Security Bulletin: Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server

Published: 2023-04-25 22:38:42
Source: www.ibm.com

Tags: ibm db2, ibm websphere, remote server, cve-2023-29257, cve-2023-29255, cve-2023-27555, cve-2023-26021, cve-2023-25930, cve-2023-26022, cve-2023-27559

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH

EPSS: 0.003 (Percentile: 71.5%)

Summary

IBM Db2 is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM Db2 has been published in security bulletins for CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022 and CVE-2023-27559.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM WebSphere Remote Server | 8.5, 9.0 |

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes for IBM Db2, which is shipped with IBM WebSphere Remote Server.

| Principal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin |
|---|---|---|
| IBM WebSphere Remote Server 8.5, 9.0 | IBM Db2 10.5, 11.1, 11.5 | IBM Db2 is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559) |
| IBM WebSphere Remote Server 8.5, 9.0 | IBM Db2 10.5, 11.1, 11.5 | IBM Db2 is vulnerable to a denial of service as the server may crash when an Out of Memory condition occurs. (CVE-2023-26022) |
| IBM WebSphere Remote Server 8.5, 9.0 | IBM Db2 10.5, 11.1, 11.5 | IBM Db2 is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) |
| IBM WebSphere Remote Server 9.0 | IBM Db2 11.1, 11.5 | IBM Db2 is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) |
| IBM WebSphere Remote Server 9.0 | IBM Db2 11.5 | IBM Db2 is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) |
| IBM WebSphere Remote Server 8.5, 9.0 | IBM Db2 10.5, 11.1, 11.5 | IBM Db2 is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) |
| IBM WebSphere Remote Server 8.5, 9.0 | IBM Db2 10.5, 11.1, 11.5 | IBM Db2 is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257) |

Workarounds and Mitigations

None

Affected configurations (CPE)

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | websphere_remote_server | 8.5 | cpe:2.3:a:ibm:websphere_remote_server:8.5:*:*:*:*:*:*:* |
| ibm | websphere_remote_server | 9.0 | cpe:2.3:a:ibm:websphere_remote_server:9.0:*:*:*:*:*:*:* |
