CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Metric | Value
---|---
Attack Vector | LOCAL
Attack Complexity | LOW
Privileges Required | LOW
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

CVSS2: 4.6 Medium (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Metric | Value
---|---
Access Vector | LOCAL
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL
Unsafe deserialization in DB2 JDBC driver
The Db2 JDBC driver deserializes the contents of /tmp/connlicj.bin (default path, this is configurable), which leads to object injection and potentially arbitrary code execution depending on the classpath.
CVEID: CVE-2017-1677

**DESCRIPTION:** IBM Data Server Driver for JDBC and SQLJ deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133999> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected products:

- DB2Connect 9.5
- DB2Connect 9.7
- DB2Connect 10.1
- DB2Connect 10.5
- DB2Connect 11.1
Product | VRMF | APAR | Remediation / First Fix
---|---|---|---
DB2Connect | V11.1 M2FP2 SB | IT23592 | JCC version 3.72.41/4.23.48; see workaround or contact support
DB2Connect | V10.5 FP9 SB | IT23591 | JCC version 3.69.75/4.19.76; see workaround or contact support
DB2Connect | V10.1 FP6 SB | IT23590 | JCC version 3.65.138/4.15.147; see workaround or contact support
DB2Connect | V9.7 FP11 SB | IT23575 | JCC version 3.64.142/4.14.147; see workaround or contact support
DB2Connect | V9.5 FP10 SB | IT23575 | JCC version 3.64.142/4.14.147; see workaround or contact support
Workaround: set the db2.jcc.outputDirectory property to a secure location, so that the driver writes its cache file to the configured directory, which cannot be accessed without proper authentication. Alternatively, use the Special Build (SB) drivers listed above.
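The following is an added example of applying the workaround from a Java application; it is not code from the advisory or from IBM. It assumes that the driver reads the global property db2.jcc.outputDirectory from the JVM system properties (the advisory only names the property, not where it is set; setting it in the driver's DB2JccConfiguration.properties file is the usual alternative), and the JDBC URL, user and password are placeholders. The point of the helper is that the directory handed to the driver is created and verified as owner-only before any connection is opened, so the cache file that the driver later deserializes cannot be planted or replaced by another local user the way a file in the shared /tmp can.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Set;

public class SecureJccOutputDirectory {

    // Hypothetical property name taken from the advisory's workaround text.
    private static final String OUTPUT_DIR_PROPERTY = "db2.jcc.outputDirectory";

    /**
     * Creates (or fixes up) a directory that only the current user can enter,
     * and rejects anything that could let another local account reach the
     * driver's cache file: a symlink, or group/world permission bits.
     */
    public static Path prepareOutputDirectory(Path dir) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");

        if (Files.isSymbolicLink(dir)) {
            // A symlink could redirect the driver into a shared location such as /tmp.
            throw new IOException("refusing symlinked output directory: " + dir);
        }
        if (Files.notExists(dir, LinkOption.NOFOLLOW_LINKS)) {
            Files.createDirectories(dir);
        }
        // mkdir is subject to the process umask, so set the mode explicitly afterwards.
        Files.setPosixFilePermissions(dir, ownerOnly);

        // Re-read and verify: nothing beyond rwx------ may remain.
        Set<PosixFilePermission> actual =
                Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS);
        if (!ownerOnly.containsAll(actual)) {
            throw new IOException("output directory is reachable by other users: " + dir);
        }
        if (!Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("not a directory: " + dir);
        }
        return dir;
    }

    /**
     * Points the driver at the private directory before any connection is made.
     * Returns the value the driver will see, so callers can log or assert on it.
     */
    public static String configureDriverOutputDirectory(Path dir) throws IOException {
        Path secured = prepareOutputDirectory(dir);
        // Assumption: the driver honours this as a JVM system property; it must be
        // set before the driver class is loaded, hence before DriverManager is used.
        System.setProperty(OUTPUT_DIR_PROPERTY, secured.toAbsolutePath().toString());
        return System.getProperty(OUTPUT_DIR_PROPERTY);
    }

    public static void main(String[] args) throws Exception {
        // Per-user location under the home directory rather than the shared /tmp.
        Path privateDir = Paths.get(System.getProperty("user.home"), ".db2jcc-cache");
        String configured = configureDriverOutputDirectory(privateDir);
        System.out.println("db2.jcc.outputDirectory = " + configured);

        // Placeholder connection details (not real hosts or credentials).
        String url = "jdbc:db2://DBHOST:50000/DBNAME";
        try (Connection conn = DriverManager.getConnection(url, "DBUSER", "DBPASSWORD")) {
            System.out.println("connected: " + !conn.isClosed());
        } catch (SQLException e) {
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```

If the application's start-up order is not under your control (for example, a container that loads the driver early), pass the same value on the JVM command line with -Ddb2.jcc.outputDirectory=/path/to/private/dir and still run the directory check once at deployment time, since the property only relocates the file; the permissions on the target directory are what actually remove other local users' access.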