IBM Db2 is shipped as a component of IBM Cloud Pak System and IBM Cloud Pak System Software Suite. Db2 is shipped as a component in Platform System Manager, as DB2 ptype and PureScale. Vulnerabilities have been identified in IBM Db2, and information about fixes is published in security bulletins.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Principal Product and Version(s) | Supporting Product and Version(s) |
---|---|
IBM Cloud Pak System V2.2.5 - V2.2.6 | DB2 V10.5, V11.1 |
IBM Cloud Pak System V2.3.0.1, V2.3.1.1 | DB2 V10.5, V11.1 |
IBM Cloud Pak System V2.3.2.0 | DB2 V11.5 |
Consult the following security bulletins for IBM Db2 for vulnerability details and information about fixes.
Security: IBM® Db2® is vulnerable to privilege escalation (CVE-2020-4230)
<https://www.ibm.com/support/pages/node/2878809>
Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135)
<https://www.ibm.com/support/pages/node/2876307>
Security: Multiple buffer overflow vulnerabilities exist in IBM® Db2® leading to privilege escalation (CVE-2020-4204)
<https://www.ibm.com/support/pages/node/2875875>
Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200)
<https://www.ibm.com/support/pages/node/2875251>
Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4161)
<https://www.ibm.com/support/pages/node/2874621>
For IBM Cloud Pak System v.2.3.0.1, v.2.3.1.1, v.2.3.2.0:
Upgrade to IBM Cloud Pak System v2.3.3.0; Platform System Manager provides an update to DB2 v11.5 mod0 fp0.
Information on upgrading can be found here: <http://www.ibm.com/support/docview.wss?uid=ibm10887959>.
Consult the table below for CVEs and apply the fix to update DB2 fix packs in virtual system database patterns; refer to
<https://www.ibm.com/support/knowledgecenter/SSZQFR_2.3.2.0/iwd/mpt_vsys_db2_fixpack_top.html>
Customers are advised to patch the DB2 instances using ICPS -> Deployed Instance -> Manage -> Operations -> “Apply Fixpack” functionality. Follow the instructions below:
- Download the fixes as per DB2 support documentation.
- Rename and upload special fixes as Fixpacks based on the ICPS DB2 fixpack naming convention -> <https://www.ibm.com/support/knowledgecenter/SSCR9A_2.3.1.0/doc/iwd/mpt_vsys_db2_fixpack_upload.html>
- Apply these fixes from ICPS -> Deployed Instance -> Manage -> Operations -> “Apply Fixpack”.
If you are running DB2 PureScale, follow the instructions in the documentation below:
For PureScale 11.1: <https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.qb.server.doc/doc/t0061542.html>
For PureScale 10.5: https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.l…
CVSS | Platform | *DB2 V 10.5 | DB2 V 11.1 | DB2 V 11.5 |
---|---|---|---|---|
CVE-2020-4230 | AIX | NA | | |
CVE-2020-4230 | Linux | NA | | |
CVE-2020-4135 | AIX | | | |
CVE-2020-4135 | Linux | | | |
CVE-2020-4204 | AIX | | | |
CVE-2020-4204 | Linux | | | |
CVE-2020-4200 | AIX | | | |
CVE-2020-4200 | Linux | | | |
CVE-2020-4161 | AIX | NA | NA | |
CVE-2020-4161 | Linux | NA | NA | |
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud pak system | eq | 2.2 | |
ibm cloud pak system | eq | 2.3 |