IBM Cloud Pak System – Db2 Ptype is affected by vulnerabilities in Db2

Release Notes


Abstract

IBM Cloud Pak System bundles Db2 V10.5.0.10 and Db2 V11.1.4.4. Vulnerabilities have been reported in these Db2 components.

Content

Vulnerability details

CVE-2019-4322: Multiple buffer overflow vulnerabilities exist in IBM Db2 leading to privilege escalation.
http://www.ibm.com/support/docview.wss?uid=ibm10884444

CVE-2019-4386: Security Bulletin: IBM Db2 is vulnerable to denial of service.
http://www.ibm.com/support/docview.wss?uid=ibm10886809

CVE-2019-4154: Security Bulletin: IBM Db2 is vulnerable to buffer overflow leading to potential arbitrary code execution as root.
http://www.ibm.com/support/docview.wss?uid=ibm10880737

CVE-2019-4102: Security Bulletin: IBM Db2 does not explicitly forbid a weaker than expected 3DES cipher when configured to use SSL.
http://www.ibm.com/support/docview.wss?uid=ibm10880743
Affected Db2 Releases: 9.7, 10.1, 10.5, 11.1

CVE-2019-4101: Security Bulletin: Under specialized conditions, IBM Db2 is vulnerable to denial of service.
http://www.ibm.com/support/docview.wss?uid=ibm10880741

CVE-2019-4057: Security Bulletin: IBM Db2 is vulnerable to privilege escalation to root via malicious use of fenced user.
http://www.ibm.com/support/docview.wss?uid=ibm10880735

Workaround

These vulnerabilities are addressed by Db2 V11.1.4.4 images that are bundled with IBM Cloud Pak System V2.3.0.1.

The Db2 V10.5.0.10 image that is bundled with IBM Cloud Pak System V2.3.0.1 does not include fixes for these vulnerabilities. You must apply the fixes (special fix pack 10.5.0.10-FP010) from the following links.

  • For Linux:
    https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_38746_DB2-linuxx64-universal_fixpack-10.5.0.10-FP010%3A979764964452684288&includeSupersedes=0

  • For AIX:
    https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_38746_DB2-aix64-universal_fixpack-10.5.0.10-FP010%3A195878873160068800&includeSupersedes=0

Original Publication Date

27 September 2019

Document Information

Modified date:
06 May 2020

UID

ibm11072654