-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1427
      Multiple vulnerabilities in dependent libraries affect IBM Db2
                               24 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Db2
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Increased Privileges            -- Remote/Unauthenticated      
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17571 CVE-2019-17195 CVE-2019-16869
                   CVE-2019-12402 CVE-2019-10202 CVE-2019-10172
                   CVE-2019-10086 CVE-2019-9518 CVE-2019-9515
                   CVE-2019-9514 CVE-2019-9512 CVE-2019-0201
                   CVE-2018-11771 CVE-2018-10237 CVE-2018-8012
                   CVE-2018-8009 CVE-2017-18640 CVE-2017-12974
                   CVE-2017-12973 CVE-2017-12972 CVE-2017-5637
                   CVE-2017-3734 CVE-2016-2402 CVE-2015-2156
                   CVE-2014-3488 CVE-2014-0193 CVE-2014-0114
                   CVE-2009-0001  

Reference:         ESB-2020.1193
                   ESB-2020.0480
                   ESB-2020.0450
                   ESB-2020.0303
                   ESB-2020.0120
                   ESB-2017.0814
                   ESB-2014.0761
                   AL-2009.0006

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6198380

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in dependent libraries affect IBM(R)
Db2(R) leading to denial of service or privilege escalation.

Security Bulletin

Summary

Multiple vulnerabilities in dependent libraries affect IBM(R) Db2(R) leading to
denial of service or privilege escalation.

Vulnerability Details

CVEID:   CVE-2019-9512
DESCRIPTION:   Multiple vendors are vulnerable to a denial of service, caused
by a Ping Flood attack. By sending continual pings to an HTTP/2 peer, a remote
attacker could consume excessive CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164903 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-9514
DESCRIPTION:   Multiple vendors are vulnerable to a denial of service, caused
by a Reset Flood attack. By opening a number of streams and sending an invalid
request over each stream, a remote attacker could consume excessive CPU
resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164640 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-9515
DESCRIPTION:   Multiple vendors are vulnerable to a denial of service, caused
by a Settings Flood attack. By sending a stream of SETTINGS frames to the peer,
a remote attacker could consume excessive CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
165181 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-9518
DESCRIPTION:   Multiple vendors are vulnerable to a denial of service, caused
by an Empty Frame Flooding attack. By sending a stream of frames with an empty
payload and without the end-of-stream flag, a remote attacker could consume
excessive CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2014-0114
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary
code on the system, caused by the failure to restrict the setting of Class
Loader attributes. An attacker could exploit this vulnerability using the class
parameter of an ActionForm object to manipulate the ClassLoader and execute
arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
92889 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2019-10086
DESCRIPTION:   Apache Commons Beanutils could allow a remote attacker to gain
unauthorized access to the system, caused by the failure to suppress the
class property in bean introspection by default. An attacker could exploit this
vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
166353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2019-10202
DESCRIPTION:   Red Hat JBoss Enterprise Application Platform (EAP) could allow
a remote attacker to execute arbitrary code on the system, caused by improper
deserialization in Codehaus. By sending a specially-crafted request, an
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168251 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-10172
DESCRIPTION:   Jackson-mapper-asl could allow a remote attacker to obtain
sensitive information, caused by an XML external entity (XXE) error when
processing XML data. By sending specially-crafted XML data, a remote attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
172436 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-17571
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary
code on the system, caused by improper deserialization of untrusted data in
SocketServer. By sending a specially-crafted request, an attacker could exploit
this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
173314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-12402
DESCRIPTION:   Apache Commons Compress is vulnerable to a denial of service,
caused by an error in the internal file name encoding algorithm. By choosing
the file names inside of a specially crafted archive, a remote attacker could
exploit this vulnerability to cause the application to enter into an infinite
loop.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
165956 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2017-3734
DESCRIPTION:   Apache Commons Compress is vulnerable to a denial of service,
caused by an error in the internal file name encoding algorithm. By choosing
the file names inside of a specially crafted archive, a remote attacker could
exploit this vulnerability to cause the application to enter into an infinite
loop.
CVSS Base score: 0
CVSS Vector:

CVEID:   CVE-2019-16869
DESCRIPTION:   Netty is vulnerable to HTTP request smuggling, caused by a flaw
when handling unusual whitespaces before the colon in HTTP headers. By sending
a specially-crafted request, an attacker could exploit this vulnerability to
poison the web cache, bypass web application firewall protection, and conduct
XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167672 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
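
A strict header-line check of the kind that removes this parsing ambiguity, as an added Python example (not Netty's code or IBM's): field names must be RFC 7230 tokens followed immediately by the colon, so whitespace before the colon is refused instead of guessed at. The block also rejects conflicting framing headers, which goes slightly beyond the specific Netty flaw; the header blocks are constructed samples.

```python
import re

# RFC 7230 field-name: one or more tchar, immediately followed by ':'.
# No whitespace is permitted between the name and the colon; a parser that
# tolerates it can disagree with the next hop about which header it saw.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_HEADER_LINE = re.compile(r"^(" + _TCHAR + r"):[ \t]*(.*?)[ \t]*$")
_FRAMING = ("content-length", "transfer-encoding")


class BadHeader(ValueError):
    """Raised for any header line a strict parser should refuse rather than guess at."""


def parse_header_block(raw: bytes) -> dict:
    """Parse CRLF-separated header lines strictly, returning {lowercased-name: value}."""
    headers = {}
    for line in raw.decode("iso-8859-1").split("\r\n"):
        if line == "":
            continue
        if line[0] in " \t":
            raise BadHeader("obsolete line folding not accepted")
        m = _HEADER_LINE.match(line)
        if m is None:
            raise BadHeader("malformed header line: %r" % line)
        name, value = m.group(1).lower(), m.group(2)
        if name in _FRAMING and name in headers:
            raise BadHeader("duplicate framing header %r" % name)
        headers[name] = value
    if all(h in headers for h in _FRAMING):
        raise BadHeader("Content-Length and Transfer-Encoding must not both be present")
    return headers


def classify(raw: bytes) -> str:
    """'ok' for a clean block, otherwise 'reject: <reason>'."""
    try:
        parse_header_block(raw)
        return "ok"
    except BadHeader as e:
        return "reject: " + str(e)


# Constructed samples: a clean block and one with whitespace before the colon.
GOOD = b"Host: example.test\r\nContent-Length: 5\r\n"
SPACE_BEFORE_COLON = b"Host: example.test\r\nContent-Length : 5\r\n"

if __name__ == "__main__":
    print(classify(GOOD))                # ok
    print(classify(SPACE_BEFORE_COLON))  # reject: malformed header line: ...
```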

CVEID:   CVE-2019-17195
DESCRIPTION:   Connect2id Nimbus JOSE+JWT is vulnerable to a denial of service,
caused by the throwing of various uncaught exceptions while parsing a JWT. An
attacker could exploit this vulnerability to crash the application or obtain
sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID:   CVE-2017-18640
DESCRIPTION:   SnakeYAML is vulnerable to a denial of service, caused by an
entity expansion in Alias feature during a load operation. By sending a
specially crafted request, a remote attacker could exploit this vulnerability
to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174331 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2019-0201
DESCRIPTION:   Apache ZooKeeper could allow a remote attacker to obtain
sensitive information, caused by the failure to check permissions by the
getACL() command. By sending a specially-crafted request, a remote attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
161303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2014-3488
DESCRIPTION:   Netty is vulnerable to a denial of service, caused by an error
in SslHandler. A remote attacker could exploit this vulnerability using a
specially-crafted SSLv2Hello message to exhaust all available CPU resources and
cause the application to enter into an infinite loop.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
95285 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2015-2156
DESCRIPTION:   Netty could allow a remote attacker to bypass restrictions,
caused by the improper validation of characters in a cookie name by the cookie
parsing code. An attacker could exploit this vulnerability to bypass the
HttpOnly flag in all Play applications and gain access to the system.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
103239 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID:   CVE-2014-0193
DESCRIPTION:   Netty is vulnerable to a denial of service, caused by an error
in the WebSocket08FrameDecoder implementation. A remote attacker could exploit
this vulnerability to exhaust all available memory resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
93006 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2017-12974
DESCRIPTION:   Connect2id Nimbus JOSE+JWT could provide weaker than expected
security, caused by proceeding with ECKey construction without ensuring that
the public x and y coordinates are on the specified curve. A remote attacker
could exploit this vulnerability to conduct an Invalid Curve Attack.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
130788 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
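
The missing check described above, as an added Python example (not the Nimbus JOSE+JWT implementation): before an EC public key taken from a JWK is used, confirm that its x and y coordinates satisfy the P-256 curve equation. The curve constants are the published NIST P-256 parameters; the sample keys are constructed, using the base point as the valid one.

```python
import base64

# NIST P-256 domain parameters (the published standard values, copied here).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def _b64url_decode(s: str) -> bytes:
    # JWK coordinates are base64url without padding; restore it for decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(v: int) -> str:
    return base64.urlsafe_b64encode(v.to_bytes(32, "big")).rstrip(b"=").decode()


def is_on_p256(x: int, y: int) -> bool:
    """True iff 0 <= x, y < p and y^2 == x^3 + a*x + b (mod p)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_ec_jwk(jwk: dict) -> tuple:
    """Return (x, y) for a P-256 EC JWK; raise ValueError if the point is off-curve.

    Skipping this membership test is what makes the invalid-curve attack possible.
    """
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("this example only handles EC keys on P-256")
    xb, yb = _b64url_decode(jwk["x"]), _b64url_decode(jwk["y"])
    if len(xb) != 32 or len(yb) != 32:
        raise ValueError("P-256 coordinates must be exactly 32 bytes each")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not is_on_p256(x, y):
        raise ValueError("public point is not on P-256")
    return x, y


# Constructed sample keys: the base point G (valid) and G with y disturbed (invalid).
GOOD_JWK = {"kty": "EC", "crv": "P-256",
            "x": _b64url_encode(P256_GX), "y": _b64url_encode(P256_GY)}
BAD_JWK = {"kty": "EC", "crv": "P-256",
           "x": _b64url_encode(P256_GX), "y": _b64url_encode(P256_GY ^ 1)}

if __name__ == "__main__":
    print("good key accepted:", validate_ec_jwk(GOOD_JWK) == (P256_GX, P256_GY))
    try:
        validate_ec_jwk(BAD_JWK)
    except ValueError as e:
        print("bad key rejected:", e)
```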

CVEID:   CVE-2017-12973
DESCRIPTION:   Connect2id Nimbus JOSE+JWT could provide weaker than expected
security, caused by proceeding improperly after detection of an invalid HMAC in
authenticated AES-CBC decryption. A remote attacker could exploit this
vulnerability to conduct a padding oracle attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
130789 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2017-12972
DESCRIPTION:   Connect2id Nimbus JOSE+JWT could provide weaker than expected
security, caused by the lack of integer-overflow check when converting length
values from bytes to bits. A remote attacker could exploit this vulnerability
to conduct an HMAC bypass attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
130790 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2018-8012
DESCRIPTION:   Apache Zookeeper could allow a remote attacker to bypass
security restrictions, caused by the failure to enforce authentication or
authorization when a server attempts to join a quorum. An attacker could
exploit this vulnerability to join the cluster and begin propagating
counterfeit changes to the leader.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
143565 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2017-5637
DESCRIPTION:   Apache Zookeeper is vulnerable to a denial of service, caused by
the improper handling of the wchp command. By sending a specially-crafted wchp
command, a remote attacker could exploit this vulnerability to cause the
application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
121602 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2018-11771
DESCRIPTION:   Apache Commons Compress is vulnerable to a denial of service,
caused by the failure to return the correct EOF indication after the end of the
stream has been reached by the ZipArchiveInputStream method. By reading a
specially crafted ZIP archive, a remote attacker could exploit this
vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
148429 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:   CVE-2018-10237
DESCRIPTION:   Google Guava is vulnerable to a denial of service, caused by
improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering
class. By sending specially-crafted data, a remote attacker could exploit
this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
142508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2018-8009
DESCRIPTION:   Apache Hadoop could allow a remote attacker to traverse
directories on the system. By persuading a victim to extract a
specially-crafted ZIP archive containing "dot dot slash" sequences (../), an
attacker could exploit this vulnerability to write to arbitrary files on the
system. Note: This vulnerability is known as "Zip-Slip".
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
150617 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
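
The path check that stops Zip-Slip at extraction time, as an added Python example (not Hadoop's code): every entry name is resolved against the destination directory before anything is written, and the whole archive is refused if any entry would land outside it. The archives are built in memory as constructed test data.

```python
import io
import os
import tempfile
import zipfile


def resolves_inside(dest_dir: str, member_name: str) -> bool:
    """True iff dest_dir/member_name, fully normalised, still lies under dest_dir."""
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def safe_extract(zf: zipfile.ZipFile, dest_dir: str) -> list:
    """Extract all members of zf under dest_dir, refusing any that would escape it."""
    # Validate every name before writing anything, so a hostile entry late in the
    # archive cannot leave a half-extracted tree behind.
    for info in zf.infolist():
        name = info.filename
        if name.startswith(("/", "\\")) or not resolves_inside(dest_dir, name):
            raise ValueError("entry would land outside target dir: %r" % name)
    extracted = []
    for info in zf.infolist():
        zf.extract(info, dest_dir)
        extracted.append(info.filename)
    return extracted


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_to_tempdir(archive: bytes) -> tuple:
    """Return (True, names) on success or (False, reason) if the archive is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            try:
                return True, safe_extract(zf, dest)
            except ValueError as e:
                return False, str(e)


if __name__ == "__main__":
    benign = build_archive({"conf/app.properties": b"a=1\n"})
    hostile = build_archive({"ok.txt": b"x", "../../escaped.txt": b"y"})
    print(extract_to_tempdir(benign))   # (True, ['conf/app.properties'])
    print(extract_to_tempdir(hostile))
```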

CVEID:   CVE-2016-2402
DESCRIPTION:   OkHttp is vulnerable to a man-in-the-middle attack. By sending a
certificate chain with a certificate from a non-pinned trusted CA and the
pinned certificate, a remote attacker could exploit this vulnerability to
bypass certificate pinning.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
125848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:   CVE-2009-0001
DESCRIPTION:   Apple QuickTime is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking when processing RTSP URLs. By persuading a
victim to open a specially-crafted RTSP URL, a remote attacker could overflow a
buffer and execute arbitrary code on the system or cause the application to
crash.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
48154 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products and Versions

All fix pack levels of IBM Db2 V11.5 editions on all platforms are affected.
Db2 V11.1.4.4 and V11.1.4.5 are affected. V11.1.3.3 iFix 002 and earlier, Db2
10.5, Db2 10.1, and Db2 9.7 are not affected.  Only instances using Db2
Federation are affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

+-------+----------------+-------+--------------------------------------------+
|Release|Fixed in fix    |APAR   |Download URL                                |
|       |pack            |       |                                            |
+-------+----------------+-------+--------------------------------------------+
|V11.1  |TBD             |IT32122|Special Build for V11.1 FP5:                |
|       |                |       |                                            |
|       |                |       |AIX 64-bit                                  |
|       |                |       |Linux 32-bit, x86-32                        |
|       |                |       |Linux 64-bit, x86-64                        |
|       |                |       |Linux 64-bit, POWER(TM) little endian       |
|       |                |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |                |       |zSeries(R)                                  |
|       |                |       |Solaris 64-bit, SPARC                       |
|       |                |       |Windows 32-bit, x86                         |
|       |                |       |Windows 64-bit, x86                         |
+-------+----------------+-------+--------------------------------------------+
|V11.5  |TBD             |IT32121|Special Build for V11.5 GA:                 |
|       |                |       |                                            |
|       |                |       |AIX 64-bit                                  |
|       |                |       |Linux 32-bit, x86-32                        |
|       |                |       |Linux 64-bit, x86-64                        |
|       |                |       |Linux 64-bit, POWER(TM) little endian       |
|       |                |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |                |       |zSeries(R)                                  |
|       |                |       |Windows 32-bit, x86                         |
|       |                |       |Windows 64-bit, x86                         |
+-------+----------------+-------+--------------------------------------------+

Note: Windows 32-bit and Linux 32-bit links will be published by May 2020.

Workarounds and Mitigations

None


Change History

23 Apr 2020: Initial Publication

Document Information

More support for:
DB2 for Linux, UNIX and Windows

Software version:
11.5, 11.1

Operating system(s):
AIX, Linux, Windows

Software edition:
Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server,
Express, Express-C, Personal, Workgroup Server

Document number:
6198380

Modified date:
23 April 2020

UID

ibm16198380

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----