Security Bulletin: Security vulnerabilities have been identified in DB2 which is shipped with IBM Performance Management products

Summary

DB2 is shipped with IBM Performance Management products. Some of the information about security vulnerabilities affecting DB2 has been published in security bulletins.

Vulnerability Details

CVEID: CVE-2017-1520**
DESCRIPTION:** IBM DB2 9.7, 10,1, 10.5, and 11.1 is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT. IBM X-Force ID: 129830.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/129830&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-1519**
DESCRIPTION:** IBM DB2 10.5 and 11.1 contains a denial of service vulnerability. A remote user can cause disruption of service for DB2 Connect Server setup with a particular configuration. IBM X-Force ID: 129829.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/129829&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-1434**
DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) under unusual circumstances, could expose highly sensitive information in the error log to a local user.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127806&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-1452**
DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user to obtain elevated privilege and overwrite DB2 files. IBM X-Force ID: 128180.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128180&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1438**
DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access. IBM X-Force ID: 128057.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128057&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1451**
DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access. IBM X-Force ID: 128178.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128178&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1439**
DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access. IBM X-Force ID: 128058.
CVSS Base Score: 6.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128058&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Details of the following vulnerabilities are published in security bulletins:

• Privilege escalation vulnerability affects IBM® DB2® LUW (CVE-2017-1134)
• IBM® DB2® LUW on AIX and Linux Affected by vulnerabilities in zlib (CVE-2016-9840, CVE-2016-9841)
• IBM® DB2® LUW’s Command Line Processor Contains Buffer Overflow Vulnerability (CVE-2017-1297)
• Buffer overflow vulnerability in IBM® DB2® LUW (CVE-2017-1105)

Affected Products and Versions

IBM Cloud Application Performance Management, Base Private 8.1.4
IBM Cloud Application Performance Management, Advanced Private 8.1.4

IBM Monitoring 8.1.3

IBM Application Diagnostics 8.1.3

IBM Application Performance Management 8.1.3

IBM Application Performance Management Advanced 8.1.3

Remediation/Fixes

Product

| Product
VRMF| Remediation
—|—|—
IBM Cloud Application Performance Management, Base Private

IBM Cloud Application Performance Management, Advanced Private

| 8.1.4

_ _
_ _| The vulnerability can be remediated by applying DB2 V10.5 FP9, which is available for download from Fix Central, to your DB2 server. For information about applying DB2 V10.5 FP9 to your DB2 server, see the DB2 for Linux, Unix, and Windows 10.5.0 Knowledge Center.

To use DB2 V10.5 FP9 with your IBM Performance Management product, after you install the Performance Management server, apply the following 8.1.4.0-IBM-APM-SERVER-1F0002 server patch to the system where the Performance Management server is installed:
http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003632

You can apply 8.1.4.0-IBM-APM-SERVER-1F0002 either before or after you install the DB2 fix pack.
IBM Monitoring

IBM Application Diagnostics

IBM Application Performance Management

IBM Application Performance Management Advanced

| 8.1.3

_ _
_ _| The vulnerability can be remediated by applying the following 8.1.3.0-IBM-IPM-SERVER-IF0011 server patch to the system where the Performance Management server is installed: http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003678

Workarounds and Mitigations

None.