There are multiple vulnerabilities in IBM® Db2® as shipped with IBM Security Key Lifecycle Manager. These issues were disclosed as part of published IBM® Db2® updates and may affect some configurations of IBM Security Key Lifecycle Manager.
Please consult the following security bulletins for vulnerability details and information about fixes:

- Security Bulletin: IBM® Db2® performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)
- Security Bulletin: Buffer overflow vulnerability in IBM® DB2® LUW (CVE-2017-1105)
CVEID: CVE-2017-1297
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking, which could allow a local attacker to execute arbitrary code.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125159 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID: CVE-2017-1677
DESCRIPTION: IBM Data Server Driver for JDBC and SQLJ deserializes the contents of /tmp/connlicj.bin, which leads to object injection and potentially arbitrary code execution depending on the classpath.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133999 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-1105
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow that could allow a local user to overwrite DB2 files or cause a denial of service.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
Principal Product and Version(s) | Affected CVE-ID | Affected Supporting Product, Version
---|---|---
IBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | CVE-2017-1297, CVE-2017-1677, CVE-2017-1105 | IBM® Db2® Workgroup Server Edition, version 10.1
IBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | CVE-2017-1297, CVE-2017-1677, CVE-2017-1105 | IBM® Db2® Workgroup Server Edition, version 10.5.0.6
IBM Security Key Lifecycle Manager (SKLM) v2.7 on distributed platforms | CVE-2017-1297, CVE-2017-1677, CVE-2017-1105 | IBM® Db2® Advanced Workgroup Server Edition, version 11.1
IBM Security Key Lifecycle Manager (SKLM) v3.0 on distributed platforms | CVE-2017-1677 | IBM® Db2® Advanced Workgroup Server Edition, version 11.1.2.2