—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.2231
IBM Db2 multiple vulnerabilities (CVE-2020-4945,
CVE-2021-20579, CVE-2020-4885)
24 June 2021
===========================================================================
AusCERT Security Bulletin Summary
———————————
Product: IBM DB2
Publisher: IBM
Operating System: Linux variants
AIX
HP-UX
Solaris
Windows
Impact/Access: Overwrite Arbitrary Files — Existing Account
Access Confidential Data — Existing Account
Unauthorised Access — Existing Account
Reduced Security — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20579 CVE-2020-4945 CVE-2020-4885
Original Bulletin:
https://www.ibm.com/support/pages/node/6466367
https://www.ibm.com/support/pages/node/6466369
https://www.ibm.com/support/pages/node/6466363
Comment: This bulletin contains three (3) IBM security advisories.
– ————————–BEGIN INCLUDED TEXT——————–
IBM Db2 could allow an authenticated user to overwrite arbirary files due to
improper group permissions. (CVE-2020-4945)
Document Information
Document number : 6466367
Modified date : 23 June 2021
Product : DB2 for Linux- UNIX and Windows
Software version : 11.5
Operating system(s): AIX
Linux
Summary
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow
an authenticated user to overwrite arbirary files due to improper group
permissions.
Vulnerability Details
CVEID: CVE-2020-4945
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
could allow an authenticated user to overwrite arbirary files due to improper
group permissions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
191945 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
All fix pack levels of IBM Db2 V11.5 edition on Linux and Unix platforms are
affected. Windows is not impacted.
All other versions are not impacted.
Remediation/Fixes
Customers running any vulnerable fixpack level of an affected Program, V11.5,
can download the build containing the fix for this issue from Fix Central. This
special build is available based on the most recent fixpack level for the
impacted release: V11.5.5 FP1. This can be applied to any affected fixpack
level of the appropriate release to remediate this vulnerability.
+——-+—————-+——-+——————————————–+
|Release|Fixed in fix |APAR |Download URL |
| |pack | | |
+——-+—————-+——-+——————————————–+
|V11.5 |11.5.6 |IT34964|https://www.ibm.com/support/pages/node/ |
| | | |6465915 |
| | | | |
| | | | |
| | | | |
+——-+—————-+——-+——————————————–+
Workarounds and Mitigations
None
Acknowledgement
This vulnerability was reported to IBM by DBSec Labs
Change History
23 Jun 2021: Initial Publication
– ——————————————————————————–
IBM Db2 is vulnerable to an information disclosure (CVE-2021-20579)
Document Information
Document number : 6466369
Modified date : 23 June 2021
Product : DB2 for Linux- UNIX and Windows
Software version : 9.7,10.1,10.5,11.1,11.5
Operating system(s): AIX
Linux
HP-UX
Solaris
Windows
Summary
IBM Db2 is vulnerable to an information disclosure as it could allow a user who
can create a view or inline SQL function to obtain sensitive information when
AUTO_REVAL is set to DEFFERED_FORCE.
Vulnerability Details
CVEID: CVE-2021-20579
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
could allow a user who can create a view or inline SQL function to obtain
sensitive information when AUTO_REVAL is set to DEFFERED_FORCE.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
199283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on
all platforms are affected.
Remediation/Fixes
Customers running any vulnerable fixpack level of an affected Program, V9.7,
V10.1, V10.5, V11.1 and V11.5, can download the special build containing the
interim fix for this issue from Fix Central. These special builds are available
based on the most recent fixpack level for each impacted release: V9.7 FP11,
V10.1 FP6, V10.5 FP11, V11.1 FP6, and V11.5.5. They can be applied to any
affected fixpack level of the appropriate release to remediate this
vulnerability.
