9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
The vulnerabilities have been addressed in the Open Source Apache Xerces-C XML parser for IBM Data Server Driver packages(DB2 Connect Instance less clients).
CVEID: CVE-2016-0729**
DESCRIPTION:** Apache Xerces-C XML Parser library is vulnerable to a denial of service, caused by improper bounds checking during processing and error reporting. By sending specially crafted input documents, an attacker could exploit this vulnerability to cause the library to crash or possibly execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111028> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
The V9.7, V10.1, V10.5, V11.1 versions of IBM Data Server Driver packages(DB2 Connect Instance less clients) are as follows:
IBM Data Server Driver Package
IBM Data Server Driver for ODBC and CLI
The recommended solution is to apply the appropriate fix for this vulnerability.
FIX:
The fix for driver package release V10.5 is in V10.5 FP8, available for download from Fix Central.
Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1 and V11.1 can download the special build containing the fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.7 FP11, DB2 V10.1 FP5 and DB2 V11.1 GA. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.
Refer to the following chart to determine how to proceed to obtain a needed fixpack or special build.
Release | Download URL |
---|---|
9.7 | Special Build for V9.7 FP11 |
IBM Data Server Driver Package
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-bit
Windows x86-32
Windows 64-bit, x86
IBM Data Server Driver for ODBC and CLI
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-bit
Windows x86-32
Windows 64-bit, x86
IBM Data Server Driver for ODBC and CLI (32-bit)
Solaris 64-bit, SPARC
Solaris 64-bit, x86
AIX 64-bit
Linux 64-bit, pSeries
Linux 64-bit, zSeries
HP-UX 64-bit
10.1| Special Build for V10.1 FP5
IBM Data Server Driver Package
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86
IBM Data Server Driver for ODBC and CLI
HP-UX 64-bit
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86
IBM Data Server Driver for ODBC and CLI (32-bit)
Solaris 64-bit, SPARC
Solaris 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
HP-UX 64-bit
10.5| 10.5 FP8 Fixpack
http://www.ibm.com/support/docview.wss?uid=swg24042680
11.1| Special Build for V11.1 GA
IBM Data Server Driver Package
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86
IBM Data Server Driver for ODBC and CLI
Linux 32-bit, x86
Linux 64-bit, x86
Linux 64-bit, pSeries
Linux 64-bit, zSeries
AIX 64-Bit
Windows 32-bit, x86
Windows 64-bit, x86
IBM Data Server Driver for ODBC and CLI (32-bit)
Linux 64-bit, zSeries
AIX 64-Bit
For platforms not listed above, contact Technical Support
None.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P