Multiple vulnerabilities in IBM DB2 Data Management Console
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2019-19921 CVE-2021-43784 CVE-2022-29162 CVE-2022-41723 CVE-2023-25809 CVE-2023-28642 CVE-2023-27561 CVE-2016-1000027 CVE-2023-25173 CVE-2023-25153 CVE-2022-31030 CVE-2022-23471 CVE-2021-41103 CVE-2021-32760 |
| CWE-ID | CWE-284 CWE-190 CWE-264 CWE-400 CWE-281 CWE-502 CWE-269 CWE-276 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
DB2 Data Management Console on CPD Other software / Other software solutions DB2 Data Management Console Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU25847
Risk: Low
CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-19921
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions, related to libcontainer/rootfs_linux.go in runc. A local user with ability to spawn two containers with custom volume-mount configurations, and run custom images can escalate privileges on the system.
Install update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Integer overflow
EUVDB-ID: #VU58522
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-43784
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in netlink bytemsg length field. A remote authenticated attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU63090
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-29162
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to containers are incorrectly started with non-empty inheritable Linux process capabilities, which leads to security restrictions bypass and privilege escalation.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU72686
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-41723
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Preservation of Permissions
EUVDB-ID: #VU74189
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25809
CWE-ID:
CWE-281 - Improper preservation of permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the rootless "/sys/fs/cgroup" is writable when cgroupns is not unshared. A local administrator can gain the write access to user-owned cgroup hierarchy "/sys/fs/cgroup/user.slice/..." on the host.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Preservation of Permissions
EUVDB-ID: #VU74193
Risk: Medium
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-28642
CWE-ID:
CWE-281 - Improper preservation of permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper preservation of permissions in the AppArmor and SELinux when /proc inside the container is symlinked with a specific mount configuration. A remote attacker can gain access to the target application.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper access control
EUVDB-ID: #VU74190
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-27561
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise the target system.
The vulnerability exists due to improper access restrictions in the libcontainer/rootfs_linux.go. A local user can gain elevated privileges on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Deserialization of Untrusted Data
EUVDB-ID: #VU76601
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2016-1000027
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper Privilege Management
EUVDB-ID: #VU72320
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25173
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management where supplementary groups are not set up properly inside a container. A local user can use supplementary group access to bypass primary group restrictions and compromise the container.
Install update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Resource exhaustion
EUVDB-ID: #VU72319
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-25153
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when importing an OCI image. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Resource exhaustion
EUVDB-ID: #VU64007
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31030
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the ExecSync API. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Resource exhaustion
EUVDB-ID: #VU70039
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23471
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in containerd CRI stream server when handling terminal resize events. A remote user can request a TTY and force it to fail by sending a faulty command and exhaust memory on the host.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Incorrect default permissions
EUVDB-ID: #VU57038
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-41103
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for container root directories and some plugins. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host can discover, read, and modify those files.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU54999
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32760
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to archive package allows chmod of file outside of unpack target directory. A remote attacker can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky.
MitigationInstall update from vendor's website.
Vulnerable software versionsDB2 Data Management Console on CPD: 4.7.1
DB2 Data Management Console: 3.1.11 - 3.1.13
CPE2.3- cpe:2.3:a:ibm_corporation:db2_data_management_console_on_cpd:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:db2_data_management_console:3.1.13:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7239178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
