IBMDA83455908E4D9CD54178057885C06975C6754D3776949CDE7E241DD630C92FFSecurity Bulletin: IBM Informix JDBC Driver Is Vulnerable to Remote Code Execution (CVE-2023-27866)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.5%
Summary
IBM Informix JDBC Driver is susceptible to remote code execution attack. This vulnerability is addressed.
Vulnerability Details
CVEID:CVE-2023-27866
**DESCRIPTION:**IBM Informix JDBC Driver is susceptible to remote code execution attack via JNDI injection when driver code or the application using the driver do not verify supplied LDAP URL in Connect String.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249511 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Informix JDBC | 4.10.x |
| Informix JDBC | 4.50.x |
Remediation/Fixes
Customers running any vulnerable fixpack level of an affected Program can download a fix from Fix Central.
- Update to Informix JDBC 4.50.10
- Update to Informix JDBC.4.10.JC16
Visit the following URL -
https://www.ibm.com/resources/mrs/assets?source=ifxids
Workarounds and Mitigations
None.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| informix tools | eq | 4.10. | |
| informix tools | eq | 4.50. | |
| informix tools | eq | 4.50 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.5%