Security Bulletin
Summary
IBM Db2 is shipped as a component of IBM Cloud Pak System and IBM Cloud Pak System Software Suite. Within Platform System Manager, Db2 is shipped as the DB2 ptype and as PureScale. Vulnerabilities have been identified in IBM Db2, and information about fixes is published in the security bulletins listed below.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Products and Versions
Principal Product and Version(s) | Supporting Product and Version(s) |
IBM Cloud Pak System V2.2.5 - V2.2.6 | DB2 V10.5, V11.1 |
IBM Cloud Pak System V2.3.0.1, V2.3.1.1 | DB2 V10.5, V11.1 |
IBM Cloud Pak System V2.3.2.0 | DB2 V11.5 |
Remediation/Fixes
Consult the following security bulletins for IBM Db2 for vulnerability details and information about fixes.
Security: IBM® Db2® is vulnerable to privilege escalation (CVE-2020-4230)
https://www.ibm.com/support/pages/node/2878809
Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135)
https://www.ibm.com/support/pages/node/2876307
Security: Multiple buffer overflow vulnerabilities exist in IBM® Db2® leading to privilege escalation (CVE-2020-4204)
https://www.ibm.com/support/pages/node/2875875
Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200)
https://www.ibm.com/support/pages/node/2875251
Security: IBM® Db2® is vulnerable to denial of service (CVE-2020-4161)
https://www.ibm.com/support/pages/node/2874621
For IBM Cloud Pak System v2.3.0.1, v2.3.1.1 and v2.3.2.0, upgrade to IBM Cloud Pak System v2.3.3.0; Platform System Manager then provides the update to DB2 v11.5 mod0 fp0.
Information on upgrading can be found here: http://www.ibm.com/support/docview.wss?uid=ibm10887959
Workarounds and Mitigations
Consult the table below for the CVEs. To apply the fix, update the DB2 fix packs in virtual system database patterns; refer to
https://www.ibm.com/support/knowledgecenter/SSZQFR_2.3.2.0/iwd/mpt_vsys_db2_fixpack_top.html
Customers are advised to patch the DB2 instances using the ICPS -> Deployed Instance -> Manage -> Operations -> “Apply Fixpack” functionality. Follow the instructions below:
- Download the fixes as per the DB2 support documentation.
- Rename and upload the special fixes as Fixpacks according to the ICPS DB2 fixpack naming convention: https://www.ibm.com/support/knowledgecenter/SSCR9A_2.3.1.0/doc/iwd/mpt_vsys_db2_fixpack_upload.html
- Apply these fixes from ICPS -> Deployed Instance -> Manage -> Operations -> “Apply Fixpack”: https://www.ibm.com/support/knowledgecenter/SSCR9A_2.3.1.0/doc/iwd/mpt_vsys_db2_fixpack_apply.html
If you are running DB2 PureScale, follow the instructions in the documentation below:
For PureScale 11.1: https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.qb.server.doc/doc/t0061542.html
For PureScale 10.5: https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.l…
CVSS | Platform | DB2 V *10.5 | DB2 V 11.1 | DB2 V 11.5 |
CVE-2020-4230 | AIX | NA | | |
CVE-2020-4230 | Linux | NA | | |
CVE-2020-4135 | AIX | | | |
CVE-2020-4135 | Linux | | | |
CVE-2020-4204 | AIX | | | |
CVE-2020-4204 | Linux | | | |
CVE-2020-4200 | AIX | | | |
CVE-2020-4200 | Linux | | | |
CVE-2020-4161 | AIX | NA | NA | |
CVE-2020-4161 | Linux | NA | NA | |
References
Change History
11 Sep 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
11 September 2020
UID
ibm16328277