Lucene search

IBMC9E55CB2DDB37C3FA9A1624CECDDE0509E2F2B1793F0D6F552257066E8594505

HistorySep 11, 2020 - 12:42 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Db2 affect IBM Cloud Pak System and IBM Cloud Pak System Software Suite

2020-09-1112:42:50

www.ibm.com

0.002 Low

EPSS

Percentile

52.8%

JSON

Summary

IBM Db2 is shipped as a component of IBM Cloud Pak System and IBM Cloud Pak System Software Suite. Db2 is shipped as a component in Platform System Manager, as DB2 ptype and PureScale. Vulnerabilities have been identified in IBM Db2 and information about fixes are published in security bulletins.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Principal Product and Version(s)	Supporting Product and Version(s)
IBM Cloud Pak System V2.2.5 - V2.2.6	DB2 V10.5, V11.1
IBM Cloud Pak System V2.3.0.1, V2.3.1.1	DB2 V10.5, V11.1
IBM Cloud Pak System V2.3.2.0	DB2 V11.5

Remediation/Fixes

Consult the following security bulletins for IBM Db2 for vulnerability details and information about fixes.

Security: IBM® Db2® is vulnerable to privilege escalation (CVE-2020-4230)
<https://www.ibm.com/support/pages/node/2878809>

Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135)
<https://www.ibm.com/support/pages/node/2876307>

Security: Multiple buffer overflow vulnerabilities exist in IBM® Db2® leading to privilege escalation (CVE-2020-4204)
<https://www.ibm.com/support/pages/node/2875875>

Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200)
<https://www.ibm.com/support/pages/node/2875251>

Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4161)
<https://www.ibm.com/support/pages/node/2874621>

For IBM Cloud Pak System v.2.3.0.1, v.2.3.1.1, v.2.3.2.0

upgrade to IBM Cloud Pak System v2.3.3.0, Platform System Manager provide update to DB2 v11.5 mod0 fp0.

Information on upgrading can be found here:http://www.ibm.com/support/docview.wss?uid=ibm10887959.

Workarounds and Mitigations

Consult table below for CVEs, apply fix to update DB2 fix packs in virtual system database patterns, refer to

<https://www.ibm.com/support/knowledgecenter/SSZQFR_2.3.2.0/iwd/mpt_vsys_db2_fixpack_top.html>

Customers are advised to patch the DB2 instances using ICPS -> Deployed Instance -> Manage -> Operations -> “Apply Fixpack” functionality. Follow the instructions below:

- Download the fixes as per DB2 support documentation and

- Rename and upload special fixes as Fixpacks based on ICPS DB2 fixpack naming convention -> <https://www.ibm.com/support/knowledgecenter/SSCR9A_2.3.1.0/doc/iwd/mpt_vsys_db2_fixpack_upload.html>

- Apply these fixes to from ICPS -> Deployed Instance -> Manage -> Operations -> “Apply Fixpack”

<https://www.ibm.com/support/knowledgecenter/SSCR9A_2.3.1.0/doc/iwd/mpt_vsys_db2_fixpack_apply.html>

_ _

If you are running DB2 PureScale follow the instructions as per documentation below:

For purescale 11.1 <https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.qb.server.doc/doc/t0061542.html>
For purescale 10.5 https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.l…

CVSS

Platform

*DB2 V 10.5

DB2 V 11.1

DB2 V 11.5

—|—|—|—|—

CVE-2020-4230

AIX

Linux

CVE-2020-4135

AIX

Linux

CVE-2020-4204

AIX

Linux

CVE-2020-4200

AIX

Linux

CVE-2020-4161

AIX

Special_39711

Linux

Special_39711

CPENameOperatorVersion
ibm cloud pak systemeq2.2
ibm cloud pak systemeq2.3

CPE	Name	Operator	Version
	ibm cloud pak system	eq	2.2
	ibm cloud pak system	eq	2.3

0.002 Low

EPSS

Percentile

52.8%

JSON

Related for C9E55CB2DDB37C3FA9A1624CECDDE0509E2F2B1793F0D6F552257066E8594505