Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1A39EF19FFB4B8B5263EDFF9ADE0EC34321B727F917F59ABD275F55CAC5CF4BD
HistoryOct 06, 2023 - 3:18 p.m.

Security Bulletin: A vulnerability in libqb affects IBM® Db2® High-Availability deployments using Pacemaker (CVE-2023-39976)

2023-10-0615:18:50
www.ibm.com
21
vulnerability
libqb
ibm db2
high-availability
pacemaker
buffer overflow
remote code execution
fixed
fix pack
v11.5.7
v11.5.8
linux

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

45.4%

JSON

Summary

A vulnerability in libqb affects IBM® Db2® High-Availability deployments using Pacemaker.

Vulnerability Details

CVEID:CVE-2023-39976
**DESCRIPTION:**ClusterLabs libqb is vulnerable to a buffer overflow, caused by improper bounds checking by the qb_vsnprintf_serialize function in log_blackbox.c. By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263116 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s) Applicable Editions
IBM® Db2®

11.5.x

|

Server

Linux platforms is affected. Unix, Windows are not affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Release Fixed in fix pack APAR Download URL
V11.5 TBD DT236965

Special Build for V11.5.7:

Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®

Special Build for V11.5.8:

Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibmdb2_for_linux\,_unix_and_windowsMatch11.5
VendorProductVersionCPE
ibmdb2_for_linux\,_unix_and_windows11.5cpe:2.3:a:ibm:db2_for_linux\,_unix_and_windows:11.5:*:*:*:*:*:*:*

Related

prion 1
fedora 1
openvas 6
ibm 9
nessus 13
oraclelinux 1
osv 3
cvelist 1
debiancve 1
ubuntu 1
redhatcve 1
redhat 3
mageia 1
nvd 1
veracode 1
ubuntucve 1
almalinux 1
cve 1
prion
prion
Buffer overflow
2023-08-08 06:15:00
fedora
fedora
[SECURITY] Fedora 38 Update: libqb-2.0.8-1.fc38
2023-08-24 01:32:17
openvas
openvas
openSUSE: Security Advisory for libqb (SUSE-SU-2023:3897-1)
2024-03-04 00:00:00
Fedora: Security Advisory for libqb (FEDORA-2023-5a717dd33d)
2023-08-25 00:00:00
Mageia: Security Advisory (MGASA-2023-0339)
2023-12-05 00:00:00
ibm
ibm
Security Bulletin: IBM MQ is vulnerable to an issue in libqb (CVE-2023-39976)
2024-02-29 21:58:56
Security Bulletin: Multiple security vulnerabilities have been identified in IBM MQ which is shipped with IBM Intelligent Operations Center(CVE-2023-4218, CVE-2023-44487, CVE-2023-39976, CVE-2024-25016)
2024-03-28 06:46:02
Security Bulletin: Multiple Vulnerabilities have been identified in IBM MQ shipped with IBM WebSphere Remote Server
2024-03-19 19:39:27
nessus
nessus
Fedora 38 : libqb (2023-5a717dd33d)
2023-08-24 00:00:00
RHEL 7 : libqb (Unpatched Vulnerability)
2024-05-11 00:00:00
RHEL 9 : libqb (RHSA-2023:7376)
2023-11-21 00:00:00
oraclelinux
oraclelinux
libqb security update
2023-11-11 00:00:00
osv
osv
CVE-2023-39976
2023-08-08 06:15:46
Moderate: libqb security update
2023-11-07 00:00:00
libqb vulnerability
2023-08-28 16:44:34
cvelist
cvelist
CVE-2023-39976
2023-08-08 00:00:00
debiancve
debiancve
CVE-2023-39976
2023-08-08 06:15:46
ubuntu
ubuntu
Libqb vulnerability
2023-08-28 00:00:00
redhatcve
redhatcve
CVE-2023-39976
2023-08-21 06:48:58
redhat
redhat
(RHSA-2023:5597) Moderate: libqb security update
2023-10-10 14:19:58
(RHSA-2023:6578) Moderate: libqb security update
2023-11-07 06:08:58
(RHSA-2023:7376) Moderate: libqb security update
2023-11-21 08:14:04
mageia
mageia
Updated libqb packages fix a security vulnerability
2023-12-04 23:37:23
nvd
nvd
CVE-2023-39976
2023-08-08 06:15:46
veracode
veracode
Buffer Overflow
2023-08-09 11:57:46
ubuntucve
ubuntucve
CVE-2023-39976
2023-08-08 00:00:00
almalinux
almalinux
Moderate: libqb security update
2023-11-07 00:00:00
cve
cve
CVE-2023-39976
2023-08-08 06:15:46

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

45.4%

JSON
Related for 1A39EF19FFB4B8B5263EDFF9ADE0EC34321B727F917F59ABD275F55CAC5CF4BD
prion1fedora1openvas6ibm9nessus13oraclelinux1osv3cvelist1debiancve1ubuntu1redhatcve1redhat3mageia1nvd1veracode1ubuntucve1almalinux1cve1