+——-+————–+——-+———————————————-+
|Release|Fixed in fix |APAR |Download URL |
| |pack | | |
+——-+————–+——-+———————————————-+
|V9.7 |TBD |IT36720|Special Build for V9.7 FP11: |
| | | | |
| | | |AIX 64-bit |
| | | |HP-UX 64-bit |
| | | |Linux 32-bit, x86-32 |
| | | |Linux 64-bit, x86-64 |
| | | |Linux 64-bit, POWER big endian |
| | | |Linux 64-bit, System z, System z9 or zSeries |
| | | |Solaris 64-bit, SPARC |
| | | |Solaris 64-bit, x86-64 |
| | | |Windows 32-bit, x86 |
| | | |Windows 64-bit, x86 |
+——-+————–+——-+———————————————-+
|V10.1 |TBD |IT36719|Special Build for V10.1 FP6: |
| | | | |
| | | |AIX 64-bit |
| | | |HP-UX 64-bit |
| | | |Linux 32-bit, x86-32 |
| | | |Linux 64-bit, x86-64 |
| | | |Linux 64-bit, POWER big endian |
| | | |Linux 64-bit, System z, System z9 or zSeries |
| | | |Solaris 64-bit, SPARC |
| | | |Solaris 64-bit, x86-64 |
| | | |Windows 32-bit, x86 (Links will be updated |
| | | |when available.) |
| | | |Windows 64-bit, x86 (Links will be updated |
| | | |when available.) |
+——-+————–+——-+———————————————-+
|V10.5 |TBD |IT36718|Special Build for V10.5 FP11: |
| | | | |
| | | |AIX 64-bit |
| | | |HP-UX 64-bit |
| | | |Linux 32-bit, x86-32 |
| | | |Linux 64-bit, x86-64 |
| | | |Linux 64-bit, POWER big endian |
| | | |Linux 64-bit, POWER little endian |
| | | |Linux 64-bit, System z, System z9 or zSeries |
| | | |Solaris 64-bit, SPARC |
| | | |Solaris 64-bit, x86-64 |
| | | |Windows 32-bit, x86 |
| | | |Windows 64-bit, x86 |
| | | |Inspur |
+——-+————–+——-+———————————————-+
|V11.1 |TBD |IT36717|Special Build for V11.1 FP6: |
| | | | |
| | | |AIX 64-bit |
| | | |Linux 32-bit, x86-32 |
| | | |Linux 64-bit, x86-64 |
| | | |Linux 64-bit, POWER little endian |
| | | |Linux 64-bit, System z, System z9 or zSeries |
| | | |Solaris 64-bit, SPARC |
| | | |Windows 32-bit, x86 |
| | | |Windows 64-bit, x86 |
+——-+————–+——-+———————————————-+
|V11.5 |V11.5.6 |IT36475|https://www.ibm.com/support/pages/node/6465915|
+——-+————–+——-+———————————————-+
Workarounds and Mitigations
None
Acknowledgement
Change History
23 Jun 2021: Initial Publication
– ——————————————————————————–
IBM Db2 could allow a local user to access and change the configuration of
DB2 due to a race condition via a symbolic link. (CVE-2020-4885)
Document Information
Document number : 6466363
Modified date : 23 June 2021
Product : DB2 for Linux- UNIX and Windows
Software version : 11.5
Operating system(s): AIX
Linux
Summary
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a
local user to access and change the configuration of DB2 due to a race
condition via a symbolic link.
Vulnerability Details
CVEID: CVE-2020-4885
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
could allow a local user to access and change the configuration of DB2 due to a
race condition of a symbolic link,.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
190909 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
All fix pack levels of IBM Db2 V11.5 edition on Linux and Unix platforms are
affected. Windows is not impacted.
All other versions are not impacted.
Remediation/Fixes
Customers running any vulnerable fixpack level of an affected Program, V11.5
can download the special build containing the interim fix for this issue from
Fix Central. This special build is available based on the most recent fixpack
level for the impacted release: V11.5.5 FP1. This can be applied to any
affected fixpack level of the appropriate release to remediate this
vulnerability.
+——-+—————-+——-+——————————————–+
|Release|Fixed in fix |APAR |Download URL |
| |pack | | |
+——-+—————-+——-+——————————————–+
|V11.5 |11.5.6 |IT34966|https://www.ibm.com/support/pages/node/ |
| | | |6465915 |
| | | | |
| | | | |
| | | | |
+——-+—————-+——-+——————————————–+
Workarounds and Mitigations
None
Acknowledgement
This Vulnerability was found by Eddie Zhu
Change History
23 Jun 2021: Initial Publication
– ————————–END INCLUDED TEXT——————–
You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYNQF8+NLKJtyKPYoAQgmcxAAhf6L3aafCda06jy8vMW9aOhNh2glggXT
xhQh7femfpqCJ8huVFUPvHi2poIPuImNkLDqAoZk7DdiXHaPO+zvXVIfYmk5KPEL
CusIwPOw0cfUsl4cjcwV0kEE05U4IuZ1hMb5kZJsYdlhYYRZcfZpCMsYM6avDTwG
hipF17bzchJE39giUCdjbRqHGfv173nUWTMjXv5guDJD1TVJO5GNhnVGbL2Fj3u2
JD+5xnxxWDvH25xOALqEvnkIiUqW2zu+nYaDU+5fqo43Pf4U2UvRNKBnUVADOGjD
7uaUVYUV+Rlxy1cyLkyzCOKZnTf1DLMJXYOoeGMLYdR9/IiBl5xuNdSSVtmsP6T/
38QJnME2NWYFHz+rLWyMS7l5PGfFSz1nfq2bnTr82AYiEd0kihLBZSpht3//XE4t
CpQKRTJ0kIZvv3Lrxc0u/MRQ2rL4VzwTkfS1VpIQwzRMge9Vbq8J/6RLt+JKoDSZ
HHThImlwg71eorsbt3+hBDYrt67ecjOipn6K6fjPMRxCZJ2s3AIZwuAYwH4jC3r/
70QDsvPR07naCrYpKC546T3HOiPJEhc4XeIhlGSHB0QHquijqXwrpd6STrG9erUG
eu9Aul7jCX5J5fEnKrXBxF5pJcyKaNcZ6W8bNJFH0+V47kovzKuZTD2XJ80mAk8r
sskaFuXfUeQ=
=wYa/
—–END PGP SIGNATURE—–
The post ESB-2021.2231 – [Win][Linux][HP-UX][Solaris][AIX] IBM DB2: Multiple vulnerabilities appeared first on Malware Devil.
https://malwaredevil.com/2021/06/24/esb-2021-2231-winlinuxhp-uxsolarisaix-ibm-db2-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2231-winlinuxhp-uxsolarisaix-ibm-db2-multiple-vulnerabilities
No comments:
Post a Comment