SB2024010322 - Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data
Published: January 3, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2023-43646)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing malicious input. A remote attacker can trigger resource exhaustion when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly, and perform a denial of service (DoS) attack.
2) Incorrect Comparison (CVE-ID: CVE-2023-45133)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists in '@babel/traverse' and `babel-traverse`. A local user can execute arbitrary code during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.
3) Incorrect Regular Expression (CVE-ID: CVE-2022-25883)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.
Remediation
Install update from vendor's website.