Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

2023-01-3018:40:51

www.ibm.com

ibm db2

cloud pak for data

vulnerability

upgrade

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.01 Low

EPSS

Percentile

83.4%

JSON

Summary

IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components.

Vulnerability Details

CVEID:CVE-2022-37599
**DESCRIPTION:**loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-37601
**DESCRIPTION:**webpack loader-utils could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parseQuery function in parseQuery.js. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238763 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-37603
**DESCRIPTION:**webpack loader-utils is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the interpolateName function in interpolateName.js. By sending a specially-crafted regex input using the url variable, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238766 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

All platforms of the following IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data refresh levels are affected:

Release	Version
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

v3.5 through refresh 10
v4.0 through refresh 9
v4.5 through refresh 3
v4.6 through refresh 1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. It can be applied to any affected fixpack and refresh level of the appropriate release.

Product	Fixed in Fix Pack	Instructions
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data	v4.6.2	Db2 Warehouse: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=warehouse-upgrading

Db2: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=db2-upgrading

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmibm®_db2®_and_db2_warehouse®_on_cloud_pak_for_data_v3.5_through_refresh_10v4.0_through_refreshMatch1

CPENameOperatorVersion
ibm® db2® on cloud pak for data and db2 warehouse® on cloud pak for data v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresheq1

CPE	Name	Operator	Version
	ibm® db2® on cloud pak for data and db2 warehouse® on cloud pak for data v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh	eq	1