IBM family of products (IBM Cognos Analytics, IBM Db2, etc.) security update advisory
Overview
We have released updates to fix vulnerabilities in the IBM family of products. Users of affected versions are advised to update to the latest version.
Affected Products
CVE-2024-25047
- IBM Cognos Analytics Versions: 12.0 (inclusive) to 12.0.2 (inclusive)
- IBM Cognos Analytics Versions: 11.2.0 (inclusive) through 11.2.4 FP2 (inclusive)
CVE-2023-26021, CVE-2023-29257, CVE-2023-30431
- IBM System Storage Virtualization Engine TS7700 Version: 3957-VED R5.3 8.53.1.21
- IBM System Storage Virtualization Engine TS7700 Version: 3957-VED R5.4 8.54.0.68
- IBM System Storage Virtualization Engine TS7700 Version: 3948-VED R5.3 8.53.1.21
- IBM System Storage Virtualization Engine TS7700 Version: 3948-VED R5.4 8.54.0.68
CVE-2023-47145
- IBM Cloud APM, Base Private Version: 8.1.4
- IBM Cloud APM, Advanced Private Version: 8.1.4
- IBM® Db2® Versions: 10.5.0.x, 11.1.4.x, 11.5.x
CVE-2023-37407
- IBM Aspera Orchestrator Version: 4.0.1
Resolved Vulnerabilities
Injection attack vulnerability in application logging due to failure to sanitize user-supplied data in IBM Cognos Analytics (CVE-2024-25047)
Denial of service vulnerability in IBM Db2 when compiling a specially crafted SQL query using a LIMIT clause (CVE-2023-26021)
Remote code execution vulnerability in IBM Db2 due to an administrator of a database being able to access other databases within the same instance (CVE-2023-29257)
Buffer overflow vulnerability in IBM Db2 due to improper boundary checking in Db2Set (CVE-2023-30431)
Privilege escalation vulnerability in IBM Db2 that allows a local user to assign privileges using the MSI repair function (CVE-2023-47145)
Arbitrary code execution vulnerability in IBM Aspera Orchestrator due to an authenticated remote attacker sending a specially crafted request (CVE-2023-37407)
Vulnerability Patches
Patched versions have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the patched version listed below.
CVE-2024-25047
- IBM Cognos Analytics Version: 12.0.3
- IBM Cognos Analytics Version: 11.2.4 FP3
CVE-2023-26021, CVE-2023-29257, CVE-2023-30431
- IBM System Storage Virtualization Engine TS7700 Version: 3957-VED R5.3 8.54.1.27
- IBM System Storage Virtualization Engine TS7700 Version: 3957-VED R5.4 8.54.1.27
- IBM System Storage Virtualization Engine TS7700 Version: 3948-VED R5.3 8.54.1.27
- IBM System Storage Virtualization Engine TS7700 Version: 3948-VED R5.4 8.54.1.27
CVE-2023-47145
- Update according to the "Remediation/Fixes" section of Referenced Site [4]
CVE-2023-37407
- IBM Aspera Orchestrator Version: 4.0.1 PL1/PL2
Referenced Sites
[1] CVE-2024-25047 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-25047
[2] Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
https://www.ibm.com/support/pages/node/7149874
[3] Security Bulletin: IBM Virtualization Engine TS7700 is susceptible to multiple vulnerabilities due to the use of IBM Db2
https://www.ibm.com/support/pages/node/7145239
[4] Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.
https://www.ibm.com/support/pages/node/7150158
[5] Security Bulletin: IBM Aspera Orchestrator affected by a command injection vulnerability (CVE-2023-37407)
https://www.ibm.com/support/pages/node/7150117