History: May 02, 2023 - 2:20 p.m.

Security Bulletin: IBM i is vulnerable to an authenticated administrator gaining elevated privileges due to improper SQL processing. (CVE-2023-23470)

2023-05-02 14:20:25
www.ibm.com
Tags: ibm i, vulnerability, sql processing, elevated privileges, administrator, ptf, fix

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 33.8%

Summary

IBM i is vulnerable to an authenticated administrator gaining elevated privileges due to improper SQL processing as described in the vulnerability details section. IBM i has addressed the vulnerability in the SQL processing as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2023-23470
**DESCRIPTION:** IBM i could allow an authenticated privileged administrator to gain elevated privileges in non-default configurations, as a result of improper SQL processing. By using a specially crafted SQL operation, the administrator could exploit the vulnerability to perform additional administrator operations.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244510 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)| Version(s)
---|---
IBM i| 7.5
IBM i| 7.4
IBM i| 7.3
IBM i| 7.2

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The IBM i PTF numbers for the IBM i base operating system contain the fix for the vulnerability.

IBM i Release| 5770-SS1 PTF Number| PTF Download Link
---|---|---
7.5| SI82753| <https://www.ibm.com/support/pages/ptf/SI82753>
7.4| SI82754| <https://www.ibm.com/support/pages/ptf/SI82754>
7.3| SI82755| <https://www.ibm.com/support/pages/ptf/SI82755>
7.2| SI82756| <https://www.ibm.com/support/pages/ptf/SI82756>


<https://www.ibm.com/support/fixcentral>

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations

None

Affected configurations

Vulners

Vendor| Product| Version| CPE
---|---|---|---
ibm| planning_analytics| 7.2.0| cpe:2.3:a:ibm:planning_analytics:7.2.0:*:*:*:*:*:*:*
ibm| ibm_i_7.5_preventative_service_planning| 7.5.0| cpe:2.3:a:ibm:ibm_i_7.5_preventative_service_planning:7.5.0:*:*:*:*:*:*:*
ibm| planning_analytics| 7.4.0| cpe:2.3:a:ibm:planning_analytics:7.4.0:*:*:*:*:*:*:*
ibm| i| 7.5.0| cpe:2.3:o:ibm:i:7.5.0:*:*:*:*:*:*:*
ibm| i| 7.4.0| cpe:2.3:o:ibm:i:7.4.0:*:*:*:*:*:*:*
ibm| i| 7.3.0| cpe:2.3:o:ibm:i:7.3.0:*:*:*:*:*:*:*
ibm| i| 7.2.0| cpe:2.3:o:ibm:i:7.2.0:*:*:*:*:*:*:*
ibm| planning_analytics| 7.3.0| cpe:2.3:a:ibm:planning_analytics:7.3.0:*:*:*:*:*:*:*
