QID 20252

Date Published: 2022-04-08

QID 20252: IBM DB2 Security Update for Log4j (6528672,6549888)

DB2 is a family of data management products, including database servers, developed by IBM.

CVE-2021-45105: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect against uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that terminates the process.

CVE-2021-45046: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information, achieve remote code execution in some environments, and achieve local code execution in all environments.

CVE-2021-44832: Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.

QID Detection Logic:
Authenticated (DB2): This QID queries the DB2 server to get the server version and fix pack level and checks whether it is vulnerable.
Authenticated (Windows): This QID checks for vulnerable versions of DB2 on the Windows OS.

Successful exploitation could compromise confidentiality, integrity and availability.

  • CVSS V3 rated as Critical - 9 severity.
  • CVSS V2 rated as High - 6 severity.

Solution

    Please refer to the following IBM support link: 6528672 (www.ibm.com/support/pages/node/6528672)

    CVEs related to QID 20252

    Software Advisories
    Advisory ID | Software Component | Link
    6528672 | - | www.ibm.com/support/pages/node/6528672