Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST

2024-01-02 18:04:04
www.ibm.com

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.9
Confidence: Low
EPSS: 0.002
Percentile: 57.2%

Summary

IBM has released the below fix for IBM Db2® REST in response to multiple vulnerabilities found in multiple components. The vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2023-39323
DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by improper enforcement of line directive restrictions in the “//go:cgo_” directives. By providing specially crafted input in the linker and compiler flags, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268524 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
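Because the flaw is triggered at build time by directives inside Go source, the defensive question for anyone building Go code (or auditing a dependency tree) is whether hand-written source contains `//go:cgo_` or `//line` directives at all; neither is needed outside files that cgo itself generates. The following is an added example, not code from the IBM bulletin or from the Go project: a small scanner that reports both directive kinds per file and line so a reviewer can inspect them before building. The function and type names (`ScanSource`, `Finding`) and the sample sources are constructed for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding records one directive that deserves a reviewer's attention.
type Finding struct {
	File string
	Line int
	Kind string // "cgo-directive" or "line-directive"
	Text string
}

// ScanSource inspects one Go source file (name plus contents) and reports
// //go:cgo_* directives, which hand-written code never needs, and //line or
// /*line directives, which CVE-2023-39323 abused to evade the toolchain's
// restriction on where cgo directives may appear. Findings are not
// automatically malicious (cgo-generated files such as _cgo_gotypes.go
// legitimately carry them); the point is to surface them for review.
func ScanSource(name, src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	n := 0
	for sc.Scan() {
		n++
		t := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(t, "//go:cgo_"):
			out = append(out, Finding{name, n, "cgo-directive", t})
		// A line directive must begin with "//line " or "/*line " (note the space).
		case strings.HasPrefix(t, "//line ") || strings.HasPrefix(t, "/*line "):
			out = append(out, Finding{name, n, "line-directive", t})
		}
	}
	return out
}

// HasDirectives is a convenience for CI gates: true if any finding exists.
func HasDirectives(findings []Finding) bool {
	return len(findings) > 0
}

func main() {
	// Constructed samples: one clean file and one carrying both directive kinds.
	samples := map[string]string{
		"clean.go": "package x\n\n// ordinary comment\nfunc G() {}\n",
		"suspicious.go": "package x\n\n//line /tmp/foo.go:1\n" +
			"//go:cgo_ldflag \"-lfoo\"\nfunc F() {}\n",
	}
	for name, src := range samples {
		for _, f := range ScanSource(name, src) {
			fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Kind, f.Text)
		}
	}
}
```

Run it over a module cache or vendor directory by feeding each `.go` file's contents to `ScanSource`; a non-empty result from `HasDirectives` is a reasonable reason to block a build until the file has been looked at.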

Affected Products and Versions

Affected Product(s)    Version(s)
Db2 REST               1.0.0.121-amd64 to 1.0.0.291-amd64

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM® Db2® REST release containing the fix for these issues.

Product(s)    Fixed in Version(s)
Db2 REST      1.0.0.1158-amd64, latest-amd64

Follow the instructions below to download IBM Db2 REST from the IBM Cloud Container Registry.

https://www.ibm.com/docs/en/db2/11.5?topic=endpoints-downloading-rest-service

Workarounds and Mitigations

None

Affected configurations

Vendor: ibm
Product: db2_for_linux,_unix_and_windows
Version: 11.5.8.0
CPE: cpe:2.3:a:ibm:db2_for_linux\,_unix_and_windows:11.5.8.0:*:*:*:*:*:*:*
