IBM Patches a Slew of Security Vulns in Db2 Web Query
January 10, 2024 Alex Woodie
If you haven’t started your migration off Db2 Web Query, you might want to accelerate your planning: last week IBM disclosed a slew of security vulnerabilities in the soon-to-be-discontinued product, two of them rated critical and four rated high severity. IBM has issued PTF groups that fix all of the flaws for the affected IBM i releases.
On January 3, IBM disclosed a total of eight security vulnerabilities in Db2 Web Query, the IBM i-based data warehousing and business analytics tool that it OEM’ed from TIBCO’s Information Builders subsidiary, and which it abruptly discontinued in early October after more than a decade of customer and partner success.
According to IBM’s security bulletin, the vulnerabilities exist in a range of open source components bundled with Db2 Web Query version 2.4, from the VMware Tanzu Spring Framework to Apache Tomcat. Two of the vulnerabilities have CVSS base scores above 9, making them critical vulnerabilities that should be patched immediately, while another four have identical scores of 7.5.
The most serious vulnerability is CVE-2017-15708, a flaw in Apache Synapse that could allow a remote attacker to execute arbitrary code on the system by sending a specially crafted serialized object that the application deserializes. It carries a CVSS base score of 9.8, which puts it among the most serious security flaws recorded (the Log4j flaw from a couple of years ago scored a perfect 10, for comparison’s sake).
The second-most severe vulnerability is CVE-2023-20860, a flaw in the VMware Tanzu Spring Framework that could allow a remote attacker to bypass security restrictions when an application’s Spring Security configuration uses “an un-prefixed double wildcard pattern with the mvcRequestMatcher,” because Spring Security and Spring MVC then match request paths differently. This flaw carries a CVSS base score of 9.1, making it a critical flaw.
The first of the vulnerabilities with a CVSS base score of 7.5 is CVE-2023-20862, another flaw in VMware Tanzu Spring. Because logout support does not “properly clean the security context” when serialized versions of it are in use, a remote attacker who sends a specially crafted request could bypass security restrictions and keep a user authenticated after that user has logged out.
The second such vulnerability is CVE-2023-24998, a denial-of-service (DoS) flaw in Apache Commons FileUpload and Tomcat that could be exploited by sending a specially crafted multipart upload request.
The third security vulnerability with a 7.5 rating is CVE-2023-1370, a flaw in netplex json-smart-v2 that could enable a DoS attack due to an error in how deeply nested arrays or objects are handled. An attacker could cause the system to crash by sending specially crafted JSON input.
The fourth such vulnerability is CVE-2023-20863, another flaw in the VMware Tanzu Spring Framework, which leaves Db2 Web Query open to a DoS attack through a specially crafted SpEL expression.
IBM listed two other, moderate-severity flaws. CVE-2022-41946, a flaw in the PostgreSQL JDBC driver, could allow a local authenticated attacker to obtain sensitive information by sending a specially crafted request. It carries a CVSS base score of 6.3.
The last of the eight security flaws patched by IBM is CVE-2023-20861, another DoS flaw in the VMware Tanzu Spring Framework. It carries a CVSS base score of 5.3, also a moderate threat.
There are no workarounds for any of these flaws, and Db2 Web Query customers are encouraged to apply the fixes immediately. IBM has issued two PTF groups: SF99673-03 for Db2 Web Query running on IBM i 7.3 and SF99672-03 for IBM i 7.4.
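As an added check that is not part of the article or of IBM’s bulletin, the following Db2 for i query (run from ACS Run SQL Scripts or STRSQL) reports whether the two PTF groups named above are installed on a partition and at what level, and whether the Db2 Web Query product itself is present. It assumes that the “-03” suffix in the bulletin denotes group level 3, and that the installed product ID for Db2 Web Query is 5733WQX; both are assumptions, so adjust them to match the bulletin for your release.

```sql
-- Added verification query, not from the article or IBM's bulletin.
-- QSYS2.GROUP_PTF_INFO is the IBM-supplied catalog view; it returns one row
-- per group level present on the system, so the newest level sorts first.
-- Assumption: the "-03" suffix in the bulletin is group level 3.
SELECT PTF_GROUP_NAME,
       PTF_GROUP_TARGET_RELEASE,
       PTF_GROUP_LEVEL,
       PTF_GROUP_STATUS,
       CASE
         WHEN PTF_GROUP_LEVEL >= 3 AND PTF_GROUP_STATUS = 'INSTALLED'
           THEN 'OK'
         ELSE 'NEEDS PATCH'
       END AS ASSESSMENT
  FROM QSYS2.GROUP_PTF_INFO
 WHERE PTF_GROUP_NAME IN ('SF99672', 'SF99673')   -- groups cited in the article
 ORDER BY PTF_GROUP_NAME, PTF_GROUP_LEVEL DESC;

-- No rows at all for a group means it has never been loaded on this partition.
-- Confirm the product is actually installed before chasing the PTF group.
-- Assumption: 5733WQX is the Db2 Web Query for i product ID.
SELECT PRODUCT_ID,
       PRODUCT_OPTION,
       RELEASE_LEVEL,
       LOAD_STATE
  FROM QSYS2.SOFTWARE_PRODUCT_INFO
 WHERE PRODUCT_ID = '5733WQX';
```

If the first query returns an older level with status INSTALLED and the current level with a status such as NOT INSTALLED or APPLY AT NEXT IPL, the fix has been loaded but is not yet active; the assessment column only reports OK once the required level is both present and installed.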
IBM abruptly announced the end of sales, marketing, and support for Db2 Web Query in early October, the same day it announced the Fall 2023 Technology Refresh for IBM i. IBM didn’t give a reason for the sudden change of heart on its flagship IBM i analytics product, but it clearly is the result of a breakdown with its OEM partner, TIBCO.
The sudden death of Db2 Web Query, and IBM’s decision to provide no replacement product, has left customers wondering how they’ll move forward with critical analytics and business intelligence functions. These security flaws may help crystallize customers’ plans to replace the software.