Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.2713
Security Bulletin: Multiple vulnerabilities in Java SE that could allow an
unauthenticated attacker to obtain sensitive information affect IBM®
Db2®. (CVE-2021-35603, CVE-2021-35550, CVE-2021-2341)
2 June 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Db2
Publisher: IBM
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2021-35603 CVE-2021-35550 CVE-2021-2341
CVE-2021-2021
Original Bulletin:
https://www.ibm.com/support/pages/node/6591297
Comment: CVSS (Max): 5.9 CVE-2021-35550 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS Source: IBM
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple vulnerabilities in Java SE that could allow an unauthenticated
attacker to obtain sensitive information affect IBM® Db2®. (CVE-2021-35603,
CVE-2021-35550, CVE-2021-2341)
Document Information
Document number : 6591297
Modified date : 01 June 2022
Product : DB2 for Linux- UNIX and Windows
Software version : 9.7, 10.1, 10.5, 11.1, 11.5
Operating system(s): Linux
AIX
Windows
Summary
Multiple vulnerabilites in Java SE that could allow an unauthenticated attacker
to obtain sensitive information.
Vulnerability Details
CVEID: CVE-2021-35550
DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a high confidentiality impact using unknown attack
vectors.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
211627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2021-2341
DESCRIPTION: An unspecified vulnerability in Java SE related to the Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
205768 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2021-35603
DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
211676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1 and V11.5 editions on
all platforms are affected.
Remediation/Fixes
The recommended solution is to apply the appropriate fix for this
vulnerability.
The fix for this vulnerability is in a later version of IBM JDK. Customers
running any vulnerable fixpack level of an affected Program can download the
latest version of IBM JDK from Fix Central .
Affected IBM SDK, Java Technology Edition, Version:
o 8.0.7.0 and earlier
o 7.0.11.0 and earlier
Fixes for applicable vulnerabilities are included in IBM SDK, Java Technology
Edition:
o 8.0.7.5 and later
o 11.0.11.5 and later
Refer to the table below to determine the IBM JDK level that contains the fix.
Then follow the instructions below to perform the JDK installation.
+----------------------+------------------------------------------+
|Db2 Release |Fixed IBM Release |
+----------------------+------------------------------------------+
|V9.7.x |7.0.11.0 or later |
+----------------------+------------------------------------------+
|V10.1.x |7.0.11.0 or later |
+----------------------+------------------------------------------+
|V10.5.x |7.0.11.0 or later |
+----------------------+------------------------------------------+
|V11.1.x |8.0.7.5 or later |
+----------------------+------------------------------------------+
|V11.5.x |8.0.7.5 or later |
+----------------------+------------------------------------------+
Instructions for IBM JDK Installation can be found here:
http://www.ibm.com/support/docview.wssuid=swg27050993
Workarounds and Mitigations
None
CVE-2021-35550 may affect IBM SDK, Java Technology Edition
CVE-2021-2021-35603 may affect IBM SDK, Java Technology Edition
CVE-2021-2341 may affect IBM SDK, Java Technology Edition
Change History
1 June 2022: Initial Publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYpgenMkNZI30y1K9AQhSIQ/+JMYfnjOo6wjZW1LQfgYXW2zRvjZxcLap
Nyz0b3kLDhXa+tlVz/I2mVsJYxA8pDFp5uNwQXL/9t0ZLb5rTa3qgcrWVsqQPA/p
T/nInZI3+EGubUfupQ/0z5Kx5NE+Klki+iEfaDuzAC92TBW1G1TQ579EFvxFiuCD
L+n1Tdj25pDhUhsPpZ/4diiAi3x9p6nKpGd9aWVwRCj+nJyz20pwSWi88rkDl22O
I0laqFJkXx9e/7pJEKY1O05AncRDm8h5Zo8oZkk8N11N4BlRXwz2Tco6UVTSI/+0
XHb/nobzcGkHL7C/ebGfkcmSO8ooXd1SK4xEkiIemnTzRRcEimC8d1G0s8F3ns+F
9EQ9l27Bw0l8VbSiv4joPMZFsWDjCIkeMuOzfWc2ayRz1hk3lk7k4sSdQVsngP8w
6RyfTY9HZ9sxyfxO6YH4E8YOEbvtbOWcw/zJpwwEckAnEl8lgzEn8a+NkDf5xQ0j
eczN0gL9TcCn3iy1JE3loAjUc3ouo/C3MakH9YuPQDwb52AzzvNBHoKbFk2J18vh
GFKub+LGEMKXoXdPVCAob6sXAan1GX9Oadf9CdiiMRnBbi6JLogjOnOa24LmYbUE
+WpGK/r2zu6VPySRvrQwLbcdEYRKQR50GFq9By/KPfg32f/Y8QJ4YKI5qON4Zi2Z
J+uDpUg9Zos=
=/3Mo
-----END PGP SIGNATURE-----