-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2632
   Security Bulletin: BigInsights is affected by multiple vulnerabilities
                                    in Db2
                              19 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM BigInsights
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Overwrite Arbitrary Files       -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1520 CVE-2017-1519 CVE-2017-1452 CVE-2017-1451
                   CVE-2017-1439 CVE-2017-1438 CVE-2017-1434 CVE-2017-1297
                   CVE-2017-1134 CVE-2017-1105
Reference:         ASB-2017.0156
                   ESB-2017.2552
                   ESB-2017.2078
                   ESB-2017.1586
                   ESB-2017.1090

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg22008363

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: BigInsights is affected by multiple vulnerabilities in Db2

Document information

More support for: IBM BigInsights
Big SQL

Software version: 4.2.0, 4.2.5

Operating system(s): Linux

Reference #: 2008363

Modified date: 18 October 2017

Security Bulletin

Summary

BigInsights is affected by multiple vulnerabilities in Db2

Vulnerability Details

CVEID: CVE-2017-1105
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
is vulnerable to a buffer overflow that could allow a local user to overwrite
DB2 files or cause a denial of service.
CVSS Base Score: 5.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120668 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2017-1134
DESCRIPTION: IBM Reliable Scalable Cluster Technology could allow a local user
to escalate their privileges to gain root access.
CVSS Base Score: 8.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/121453 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1297
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
is vulnerable to a stack based buffer overflow, caused by improper bounds
checking which could allow a local attacker to execute arbitrary code.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/125159 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-1434
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect
Server) under unusual circumstances, could expose highly sensitive information
in the error log to a local user.
CVSS Base Score: 5.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127806 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-1438
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1
(includes DB2 Connect Server) could allow a local user with DB2 instance owner
privileges to obtain root access. IBM X-Force ID: 128057.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128057 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1439
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1
(includes DB2 Connect Server) could allow a local user with DB2 instance owner
privileges to obtain root access. IBM X-Force ID: 128058.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128058 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1451
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1
(includes DB2 Connect Server) could allow a local user with DB2 instance owner
privileges to obtain root access. IBM X-Force ID: 128178.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128178 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1452
DESCRIPTION: IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1
(includes DB2 Connect Server) could allow a local user to obtain elevated
privilege and overwrite DB2 files. IBM X-Force ID: 128180.
CVSS Base Score: 6.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/128180 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-1519
DESCRIPTION: IBM Db2 contains a denial of service vulnerability. A remote user
can cause disruption of service for DB2 Connect Server setup with a particular
configuration.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/129829 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-1520
DESCRIPTION: IBM Db2 is vulnerable to an unauthorized command that allows the
database to be activated when authentication type is CLIENT.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/129830 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM BigInsights: 4.2, 4.2.5

Remediation/Fixes

Please contact technical support to obtain fix and install instructions.

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

18 October 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWegGsYx+lLeg9Ub1AQg1RA/+Lqd4M5txtBfnscmvKo/mgkLmsnpN30oP
Vtg/GCVZXgDclTwxQ2rgVlheAvAgh8uEYMe35ECUqwV6xl3NDB7GsP4KS6b816EZ
5y5zLlazE1E1K8aniB31U86PQEjPvpW6XABUlHJCXbh7XXMOPDC7WYeleUBUqRYA
DCT6hhZTLBO7/q6MYwGvi8F1Xh6RIp5dTM+6Mg6LTRk4VTmO0v9OeZ/xsykSGOv0
siLNW3NYCshLdpAz/VLkzzrVskvzT4kbaC8JS0j6kmcJ0Ew8vgnOklaeuvK3j4Hq
kpHC5Iig7u5aUvgw429PBpRiWGzC/A8zy95P2OMtWyXZPwIldlJHeTYYAw1xgeSQ
HRdoMhBdgZlvC9+Ii/MERPj2F2Ig6LljR3kVKTKl8KCQJzRww6Mblzlpx4xey74f
A7MOuDIfPCVHKWbJdjwqXaUDkjdaK2DqFSeS8C3UnpnEyGJfu1pIRWhUUklgwTgp
/sKS67qFV+Py/O0WkbT/vAS6u4bW2RxO6+PThixa99ZcnnFHZnO/s0K++TV0MUPl
j7vJ4QCFgtFFdMm8dNGh6RQUZXFnKTxApnvopS11logDNGJ+LiBuLqu/7Y1XPe2r
Yn3v9rMCOCdUH6EmcLKX9GChObQwNuNIgqXQKMJ4Uks8pD85Q1XfQqDcmjsvInVM
RyWAEz/vKWg=
=Hm3G
-----END PGP SIGNATURE-----