-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.3129.2
IBM(R) Db2(R) could allow a local user to read and write specific files due
                 to weak file permissions (CVE-2020-4976)
                             17 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
                   Access Confidential Data  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4976  

Reference:         ESB-2021.0889

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6489495

Revision History:  September 17 2021: Vendor added link for v10.5 Windows 32-bit x86
                   September 16 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM(R) Db2(R) could allow a local user to read and write
specific files due to weak file permissions (CVE-2020-4976)

Summary

IBM(R) Db2(R) could allow a local user to read and write specific files due to weak
file permissions

Vulnerability Details

CVEID:   CVE-2020-4976
DESCRIPTION:   IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect
Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and
write specific files due to weak file permissions. IBM X-Force ID: 192469.
CVSS Base score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/192469
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on
all platforms are affected.

Remediation/Fixes

Customers running any vulnerable fix pack level of an affected program (V9.7,
V10.1, V10.5, V11.1 or V11.5) can download the special build containing the
interim fix for this issue from Fix Central. These special builds are based on
the most recent fix pack level of each affected release: V9.7 FP11, V10.1 FP6,
V10.5 FP11, V11.1.4 FP6, and V11.5.6. Each can be applied to any affected fix
pack level of the corresponding release to remediate this vulnerability.


+-------+--------------+-------+----------------------------------------------+
|Release|Fixed in fix  |APAR   |Download URL                                  |
|       |pack          |       |                                              |
+-------+--------------+-------+----------------------------------------------+
|V9.7   |TBD           |IT36910|Special Build for V9.7 FP11:                  |
|       |              |       |                                              |
|       |              |       |AIX 64-bit                                    |
|       |              |       |HP-UX 64-bit                                  |
|       |              |       |Linux 32-bit, x86-32                          |
|       |              |       |Linux 64-bit, x86-64                          |
|       |              |       |Linux 64-bit, POWER(TM) big endian            |
|       |              |       |Linux 64-bit, System z(R), System z9(R) or    |
|       |              |       |zSeries(R)                                    |
|       |              |       |Solaris 64-bit, SPARC                         |
|       |              |       |Solaris 64-bit, x86-64                        |
|       |              |       |Windows 32-bit, x86   (link will be updated   |
|       |              |       |when available)                               |
|       |              |       |Windows 64-bit, x86   (link will be updated   |
|       |              |       |when available)                               |
+-------+--------------+-------+----------------------------------------------+
|V10.1  |TBD           |IT36909|Special Build for V10.1 FP6:                  |
|       |              |       |                                              |
|       |              |       |AIX 64-bit                                    |
|       |              |       |HP-UX 64-bit                                  |
|       |              |       |Linux 32-bit, x86-32                          |
|       |              |       |Linux 64-bit, x86-64                          |
|       |              |       |Linux 64-bit, POWER(TM) big endian            |
|       |              |       |Linux 64-bit, System z(R), System z9(R) or    |
|       |              |       |zSeries(R)                                    |
|       |              |       |Solaris 64-bit, SPARC                         |
|       |              |       |Solaris 64-bit, x86-64                        |
|       |              |       |Windows 32-bit, x86   (link will be updated   |
|       |              |       |when available)                               |
|       |              |       |Windows 64-bit, x86   (link will be updated   |
|       |              |       |when available)                               |
+-------+--------------+-------+----------------------------------------------+
|V10.5  |TBD           |IT36908|Special Build for V10.5 FP11:                 |
|       |              |       |                                              |
|       |              |       |AIX 64-bit                                    |
|       |              |       |HP-UX 64-bit                                  |
|       |              |       |Linux 32-bit, x86-32                          |
|       |              |       |Linux 64-bit, x86-64                          |
|       |              |       |Linux 64-bit, POWER(TM) big endian            |
|       |              |       |Linux 64-bit, POWER(TM) little endian         |
|       |              |       |Linux 64-bit, System z(R), System z9(R) or    |
|       |              |       |zSeries(R)                                    |
|       |              |       |Solaris 64-bit, SPARC                         |
|       |              |       |Solaris 64-bit, x86-64                        |
|       |              |       |Windows 32-bit, x86                           |
|       |              |       |Windows 64-bit, x86                           |
|       |              |       |Inspur                                        |
+-------+--------------+-------+----------------------------------------------+
|V11.1  |TBD           |IT36869|Special Build for V11.1.4 FP6:                |
|       |              |       |                                              |
|       |              |       |AIX 64-bit                                    |
|       |              |       |Linux 32-bit, x86-32                          |
|       |              |       |Linux 64-bit, x86-64                          |
|       |              |       |Linux 64-bit, POWER(TM) little endian         |
|       |              |       |Linux 64-bit, System z(R), System z9(R) or    |
|       |              |       |zSeries(R)                                    |
|       |              |       |Solaris 64-bit, SPARC                         |
|       |              |       |Windows 32-bit, x86                           |
|       |              |       |Windows 64-bit, x86                           |
+-------+--------------+-------+----------------------------------------------+
|V11.5  |TBD           |IT36907|Special Build for V11.5.6:                    |
|       |              |       |                                              |
|       |              |       |AIX 64-bit                                    |
|       |              |       |Linux 32-bit, x86-32                          |
|       |              |       |Linux 64-bit, x86-64                          |
|       |              |       |Linux 64-bit, POWER(TM) little endian         |
|       |              |       |Linux 64-bit, System z(R), System z9(R) or    |
|       |              |       |zSeries(R)                                    |
|       |              |       |Windows 32-bit, x86                           |
|       |              |       |Windows 64-bit, x86                           |
+-------+--------------+-------+----------------------------------------------+

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

16 Sep 2021: Added link for v10.5 Windows 32-bit x86
15 Sep 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----