for V11.5.0:

AIX 64-bit (for OS7.1)

Special Build for V11.5.8:

AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®

V11.5.9:
<https://www.ibm.com/support/pages/node/7071342&gt;

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdb2Match11.5unix
OR
ibmdb2Match11.1unix
OR
ibmdb2Match10.5unix

Related

nessus 42
ibm 15
openwrt 1
fedora 3
f5 4
freebsd 1
symantec 1
gentoo 1
ubuntu 1
openvas 21
redhat 1
rosalinux 1
centos 1
oraclelinux 1
amazon 5
debiancve 15
prion 16
nvd 15
cve 15
cvelist 15
ubuntucve 12
veracode 8
cbl_mariner 1
alpinelinux 1
redhatcve 1
osv 1
nessus
nessus
PHP 5.6.x < 5.6.18 Multiple Vulnerabilities
2019-01-09 00:00:00
Fedora 22 : pcre-8.38-1.fc22 (2015-eb896290d3)
2016-03-04 00:00:00
Tenable SecurityCenter < 5.3.0 Multiple Vulnerabilities (TNS-2016-04)
2016-09-06 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities with the open source Perl Compatible Regular Expression (PCRE) libraries used in IBM Aspera Shares Application
2018-06-15 07:08:32
Security Bulletin: Multiple vulnerabilities Perl Compatible Regular Expression (PCRE) libraries - IBM Aspera Shares Application
2019-07-10 10:10:01
Security Bulletin:Multiple vulnerabilities in PCRE affect IBM Tivoli Network Manager IP Edition.
2018-06-17 15:15:49
openwrt
openwrt
pcre: Security update (18 CVEs)
2016-01-28 12:40:02
fedora
fedora
[SECURITY] Fedora 22 Update: pcre-8.38-1.fc22
2016-01-04 19:59:47
[SECURITY] Fedora 22 Update: mingw-pcre-8.38-1.fc22
2016-02-17 04:25:54
[SECURITY] Fedora 23 Update: mingw-pcre-8.38-1.fc23
2016-02-17 04:01:55
f5
f5
SOL20225390 - Multiple PCRE vulnerabilities
2016-02-04 00:00:00
K20225390 : Multiple PCRE vulnerabilities
2016-02-04 00:00:00
K05428062 : pcregrep in PCRE vulnerability CVE-2015-8393
2016-02-08 00:00:00
freebsd
freebsd
php -- multiple vulnerabilities
2016-02-04 00:00:00
symantec
symantec
SA128 : Multiple PCRE Vulnerabilities
2016-07-07 08:00:00
gentoo
gentoo
libpcre: Multiple Vulnerabilities
2016-07-09 00:00:00
ubuntu
ubuntu
PCRE vulnerabilities
2016-03-29 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for pcre (EulerOS-SA-2019-1558)
2020-01-23 00:00:00
Ubuntu: Security Advisory (USN-2943-1)
2016-04-11 00:00:00
SUSE: Security Advisory (SUSE-SU-2016:3161-1)
2021-04-19 00:00:00
redhat
redhat
(RHSA-2016:1025) Important: pcre security update
2016-05-11 11:17:05
rosalinux
rosalinux
Advisory ROSA-SA-2021-1947
2021-07-02 17:40:57
centos
centos
pcre security update
2016-05-13 00:44:08
oraclelinux
oraclelinux
pcre security update
2016-05-11 00:00:00
amazon
amazon
Medium: pcre
2023-06-05 16:39:00
Medium: glib2
2023-06-21 19:11:00
Medium: glib2
2023-06-21 19:11:00
debiancve
debiancve
CVE-2015-8395
2015-12-02 01:59:19
CVE-2015-8384
2015-12-02 01:59:08
CVE-2015-8392
2015-12-02 01:59:16
prion
prion
Buffer overflow
2015-12-02 01:59:00
Buffer overflow
2015-12-02 01:59:00
Design/Logic Flaw
2015-12-02 01:59:00
nvd
nvd
CVE-2015-8392
2015-12-02 01:59:16
CVE-2015-8384
2015-12-02 01:59:08
CVE-2015-8395
2015-12-02 01:59:19
cve
cve
CVE-2015-8395
2015-12-02 01:59:19
CVE-2015-8384
2015-12-02 01:59:08
CVE-2015-8392
2015-12-02 01:59:16
cvelist
cvelist
CVE-2015-8384
2015-12-02 01:00:00
CVE-2015-8392
2015-12-02 01:00:00
CVE-2015-8395
2015-12-02 01:00:00
ubuntucve
ubuntucve
CVE-2015-8392
2015-12-01 00:00:00
CVE-2015-8395
2015-12-01 00:00:00
CVE-2015-8387
2015-12-01 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:34:19
Denial Of Service (DoS)
2019-05-02 05:34:18
Denial Of Service (DoS)
2019-05-02 05:34:19
cbl_mariner
cbl_mariner
CVE-2020-14155 affecting package pcre 8.42-4
2020-11-30 19:30:42
alpinelinux
alpinelinux
CVE-2020-14155
2020-06-15 17:15:10
redhatcve
redhatcve
CVE-2020-14155
2020-06-18 11:25:08
osv
osv
CVE-2020-14155
2020-06-15 17:15:10

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.059 Low

EPSS

Percentile

93.5%

JSON
Related for BC4C83E9DE85A093DE4FFB38A17CC37C8F8A47F066E137D4F56A945A4570878B
nessus42ibm15openwrt1fedora3f54freebsd1symantec1gentoo1ubuntu1openvas21redhat1rosalinux1centos1oraclelinux1amazon5debiancve15prion16nvd15cve15cvelist15ubuntucve12veracode8cbl_mariner1alpinelinux1redhatcve1osv1