Release Notes
Abstract
IBM Cloud Pak System bundles Db2 V10.5.0.10 and Db2 V11.1.4.4. Vulnerabilities have been reported in these Db2 components.
Content
Vulnerability details
CVE-2019-4322: Multiple buffer overflow vulnerabilities exist in IBM Db2 leading to privilege escalation.
http://www.ibm.com/support/docview.wss?uid=ibm10884444
CVE-2019-4386: Security Bulletin: IBM Db2 is vulnerable to denial of service.
http://www.ibm.com/support/docview.wss?uid=ibm10886809
CVE-2019-4154: Security Bulletin: IBM Db2 is vulnerable to buffer overflow leading to potential arbitrary code execution as root.
http://www.ibm.com/support/docview.wss?uid=ibm10880737
CVE-2019-4102: Security Bulletin: IBM Db2 does not explicitly forbid a weaker than expected 3DES cipher when configured to use SSL.
http://www.ibm.com/support/docview.wss?uid=ibm10880743
Affected Db2 Releases: 9.7, 10.1, 10.5, 11.1
CVE-2019-4101: Security Bulletin: Under specialized conditions, IBM Db2 is vulnerable to denial of service.
http://www.ibm.com/support/docview.wss?uid=ibm10880741
CVE-2019-4057: Security Bulletin: IBM Db2 is vulnerable to privilege escalation to root via malicious use of fenced user.
http://www.ibm.com/support/docview.wss?uid=ibm10880735
Workaround
These vulnerabilities are addressed by Db2 V11.1.4.4 images that are bundled with IBM Cloud Pak System V2.3.0.1.
Db2 V10.5.0.10 that is bundled with IBM Cloud Pak System V2.3.0.1 does not include fixes for these vulnerabilities. You must apply the fixes from the following links.
- For LINUX:
- For AIX:
Original Publication Date
27 September 2019
Document Information
Modified date:
06 May 2020
UID
ibm11072654