Jun 28, 2019 - 9:55 p.m.

Security Bulletin: Db2 vulnerability affects the IBM Spectrum Protect Server (CVE-2018-1448)

2019-06-28 21:55:01
www.ibm.com

EPSS: 0
Percentile: 5.1%

Summary

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by an IBM Db2 vulnerability that could allow a local user to overwrite arbitrary files owned by the Db2 instance owner.
UPDATED 1/16/2019: Changed “First Fixing VRM Level” in Remediation/Fixes table for 8.1 from 8.1.6 to 8.1.6.100.
UPDATED 6/28/2019: Added fix for 7.1.

Vulnerability Details

CVEID: CVE-2018-1448
DESCRIPTION: IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes Db2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the Db2 instance owner. IBM X-Force ID: 140043.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140043> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Affected Products and Versions

This vulnerability affects the IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels:

  • 8.1.0.0 through 8.1.5.x
  • 7.1.0.0 through 7.1.9.200

Remediation/Fixes

IBM Spectrum Protect Server Release | First Fixing VRM Level | Platform | Link to Fix
---|---|---|---
8.1 | 8.1.6.100 | AIX, Linux, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/server>
7.1 | 7.1.9.300 | AIX, HP-UX, Linux, Solaris, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/server/>

Workarounds and Mitigations

None
