ZMC-2022.07.13.1500

DB2: CVSS (Max): 6.2

Operating System: [WIN][UNIX/LINUX]

Published: 13th July 2022

=========================================================================== 
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2022.07.13.1500
                             DB2: CVSS (Max): 6.2
                               13th July 2022

===========================================================================

---------------------------BEGIN INCLUDED TEXT--------------------

IBM(R) Db2(R) is vulnerable to an information disclosure caused by improper
privilege management when a table function is used. (CVE-2022-22390)

Document Information

Product            : DB2 for Linux, UNIX and Windows
Software version   : 9.7,10.1,10.5,11.1,11.5
Operating system(s): AIX
                     HP-UX
                     Solaris
                     Linux
                     Windows
Edition            : Advanced Enterprise Server, et al

Summary

IBM(R) Db2(R) is vulnerable to an information disclosure caused by improper
privilege management when a table function is used.

Vulnerability Details

CVEID: CVE-2022-22390
DESCRIPTION: IBM Db2 may be vulnerable to an information disclosure caused by
improper privilege management when a table function is used.
CVSS Base score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/221973
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 server
editions on all platforms are affected.

Remediation/Fixes

Customers running any vulnerable fix pack level of an affected Program (V9.7,
V10.1, V10.5, V11.1 and V11.5) can download the special build containing the
interim fix for this issue from Fix Central. These special builds are
available based on the most recent fix pack level for each impacted release:
V9.7 FP11, V10.1 FP6, V10.5 FP11, V11.1.4 FP7, and V11.5.7. They can be
applied to any affected fix pack level of the appropriate release to remediate
this vulnerability.

+-------+---------------+-------+--------------------------------------------+
|Release|Fixed in fix   |APAR   |Download URL                                |
|       |pack           |       |                                            |
+-------+---------------+-------+--------------------------------------------+
|V9.7   |TBD            |IT40220|Special Build for V9.7 FP11:                |
|       |               |       |                                            |
|       |               |       |AIX 64-bit                                  |
|       |               |       |HP-UX 64-bit                                |
|       |               |       |Linux 32-bit, x86-32                        |
|       |               |       |Linux 64-bit, x86-64                        |
|       |               |       |Linux 64-bit, POWER(TM) big endian          |
|       |               |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |               |       |zSeries(R)                                  |
|       |               |       |Solaris 64-bit, SPARC                       |
|       |               |       |Solaris 64-bit, x86-64                      |
|       |               |       |Windows 32-bit, x86                         |
|       |               |       |Windows 64-bit, x86                         |
+-------+---------------+-------+--------------------------------------------+
|V10.1  |TBD            |IT40219|Special Build for V10.1 FP6:                |
|       |               |       |                                            |
|       |               |       |AIX 64-bit                                  |
|       |               |       |HP-UX 64-bit                                |
|       |               |       |Linux 32-bit, x86-32                        |
|       |               |       |Linux 64-bit, x86-64                        |
|       |               |       |Linux 64-bit, POWER(TM) big endian          |
|       |               |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |               |       |zSeries(R)                                  |
|       |               |       |Solaris 64-bit, SPARC                       |
|       |               |       |Solaris 64-bit, x86-64                      |
|       |               |       |Windows 32-bit, x86                         |
|       |               |       |Windows 64-bit, x86                         |
+-------+---------------+-------+--------------------------------------------+
|V10.5  |TBD            |IT40218|Special Build for V10.5 FP11:               |
|       |               |       |                                            |
|       |               |       |AIX 64-bit                                  |
|       |               |       |HP-UX 64-bit                                |
|       |               |       |Linux 32-bit, x86-32                        |
|       |               |       |Linux 64-bit, x86-64                        |
|       |               |       |Linux 64-bit, POWER(TM) big endian          |
|       |               |       |Linux 64-bit, POWER(TM) little endian       |
|       |               |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |               |       |zSeries(R)                                  |
|       |               |       |Solaris 64-bit, SPARC                       |
|       |               |       |Solaris 64-bit, x86-64                      |
|       |               |       |Windows 32-bit, x86                         |
|       |               |       |Windows 64-bit, x86                         |
|       |               |       |Inspur                                      |
+-------+---------------+-------+--------------------------------------------+
|V11.1  |TBD            |IT40186|Special Build for V11.1.4 FP7:              |
|       |               |       |                                            |
|       |               |       |AIX 64-bit                                  |
|       |               |       |Linux 32-bit, x86-32                        |
|       |               |       |Linux 64-bit, x86-64                        |
|       |               |       |Linux 64-bit, POWER(TM) little endian       |
|       |               |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |               |       |zSeries(R)                                  |
|       |               |       |Solaris 64-bit, SPARC                       |
|       |               |       |Windows 32-bit, x86                         |
|       |               |       |Windows 64-bit, x86                         |
+-------+---------------+-------+--------------------------------------------+
|V11.5  |TBD            |IT40217|Special Build for V11.5.7:                  |
|       |               |       |                                            |
|       |               |       |AIX 64-bit                                  |
|       |               |       |Linux 32-bit, x86-32                        |
|       |               |       |Linux 64-bit, x86-64                        |
|       |               |       |Linux 64-bit, POWER(TM) little endian       |
|       |               |       |Linux 64-bit, System z(R), System z9(R) or  |
|       |               |       |zSeries(R)                                  |
|       |               |       |Windows 32-bit, x86                         |
|       |               |       |Windows 64-bit, x86                         |
+-------+---------------+-------+--------------------------------------------+

Workarounds and Mitigations

None

Change History

13 Jul 2022: Added links for v9.7 Windows 64-bit and Windows 32-bit
23 Jun 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other
efforts to address potential vulnerabilities, IBM periodically updates the
record of components contained in our product offerings. As part of that
effort, if IBM identifies previously unidentified packages in a product/
service inventory, we address relevant vulnerabilities regardless of CVE date.
Inclusion of an older CVEID does not demonstrate that the referenced product
has been used by IBM since that date, nor that IBM was aware of a
vulnerability as of that date. We are making clients aware of relevant
vulnerabilities as we become aware of them. "Affected Products and Versions"
referenced in IBM Security Bulletins are intended to be only products and
versions that are supported by IBM and have not passed their end-of-support or
warranty date. Thus, failure to reference unsupported or extended-support
products and versions in this Security Bulletin does not constitute a
determination by IBM that they are unaffected by the vulnerability. Reference
to one or more unsupported versions in this Security Bulletin shall not create
an obligation for IBM to provide fixes for any unsupported or extended-support
products or versions.

---------------------------END INCLUDED TEXT--------------------

ZMCIRT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCIRT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: report@cirt.zm
Telephone:      7070
                ZMCIRT personnel answer during Zambian business hours
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================

Copyright @2023 ZAMBIA CIRT