CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.0%
Db2 Web Query uses the IBM Toolbox for Java to access IBM i interfaces. IBM Toolbox for Java could allow sensitive information stored as Java strings to be obtained by an attacker as described in the vulnerability details section. Db2 Web Query has addressed the vulnerability with a fix as described in the remediation/fixes section.
CVEID:CVE-2022-43928
**DESCRIPTION:**The IBM Toolbox for Java could allow a user to obtain sensitive information, caused by utilizing a Java string for processing. Since Java strings are immutable, their contents exist in memory until garbage collected. This means sensitive data could be visible in memory over an indefinite amount of time. IBM has addressed this issue by reducing the amount of time the sensitive data is visible in memory.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241675 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Db2 Web Query for i |
2.3.0
IBM Db2 Web Query for i|
2.4.0
IBM strongly recommends addressing the vulnerability now.
To remediate this problem you must apply PTFs to IBM Db2 Web Query for i (5733WQX) and must apply the latest level of the group PTF for IBM HTTP Server for i (5770DG1). Future Group PTFs for IBM HTTP Server for i will also contain the fixes for the vulnerability.
The PTF numbers containing the fix for this vulnerability are in the following table.
IBM Db2 Web Query for i Release | 5733WQX PTFs to apply for remediation | IBM i Release | 5770DG1 Group PTF - Level to apply for remediation |
---|---|---|---|
2.3.0 |
| 7.5| SF99952 - 06
7.4| SF99662 - 26
7.3| SF99722 - 43
2.4.0|
| 7.5| SF99952 - 06
7.4| SF99662 - 26
Important note:_
IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of affected products._
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_i_7.5_preventative_service_planning | 7.5 | cpe:2.3:a:ibm:ibm_i_7.5_preventative_service_planning:7.5:*:*:*:*:*:*:* |
ibm | planning_analytics | 7.4 | cpe:2.3:a:ibm:planning_analytics:7.4:*:*:*:*:*:*:* |
ibm | db2_mirror_for_i | 2.4.0 | cpe:2.3:a:ibm:db2_mirror_for_i:2.4.0:*:*:*:*:*:*:* |
ibm | db2_mirror_for_i | 2.3.0 | cpe:2.3:a:ibm:db2_mirror_for_i:2.3.0:*:*:*:*:*:*:* |
ibm | i | 7.5 | cpe:2.3:o:ibm:i:7.5:*:*:*:*:*:*:* |
ibm | i | 7.4 | cpe:2.3:o:ibm:i:7.4:*:*:*:*:*:*:* |
ibm | i | 7.3 | cpe:2.3:o:ibm:i:7.3:*:*:*:*:*:*:* |
ibm | planning_analytics | 7.3 | cpe:2.3:a:ibm:planning_analytics:7.3:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.0%