Security Bulletin: Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server

Published: 2023-12-14 21:15:19 (source: www.ibm.com)

Scores shown are the roll-up for the bulletin as a whole, not per-CVE values.

CVSS v2: 9.0 (High), AV:N/AC:L/Au:N/C:P/I:P/A:C (Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Complete)

CVSS v3.1: 9.8 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)

AI Score: 10 (High), confidence High

EPSS: 0.473 (Medium), percentile 97.5%

Summary

IBM Db2 is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM Db2 has been published in the IBM Db2 security bulletins referenced below, covering: CVE-2015-8383, CVE-2015-8381, CVE-2015-8386, CVE-2015-8388, CVE-2015-8385, CVE-2015-8387, CVE-2015-8391, CVE-2015-8390, CVE-2015-8393, CVE-2015-8395, CVE-2015-8394, CVE-2015-2328, CVE-2015-2327, CVE-2020-14155, CVE-2015-8392, CVE-2023-29258, CVE-2023-45178, CVE-2023-46167, CVE-2023-47701, CVE-2023-43020, CVE-2018-25032, CVE-2002-0059, CVE-2022-37434, CVE-2023-40692, CVE-2023-40687, CVE-2023-38727, CVE-2023-38003, CVE-2023-1370, CVE-2022-3171, CVE-2022-3509, CVE-2023-43642, CVE-2023-34462, CVE-2023-32731, CVE-2022-3510

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM WebSphere Remote Server | 8.5, 9.0, 9.1

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now. Refer to the following IBM Db2 security bulletins for vulnerability details and for the fixes, which are delivered in the IBM Db2 component shipped with IBM WebSphere Remote Server.

Principal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin
---|---|---
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is vulnerable to privilege escalation with DATAACCESS. (CVE-2023-38003)
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is vulnerable to denial of service with a specially crafted SQL statement. (CVE-2023-38727)
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is vulnerable to denial of service with a specially crafted RUNSTATS command. (CVE-2023-40687)
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is vulnerable to denial of service under extreme stress conditions. (CVE-2023-40692)
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is affected by multiple vulnerabilities in the open source zlib library.
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is vulnerable to denial of service with a specially crafted query. (CVE-2023-43020)
IBM WebSphere Remote Server 9.0, 9.1 | IBM Db2 11.1, 11.5 | Multiple vulnerabilities in open source libraries affect IBM® Db2® Federated.
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. (CVE-2023-47701)
IBM WebSphere Remote Server 9.0, 9.1 | IBM Db2 11.5 | IBM® Db2® federated server is vulnerable to a denial of service when a specially crafted cursor is used. (CVE-2023-46167)
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 11.5 | IBM® Db2® is vulnerable to a denial of service when a specially crafted request is used via CLI. (CVE-2023-45178)
IBM WebSphere Remote Server 9.0, 9.1 | IBM Db2 11.1, 11.5 | IBM® Db2® is vulnerable to a denial of service through a specially crafted federated query on specific federation objects. (CVE-2023-29258)
IBM WebSphere Remote Server 8.5, 9.0, 9.1 | IBM Db2 10.5, 11.1, 11.5 | IBM® Db2® is affected by multiple vulnerabilities in the consumed PCRE library.

Workarounds and Mitigations

None
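Since the bulletin offers no workaround, the practical first step is triage: confirm whether the Db2 instance bundled with WebSphere Remote Server sits on one of the affected release trains (10.5, 11.1, 11.5), and, for the DATAACCESS privilege-escalation item (CVE-2023-38003), inventory who already holds DATAACCESS so the blast radius is known. The helper below is an added example, not code from IBM or from the bulletin. It assumes the `db2level` output follows its usual "Informational tokens" layout and that `SYSCAT.DBAUTH` exposes the `DATAACCESSAUTH` column (present on Db2 LUW 9.7 and later); the `db2level` text and catalog rows embedded in it are constructed samples. The bulletin does not state the fixing fix-pack levels, so the script only flags the train and leaves the exact level to the linked Db2 bulletins.

```python
"""Triage helper for the Db2-in-WebSphere Remote Server advisory.

Added example, not IBM code. Assumptions (not stated on the page):
  - `db2level` prints: Informational tokens are "DB2 vX.Y.Z.W", ..., Fix Pack "N".
  - SYSCAT.DBAUTH has GRANTEE, GRANTEETYPE and DATAACCESSAUTH columns.
"""
import re

# Db2 release trains the bulletin lists as affected (major.minor only).
# The fixing fix-pack levels are NOT on this page; read them from the
# per-CVE Db2 bulletins it links to before declaring an instance clean.
AFFECTED_TRAINS = {(10, 5), (11, 1), (11, 5)}

_TOKEN_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')
_FIXPACK_RE = re.compile(r'Fix Pack "(\d+)"')


def parse_db2level(output: str):
    """Return (major, minor, mod, pfix, fixpack) from db2level text, or None."""
    m = _TOKEN_RE.search(output)
    if not m:
        return None
    fp = _FIXPACK_RE.search(output)
    fixpack = int(fp.group(1)) if fp else 0
    return tuple(int(x) for x in m.groups()) + (fixpack,)


def affected_train(version) -> bool:
    """True when the installed major.minor is a train the bulletin names."""
    return (version[0], version[1]) in AFFECTED_TRAINS


# Catalog query for the blast radius of CVE-2023-38003: every grantee that
# already holds DATAACCESS. GRANTEETYPE is U (user), G (group) or R (role).
# Run it with: db2 "<query>" while connected to the database.
DATAACCESS_HOLDERS_SQL = (
    "SELECT GRANTEE, GRANTEETYPE FROM SYSCAT.DBAUTH "
    "WHERE DATAACCESSAUTH = 'Y' ORDER BY GRANTEETYPE, GRANTEE"
)


def dataaccess_holders(rows):
    """Reduce SYSCAT.DBAUTH rows (grantee, type, dataaccessauth) to holders."""
    return sorted((g, t) for g, t, flag in rows if flag == "Y")


# Constructed sample db2level output, modelled on the real message layout.
SAMPLE_DB2LEVEL = (
    'DB21085I  This instance or install (instance name, where applicable: '
    '"db2inst1") uses "64" bits and DB2 code release "SQL11055" with level '
    'identifier "0606010F".\n'
    'Informational tokens are "DB2 v11.5.5.0", "s2006161000", '
    '"DYN2006161000AMD64", and Fix Pack "0".\n'
)

# Constructed SYSCAT.DBAUTH rows: (GRANTEE, GRANTEETYPE, DATAACCESSAUTH).
SAMPLE_DBAUTH = [
    ("DB2INST1", "U", "Y"),
    ("APPUSER", "U", "N"),
    ("REPORTING", "R", "Y"),
    ("PUBLIC", "G", "N"),
]

if __name__ == "__main__":
    v = parse_db2level(SAMPLE_DB2LEVEL)
    print("installed Db2:", v, "| on affected train:", affected_train(v))
    print("query to run:", DATAACCESS_HOLDERS_SQL)
    print("DATAACCESS holders (sample):", dataaccess_holders(SAMPLE_DBAUTH))
```

Feed `parse_db2level` the captured output of `db2level` from the WebSphere Remote Server host, and paste the catalog query into the `db2` CLI; any grantee it returns is an account whose compromise already yields the privilege CVE-2023-38003 escalates to, so review those first while the fix pack is scheduled.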

