
Security Bulletin: IBM Data Virtualization on Cloud Pak for Data is vulnerable to OpenSSH vulnerability CVE-2024-6387

2024-08-10 03:11:51
www.ibm.com

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.9
Confidence: High
EPSS: 0.004
Percentile: 73.8%

Summary

IBM Data Virtualization on Cloud Pak for Data embeds a variant of the IBM Db2 database server that runs in MPP mode. For MPP functionality such as scale-out, the server internally uses the secure shell (SSH) protocol for inter-pod communication; this SSH endpoint is not exposed to external users or processes. Data Virtualization uses the OpenSSH packages for SSH. OpenSSH is vulnerable to CVE-2024-6387, which can allow a remote attacker to run arbitrary code as a privileged user on the system by using a specially crafted request. Because sshd still listens for inter-pod traffic, anything with network reach into the instance's pods remains a possible source of such a request, so the lack of external exposure lowers the likelihood of exploitation, not its impact.

Vulnerability Details

CVEID:CVE-2024-6387
**DESCRIPTION:** OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems. The race is in the sshd SIGALRM handler that fires when a client has not authenticated within LoginGraceTime and calls functions that are not async-signal-safe; winning it takes many connection attempts, which is why the Attack Complexity is rated High.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Data Virtualization Version(s) | Cloud Pak for Data Version(s)
—|—|—
IBM Data Virtualization on Cloud Pak for Data | 3.0.0 | 5.0.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Affected Product | Data Virtualization Version | Cloud Pak for Data Version | Fixes
—|—|—|—
IBM Data Virtualization on Cloud Pak for Data | 3.0.0 | 5.0.0 | Follow the instructions below to apply the patch and update the affected images.

Use the following patched image digest values :

1. For db2u.watsonquery image:

sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e

2. For db2u.dv.utils image:

sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe

Important:

  • The Data Virtualization instance is restarted during the process. Schedule some downtime for the Data Virtualization instance when you plan to complete these steps.
  • You do not have to apply the patch to all Data Virtualization instances at the same time. However, it is strongly recommended that you apply this patch to all Data Virtualization instances as soon as possible to address the vulnerability.

Before you begin:


To apply the patch, complete steps A and B:

A. Create a new section in the db2u-release ConfigMap:

This new section has the same values as the 12.1.0.0 section, other than the digest values for the db2u.watsonquery and db2u.dv.utils images.

1. To check which namespace the db2u-release ConfigMap is in, run the following command:

oc get configmap -A | grep db2u-release

2. Specify the namespace as the value for DB2U_OPERATOR_NAMESPACE:

DB2U_OPERATOR_NAMESPACE=[add the operator namespace value here]

oc project ${DB2U_OPERATOR_NAMESPACE}

oc edit configmap db2u-release

3. Copy the 12.1.0.0 section and add a new section after it. Name the new section 12.1.0.0-sb1. Add a comma "," to separate the 12.1.0.0 and 12.1.0.0-sb1 sections. Do not change the existing 12.1.0.0 section.

4. In the 12.1.0.0-sb1 section, make the following changes:

i. Change "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:c69dcfe77773bfe9ddd83ea6436f036ed329a7dbe8bcd05f56a0699debfc3eaa to "watsonquery": icr.io/db2u/db2u.watsonquery@sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e

ii. Change "dvutils": icr.io/db2u/db2u.dv.utils@sha256:4b58edae6e92f43c7977ae10ddad4bba89053b96df4f9b4590dbdeca15ac6dbd to "dvutils": icr.io/db2u/db2u.dv.utils@sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe

Note: The new 12.1.0.0-sb1 section must include all listed images from the 12.1.0.0 section. The only difference between 12.1.0.0-sb1 and 12.1.0.0 is the digest value of the icr.io/db2u/db2u.watsonquery and icr.io/db2u/db2u.dv.utils images.

B. Update Db2uCluster db2u-dv custom resource (CR):

Complete the following steps for each Data Virtualization instance.

1. Update the DV_INSTANCE_NAMESPACE value with the namespace of the Data Virtualization instance that you are patching.

DV_INSTANCE_NAMESPACE=[add the Data Virtualization instance namespace value here]

echo ${DV_INSTANCE_NAMESPACE}

Check the value of DV_INSTANCE_NAMESPACE and verify that you are operating on the correct Data Virtualization instance before proceeding.

oc project ${DV_INSTANCE_NAMESPACE}

oc get db2ucluster db2u-dv -o yaml | grep -i 12.1.0.0 | grep -v "-"

Ensure that the line or lines that are displayed include only the version 12.1.0.0.

2. Update Db2uCluster db2u-dv custom resource CR with the new version and the upgrade/bigsql annotation:

oc project ${DV_INSTANCE_NAMESPACE}

oc patch db2ucluster db2u-dv --type merge -p '{"spec":{"version":"12.1.0.0-sb1"}}'

oc annotate db2ucluster db2u-dv "upgrade/bigsql"=""

3. Wait for the Data Virtualization head pod (c-db2u-dv-db2u-0), the Data Virtualization worker pods (c-db2u-dv-db2u-X, where X is 1-n, one per worker pod) and the Data Virtualization utils pod (c-db2u-dv-dvutils-0) to restart. Check the age of the pods to ensure that they were restarted after you completed the previous steps:

oc get pods | grep -e c-db2u-dv-db2u -e c-db2u-dv-dvutils

4. Verify that the c-db2u-dv-db2u statefulset has the new digest value:

oc get sts c-db2u-dv-db2u -o yaml | grep -i b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e

5. Verify that the c-db2u-dv-dvutils statefulset has the new digest value:

oc get sts c-db2u-dv-dvutils -o yaml | grep -i 2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe

6. After the Data Virtualization head, worker and dvutils pods restart successfully, run the following command to remove the upgrade/bigsql annotation:

oc annotate db2ucluster db2u-dv "upgrade/bigsql"-

The patch is now applied. It updates the OpenSSH package in the affected images to an OpenSSH version with a fix for CVE-2024-6387.
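Steps A and B above, as an added example script (not IBM's own tooling and not part of the bulletin). The pure text transformations and checks are kept in plain functions so they can be exercised offline; the oc calls only run when the script is invoked with --apply or --verify. Assumptions that the bulletin does not state: the Db2uCluster CR stores the version under spec.version, the StatefulSets reference the images by digest, and oc is already logged in to the cluster.

```shell
#!/bin/sh
# Added example, not IBM's tooling: a small driver for steps A and B of the
# bulletin. Assumptions (not in the bulletin): the CR keeps the version under
# spec.version and the StatefulSets pin images by digest.
set -eu

OLD_WQ="sha256:c69dcfe77773bfe9ddd83ea6436f036ed329a7dbe8bcd05f56a0699debfc3eaa"
NEW_WQ="sha256:b96d31600bf67cd144aa01d1ce94c1efe9eec3174962bf6911dd0d32e2061b1e"
OLD_UT="sha256:4b58edae6e92f43c7977ae10ddad4bba89053b96df4f9b4590dbdeca15ac6dbd"
NEW_UT="sha256:2747bc535d7071539913cf650e90dd61079397a367dcc94e1f4a407592f56abe"
WQ_IMAGE="icr.io/db2u/db2u.watsonquery"
UT_IMAGE="icr.io/db2u/db2u.dv.utils"

# Step A.4: read the copied 12.1.0.0 section on stdin and write the
# 12.1.0.0-sb1 body. Only the two digests change; every other image line
# passes through untouched, which is what the note under step A.4 requires.
make_sb1_section() {
  sed -e "s#${WQ_IMAGE}@${OLD_WQ}#${WQ_IMAGE}@${NEW_WQ}#g" \
      -e "s#${UT_IMAGE}@${OLD_UT}#${UT_IMAGE}@${NEW_UT}#g"
}

# Step B.1 pre-check: print spec.version from `oc get db2ucluster ... -o yaml`
# read on stdin. Stricter than grepping for 12.1.0.0: an instance already on
# 12.1.0.0-sb1 (or any other version) is reported as such.
cr_version() {
  awk '/^[^ ]/ { inspec = ($0 == "spec:") }
       inspec && /^  version:/ { print $2; exit }'
}

# Steps B.4/B.5 post-check: succeed only if the StatefulSet yaml on stdin
# references IMAGE by the new digest and no longer by the old one.
sts_uses_digest() {
  image=$1; new=$2; old=$3
  yaml=$(cat)
  case $yaml in *"${image}@${old}"*) return 1 ;; esac
  case $yaml in *"${image}@${new}"*) return 0 ;; esac
  return 1
}

# Step B.2 against a live cluster, one Data Virtualization instance at a time.
apply_step_b() {
  ns=$1
  oc project "$ns"
  v=$(oc get db2ucluster db2u-dv -o yaml | cr_version)
  if [ "$v" != "12.1.0.0" ]; then
    echo "db2u-dv in $ns is at version '$v', not 12.1.0.0; refusing to patch" >&2
    return 1
  fi
  oc patch db2ucluster db2u-dv --type merge -p '{"spec":{"version":"12.1.0.0-sb1"}}'
  oc annotate db2ucluster db2u-dv "upgrade/bigsql"=""
  echo "Wait for c-db2u-dv-db2u-* and c-db2u-dv-dvutils-0 to restart, then run: $0 --verify $ns"
}

# Steps B.4 to B.6: confirm both StatefulSets are on the patched digests
# before the upgrade/bigsql annotation is removed.
verify_step_b() {
  ns=$1
  oc project "$ns"
  oc get sts c-db2u-dv-db2u -o yaml | sts_uses_digest "$WQ_IMAGE" "$NEW_WQ" "$OLD_WQ" \
    || { echo "c-db2u-dv-db2u is not on $NEW_WQ" >&2; return 1; }
  oc get sts c-db2u-dv-dvutils -o yaml | sts_uses_digest "$UT_IMAGE" "$NEW_UT" "$OLD_UT" \
    || { echo "c-db2u-dv-dvutils is not on $NEW_UT" >&2; return 1; }
  oc annotate db2ucluster db2u-dv "upgrade/bigsql"-
}

case ${1:-} in
  --apply)  apply_step_b "${2:?usage: $0 --apply DV_INSTANCE_NAMESPACE}" ;;
  --verify) verify_step_b "${2:?usage: $0 --verify DV_INSTANCE_NAMESPACE}" ;;
esac
```

Paste the copied 12.1.0.0 section through make_sb1_section to produce the 12.1.0.0-sb1 body for step A, then run the script with --apply and the instance namespace, wait for the pods as in step B.3, and finish with --verify. The version pre-check refuses to patch an instance that is not at plain 12.1.0.0, and the digest check fails while either StatefulSet still references an old digest, so the annotation is only removed once both are on the patched images.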


Workarounds and Mitigations

None

Affected configurations

Vendor: ibm
Product: data_virtualization_on_cloud_pak_for_data
Version: 3.0.0
CPE: cpe:2.3:a:ibm:data_virtualization_on_cloud_pak_for_data:3.0.0:*:*:*:*:*:*:*
