Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME4BB1C9864E55C3788F8468CF0650AF9A1C7F22B51FCC15A54CBB981D2F9E368
HistoryJun 28, 2019 - 10:00 p.m.

Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server

2019-06-2822:00:01
www.ibm.com
11

0.001 Low

EPSS

Percentile

21.2%

JSON

Summary

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by multiple IBM Db2 vulnerabilities that could allow local users to overwrite files owned by the Db2 instance owner, execution of arbitrary code on the system, or an elevation of privileges.
UPDATED 1/16/2019: Changed “Affected Products and Versions” and “Remediation/Fixes”.
UPDATED 2/25/2019: Added 8.1.7 fix to Remediation/Fixes
UPDATED 6/28/2019: Added 7.1 fix

Vulnerability Details

CVEID: CVE-2018-1452 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140047.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140047&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2018-1451 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140046.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140046&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2018-1449 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140044.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140044&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2018-1450 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-ForceID: 140045.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140045&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2018-1459 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to stack based buffer overflow, caused by improper bounds checking which could lead an attacker to execute arbitrary code. IBM X-Force ID: 140210.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140210&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1565 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to overflow a buffer which may result in a privilege scalation to the DB2 instance owner. IBM X-Force ID: 143022.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143022&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1515 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 and 11.1, under specific or unusual conditions, could allow a local user to overflow a buffer which may result in a privilege scalation to the DB2 instance owner. IBM X-Force ID: 141624.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141624&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1488 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-Force ID: 140973.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140973&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1544 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to overflow a buffer which may result in a privilege scalation to the DB2 instance owner. IBM X-Force ID: 142648.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142648&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1566 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to execute arbitrary code due to a format string error. IBM X-Force ID: 143023.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143023&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1487 DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5 and 11.1 binaries load shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. IBM X-Force ID: 140972.
CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140972&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

These vulnerabilities affect the following IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels:

  • 8.1.0.0 through 8.1.6.0 (all CVEs except CVE-2018-1487 and CVE-2018-1566)
    8.1.0.0 through 8.1.6.100 (CVE-2018-1487 and CVE-1566)
  • 7.1.0.0 through 7.1.9.200

Remediation/Fixes

IBM Spectrum Protect
Server Release | First Fixing
VRM Level | Platform | Link to Fix
—|—|—|—
8.1 | 8.1.6.100 | AIX
Linux
Windows |

8.1.6.100 fixes all CVEs EXCEPT CVE-2018-1487 and CVE-2018-1566. 8.1.6.100 is available using the following link:

<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/server/&gt;

8.1

|

8.1.7

| AIX
Linux
Windows |

<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/&gt;

7.1

|

7.1.9.300

|

AIX
HP-UX
Linux

Solaris

Windows

|

<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/server/&gt;

Workarounds and Mitigations

None

Related

ibm 9
nvd 11
cve 11
cvelist 11
prion 11
freebsd 1
nessus 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product
2018-08-29 23:25:25
Security Bulletin: IBM® Db2® is affected by multiple file overwrite vulnerabilities (CVE-2018-1450, CVE-2018-1449, CVE-2018-1451, CVE-2018-1452)
2018-07-11 18:55:57
Security Bulletin: Multiple vulnerabilities affect db2exmig and db2exfmt tools shipped with IBM® Db2® (CVE-2018-1544, CVE-2018-1565)
2018-07-11 17:25:03
nvd
nvd
CVE-2018-1566
2018-07-10 16:29:00
CVE-2018-1450
2018-05-25 14:29:00
CVE-2018-1565
2018-05-25 14:29:00
cve
cve
CVE-2018-1450
2018-05-25 14:29:00
CVE-2018-1566
2018-07-10 16:29:00
CVE-2018-1449
2018-05-25 14:29:00
cvelist
cvelist
CVE-2018-1450
2018-05-22 00:00:00
CVE-2018-1566
2018-07-06 00:00:00
CVE-2018-1449
2018-05-22 00:00:00
prion
prion
Design/Logic Flaw
2018-05-25 14:29:00
Design/Logic Flaw
2018-05-25 14:29:00
Stack overflow
2018-05-25 14:29:00
freebsd
freebsd
FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability
2018-08-14 00:00:00
nessus
nessus
FreeBSD : FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability (45671c0e-a652-11e8-805b-a4badb2f4699)
2018-08-23 00:00:00

0.001 Low

EPSS

Percentile

21.2%

JSON
Related for E4BB1C9864E55C3788F8468CF0650AF9A1C7F22B51FCC15A54CBB981D2F9E368
ibm9nvd11cve11cvelist11prion11freebsd1nessus1