Severity rating: High
Software affected
· IBM Db2 version 9.7
· IBM Db2 version 10.1
· IBM Db2 version 10.5
· IBM Db2 version 11.1
· IBM Db2 version 11.5
· IBM i2 Analyze version 4.3.0
· IBM i2 Analyze version 4.3.1
· IBM i2 Analyze version 4.3.2
Overview
Multiple vulnerabilities have been reported in IBM DB2 which could allow an
attacker to gain elevated privileges or cause denial of service conditions
on the targeted system.
Description
1. Buffer Overflow Vulnerability (CVE-2020-4204)
This vulnerability exists in IBM DB2 due to improper bounds checking. A
local attacker could exploit this vulnerability to execute arbitrary code
with root privileges.
2. Denial of Service Vulnerability (CVE-2020-4135)
This vulnerability exists in IBM DB2 due to uncontrolled resource
consumption. An attacker could exploit this vulnerability by sending
specially crafted packets to the DB2 server resulting in high usage of
memory.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions resulting in the DB2 to stop working.
3. Privilege Escalation Vulnerability (CVE-2020-4230)
This vulnerability exists in IBM DB2 due to improper privilege management.
A local attacker could exploit this vulnerability by executing specially
crafted DB2 commands resulting in modification of the owner of stored
procedures to SYSIBM.
Successful exploitation of this vulnerability could allow the attacker to
gain privileges on the target system.
4. Denial of Service Vulnerability (CVE-2020-4200)
This vulnerability exists in IBM DB2 when a local attacker using a JDBC
client sends specially crafted commands to the DB2 server.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions resulting in the DB2 to stop working.
5. Denial of Service Vulnerability (CVE-2020-4161)
This vulnerability exists in IBM DB2 due to improper handling of certain
commands. A local attacker could exploit this vulnerability by sending
specially crafted commands to the DB2 server.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions resulting in the DB2 to stop working.
Solution
Apply appropriate updates mentioned in the IBM Security Bulletin:
Vendor Information
IBM
References
IBM
IBM X-Force Exchange
CVE Name
CVE-2020-4230
CVE-2020-4135
CVE-2020-4204
CVE-2020-4200
CVE-2020-4161
About Cert Advisory
We have created this blog to provide latest security advisory from the india cert for the security vulnerability, threats, attacks and patching required to mitigate any kind of cyber attacks.