Security Bulletin: InfoSphere BigInsights is affected by multiple IBM DB2 advisories (CVE-2014-8910, CVE-2015-1883, CVE-2015-1922, CVE-2015-1935).


Summary

InfoSphere BigInsights is affected by multiple IBM DB2 advisories (CVE-2014-8910, CVE-2015-1883, CVE-2015-1922, CVE-2015-1935). The vulnerabilities exist in the Big SQL server component included in BigInsights.

Vulnerability Details


CVEID: CVE-2014-8910
DESCRIPTION:
IBM DB2 contains a file disclosure vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted XML statement to view text files owned by the DB2 instance owner.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99251 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-1883
DESCRIPTION:
IBM DB2 contains a file disclosure vulnerability. A remote, authenticated DB2 user with elevated privilege could exploit this vulnerability by manipulating an auto maintenance policies stored procedure to view any files owned by the DB2 fenced user on Unix/Linux or the Windows administrator on Windows.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101239 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-1922
DESCRIPTION:
IBM DB2 contains an illegal data access vulnerability. The DB2 Data Movement feature does not perform sufficient privilege checking, which allows a user with elevated privilege to delete rows from a table.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-1935
DESCRIPTION:
IBM DB2 LUW contains a denial of service vulnerability in a scalar function that may cause the DB2 server to terminate abnormally.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102979 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Affected Products and Versions

IBM InfoSphere BigInsights: 3.0, 3.0.0.1, 3.0.0.2, 4.0, 4.1

Remediation/Fixes

For all the affected versions, apply the interim fix available from Fix Central.

References

Change History

21 September 2015: Original Copy Published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
08 April 2021

UID

swg21966964