ESB-2018.1274 - [Win][UNIX/Linux] IBM DB2: Access confidential data - Existing account 2018-04-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1274
             Security Bulletin: IBM(R) Db2(R) is affected by a
            vulnerability in IBM Spectrum Scale (CVE-2017-1654)
                               26 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1654  

Reference:         ESB-2018.1054
                   ESB-2018.1020
                   ESB-2018.0848

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22015462

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM(R) Db2(R) is affected by a vulnerability in IBM
Spectrum Scale (CVE-2017-1654)

Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 10.5, 11.1

Operating system(s): AIX, Linux

Software edition: Advanced Enterprise Server, Advanced Workgroup Server,
Enterprise Server, Workgroup Server

Reference #: 2015462

Modified date: 23 April 2018

Security Bulletin

Summary

Db2 is affected by a vulnerability in IBM(R) Spectrum Scale Version 4.1.1,
which is used by the DB2(R) pureScale(TM) Feature on AIX and Linux. The
vulnerability could allow a local unprivileged user to read information
held in dump files, and such data could then be transferred to IBM during
service engagements.

IBM Spectrum Scale is previously known as General Parallel File System
(GPFS).
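The exposure described above is a local one: dump files that any user on the host can read. As an added example that is not part of the IBM bulletin, the following Python audits a diagnostic directory for regular files whose mode grants read access to "other" and strips group/other bits as an interim hardening step. The directory layout and file names are constructed for the demonstration; the check audits permissions only and neither detects CVE-2017-1654 nor replaces the efix.

```python
"""Audit a dump/diagnostic directory for files any local user can read.

Added example, not IBM's fix: it reports regular files with the other-read
bit set and can strip group/other access as an interim hardening step. The
directory contents built by build_demo_tree() are constructed samples."""
import os
import stat
import tempfile
from typing import Iterable, List, Tuple


def world_readable_files(root: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for every regular file under `root` whose
    other-read bit is set. Symlinks are not followed (lstat), and entries
    that vanish mid-walk are skipped rather than aborting the audit."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISREG(st.st_mode) and mode & stat.S_IROTH:
                findings.append((path, oct(mode)))
    return sorted(findings)


def restrict_to_owner(paths: Iterable[str]) -> int:
    """Remove all group and other permission bits from each path and return
    how many files were changed. Generic hardening for files that only the
    owning service account should read; not the vendor remediation."""
    changed = 0
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        new_mode = mode & ~(stat.S_IRWXG | stat.S_IRWXO)
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed += 1
    return changed


def build_demo_tree() -> str:
    """Create a constructed diagnostic directory with a mix of modes and
    return its path. File and directory names are illustrative only."""
    root = tempfile.mkdtemp(prefix="dumpaudit-")
    sub = os.path.join(root, "FODC_Trap_0001")
    os.mkdir(sub)
    demo = {
        os.path.join(root, "db2diag.0.log"): 0o644,  # readable by anyone
        os.path.join(root, "core.dump"): 0o600,      # owner only
        os.path.join(sub, "gpfs.dump"): 0o644,       # readable by anyone
    }
    for path, mode in demo.items():
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    exposed = world_readable_files(demo_root)
    for p, m in exposed:
        print(f"{m} {p}")
    print(f"tightened {restrict_to_owner(p for p, _ in exposed)} file(s)")
```

Run it against the real diagnostic path of the instance rather than the demo tree; a second pass of `world_readable_files` after `restrict_to_owner` should come back empty, which is the property the test below checks.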

Vulnerability Details

CVEID: CVE-2017-1654
DESCRIPTION: IBM Spectrum Scale 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and
5.0.0 could allow a local unprivileged user access to information located in
dump files. User data could be sent to IBM during service engagements. IBM
X-Force ID: 133378.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/133378 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

All fix pack levels of IBM DB2 V10.5 and V11.1 editions running on AIX and
Linux are affected, but only where the DB2(R) pureScale(TM) Feature is
installed, since that is the component that uses Spectrum Scale.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.

FIX:

Customers running any vulnerable fix pack level of an affected Program,
V10.5 or V11.1, can contact IBM technical support to obtain the GPFS efix.
Before installing the GPFS efix, the DB2 level might first need to be
upgraded to the level that includes support for the GPFS level containing
the efix. Do not attempt to upgrade GPFS by any other means. The table
below lists, for each DB2 release, the prerequisite that needs to be
installed first and the GPFS efix to request from IBM technical support.

DB2 Release   Install this prerequisite first   GPFS efix to request from IBM technical support
10.5          10.5 FP9                          Spectrum Scale V4.1.1.11 efix9
11.1          11.1 FP3                          Spectrum Scale V4.1.1.17 efix3

The GPFS efix install instructions are available here:
http://www-01.ibm.com/support/docview.wss?uid=swg27048484
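Before requesting the efix, the first step of the procedure above is to confirm the instance is already at the prerequisite fix pack. As an added example (not IBM tooling), the following Python reads `db2level` output and compares the reported release and fix pack against the bulletin's table. The token format it matches (`"DB2 vX.Y.Z.W"` and `Fix Pack "N"`) is assumed from the usual shape of `db2level` output, and the sample outputs are constructed with placeholder build identifiers.

```python
"""Compare a DB2 instance's fix pack with the bulletin's prerequisite table.

Added example, not IBM tooling. The db2level token format is assumed; the
samples below are constructed and use placeholder build identifiers."""
import re
import subprocess
from typing import Optional, Tuple

# Prerequisite fix pack per DB2 release, from the bulletin's table.
PREREQ_FIXPACK = {"10.5": 9, "11.1": 3}

SAMPLE_DB2LEVEL = {
    "10.5 FP7": (
        'DB21085I  This instance or install (instance name, where applicable: '
        '"db2inst1") uses "64" bits and DB2 code release "SQL10057" with level '
        'identifier "00000000".\n'
        'Informational tokens are "DB2 v10.5.0.7", "s000000", "IP00000", and '
        'Fix Pack "7".\n'
        'Product is installed at "/opt/IBM/db2/V10.5".\n'
    ),
    "11.1 FP3": (
        'DB21085I  This instance or install (instance name, where applicable: '
        '"db2inst1") uses "64" bits and DB2 code release "SQL11013" with level '
        'identifier "00000000".\n'
        'Informational tokens are "DB2 v11.1.3.3", "s000000", "DYN0000000000", '
        'and Fix Pack "3".\n'
        'Product is installed at "/opt/IBM/db2/V11.1".\n'
    ),
}


def parse_db2level(output: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (release, fix pack) from db2level output, None where absent.
    The fix pack is taken only from the explicit Fix Pack token: the fourth
    component of the version string does not track fix packs consistently
    across releases (compare v10.5.0.7 with v11.1.3.3 above)."""
    rel = re.search(r'"DB2 v(\d+)\.(\d+)\.\d+\.\d+"', output)
    fp = re.search(r'Fix Pack "(\d+)"', output)
    release = f"{rel.group(1)}.{rel.group(2)}" if rel else None
    fixpack = int(fp.group(1)) if fp else None
    return release, fixpack


def prerequisite_status(output: str) -> str:
    """Classify the instance against PREREQ_FIXPACK. 'ok' means the DB2
    prerequisite is met and the GPFS efix can be requested; it does not mean
    the efix itself is installed."""
    release, fixpack = parse_db2level(output)
    if release is None or fixpack is None:
        return "unknown: could not read release and fix pack from db2level output"
    if release not in PREREQ_FIXPACK:
        return f"not-covered: DB2 {release} is not in the bulletin's table"
    need = PREREQ_FIXPACK[release]
    if fixpack >= need:
        return f"ok: DB2 {release} FP{fixpack} meets prerequisite FP{need}"
    return f"upgrade-first: DB2 {release} FP{fixpack} is below prerequisite FP{need}"


def status_of_local_instance() -> str:
    """Run db2level on this host (must be on PATH, e.g. via the instance
    profile) and classify the result."""
    out = subprocess.run(["db2level"], capture_output=True, text=True, check=False)
    return prerequisite_status(out.stdout)


if __name__ == "__main__":
    for label, text in SAMPLE_DB2LEVEL.items():
        print(f"{label}: {prerequisite_status(text)}")
```

An "ok" result only clears the DB2 prerequisite; the Spectrum Scale efix still has to be obtained from IBM technical support and installed per the instructions linked above.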

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV.
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

April 20, 2018: Original version published.

*The CVSS Environmental Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
