Security Bulletin: Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1434, CVE-2017-1438, CVE-2017-1439, CVE-2017-1451, CVE-2017-1452)

2018-06-17 15:49:27
www.ibm.com

EPSS: 0.0004 (Low), percentile 5.1%

Summary

IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by multiple IBM DB2 vulnerabilities that could allow exposure of sensitive information to the local user or elevation of privileges.

Vulnerability Details

**CVEID:** CVE-2017-1434
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server), under unusual circumstances, could expose highly sensitive information in the error log to a local user.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127806 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2017-1438
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-1439
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128058 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-1451
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128178 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-1452
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user to obtain elevated privilege and overwrite DB2 files.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128180 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

These vulnerabilities affect the following IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels:

  • 8.1.0.0 through 8.1.3.x
  • 7.1.0.0 through 7.1.8.x
  • 6.3 and below, all levels (these releases are EOS). Note that 6.4 shipped with 6.3 servers.


Remediation/Fixes

| IBM Spectrum Protect (Tivoli Storage Manager) Server Release | First Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 8.1 | 8.1.4 | AIX, Linux, Windows | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/ (Note: 8.1.5 also contains the fix and may be used.) |
| 7.1 | 7.1.9 | AIX, HP-UX, Linux, Solaris, Windows | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/ |
| 6.3 and below | | | 6.3 and below are EOS. Customers on these releases can upgrade the server to a fixed level (8.1.4 or 7.1.9). Note that 6.4 shipped with 6.3 servers. |

Workarounds and Mitigations

None
