History: Dec 23, 2021 - 4:29 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Db2 affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition

2021-12-23 16:29:36
www.ibm.com
9

EPSS: 0.001 (Low), Percentile: 46.8%

Summary

IBM Db2 is affected by information disclosure vulnerabilities. IBM Db2 has issued fixes for multiple security vulnerabilities.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Cloud Orchestrator | 2.5.0.10 |

Remediation/Fixes

Consult the following security bulletins for IBM DB2 vulnerability details and information about fixes.

Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678)
<https://www.ibm.com/support/pages/node/6523806>
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373)
<https://www.ibm.com/support/pages/node/6523804>
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002)
<https://www.ibm.com/support/pages/node/6523802>
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926)
<https://www.ibm.com/support/pages/node/6523808>
Affected Db2 releases: V9.7, V10.1, V10.5, V11.1, V11.5

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. (CVE-2021-38931)
<https://www.ibm.com/support/pages/node/6523810>
Affected Db2 releases: V11.1, V11.5

Workarounds and Mitigations

None

| CPE | Name | Operator | Version |
| --- | --- | --- | --- |
| ibm | cloud orchestrator | eq | 2.5.0.10 |
