Vulnerability Name:

CVE-2020-5024 (CCN-193660)

Assigned:2019-12-30
Published:2021-03-10
Updated:2021-04-12
Summary:IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due a hang in the SSL handshake response. IBM X-Force ID: 193660.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-5024

Source: XF
Type: UNKNOWN
ibm-db2-cve20205024-dos(193660)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-db2-cve20205024-dos (193660)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210409-0003/

Source: CCN
Type: IBM Security Bulletin 6427861 (DB2 for Linux, UNIX and Windows)
IBM Db2 is vulnerable to a denial of service (CVE-2020-5024)

Source: CONFIRM
Type: Vendor Advisory
https://www.ibm.com/support/pages/node/6427861

Source: CCN
Type: IBM Security Bulletin 6444895 (Db2 Warehouse)
IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2

Source: CCN
Type: IBM Security Bulletin 6446155 (Emptoris Strategic Supply Management)
Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform

Source: CCN
Type: IBM Security Bulletin 6446157 (Emptoris Contract Management)
Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management

Source: CCN
Type: IBM Security Bulletin 6446159 (Emptoris Supplier Lifecycle Management)
IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt

Source: CCN
Type: IBM Security Bulletin 6446161 (Emptoris Sourcing)
Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing

Source: CCN
Type: IBM Security Bulletin 6446619 (Emptoris Program Management)
IBM DB2 Server Vulnerabilities Affect IBM Emptoris Program Management

Source: CCN
Type: IBM Security Bulletin 6462189 (Spectrum Protect)
Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2020-5024, CVE-2020-5025, CVE-2020-4976)

Source: CCN
Type: IBM Security Bulletin 6528194 (Monitoring)
Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product.

Source: CCN
Type: IBM Security Bulletin 6583541 (Cloud Pak System Software)
Multiple vulnerabilities found in Db2 affect IBM Cloud Pak System Software and Cloud Pak System Software Suite

Source: CCN
Type: IBM Security Bulletin 6598029 (PureData System for Operational Analytics)
Multiple vulnerabilities has been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:db2:9.7:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp10:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp3a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp4:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp5:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp6:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp7:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp8:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.7:fp9:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:*:*:*:*:*:*:*:* (Version >= 11.5 and < 11.5.5.0)
  • OR cpe:/a:ibm:db2:9.7:fp9a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:fp3a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:fp4:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:fp5:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp3a:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:*:*:*:*:*:*:*:* (Version >= 11.1.0.0 and < 11.1.4.6)
  • OR cpe:/a:ibm:db2:10.5:fp4:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp5:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp6:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp7:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp8:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:fp9:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.5:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:10.1:-:*:*:*:*:*:*
  • AND
  • cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:db2:10.5:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:10.5:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:10.1:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:9.7:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*
  • AND
  • cpe:/a:ibm:emptoris_sourcing:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_sourcing:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_contract_management:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_sourcing:10.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:monitoring:8.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_contract_management:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_contract_management:10.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_program_management:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_program_management:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_program_management:10.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:11.2:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:11.2:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:11.2:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1.0.000:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1.12.000:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:7.1.0.000:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:7.1.13.100:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm db2 9.7 -
    ibm db2 9.7 fp1
    ibm db2 9.7 fp10
    ibm db2 9.7 fp2
    ibm db2 9.7 fp3
    ibm db2 9.7 fp3a
    ibm db2 9.7 fp4
    ibm db2 9.7 fp5
    ibm db2 9.7 fp6
    ibm db2 9.7 fp7
    ibm db2 9.7 fp8
    ibm db2 9.7 fp9
    ibm db2 *
    ibm db2 9.7 fp9a
    ibm db2 10.1 fp1
    ibm db2 10.1 fp2
    ibm db2 10.1 fp3
    ibm db2 10.1 fp3a
    ibm db2 10.1 fp4
    ibm db2 10.1 fp5
    ibm db2 10.5 fp1
    ibm db2 10.5 fp2
    ibm db2 10.5 fp3
    ibm db2 10.5 fp3a
    ibm db2 *
    ibm db2 10.5 fp4
    ibm db2 10.5 fp5
    ibm db2 10.5 fp6
    ibm db2 10.5 fp7
    ibm db2 10.5 fp8
    ibm db2 10.5 fp9
    ibm db2 10.5 -
    ibm db2 10.1 -
    linux linux kernel -
    microsoft windows -
    netapp oncommand insight -
    ibm db2 10.5
    ibm db2 10.5
    ibm db2 10.5
    ibm db2 10.1
    ibm db2 10.1
    ibm db2 10.1
    ibm db2 9.7
    ibm db2 9.7
    ibm db2 9.7
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 11.5
    ibm db2 11.5
    ibm db2 11.5
    ibm emptoris sourcing 10.1.0
    ibm emptoris sourcing 10.1.1
    ibm emptoris contract management 10.1.0
    ibm emptoris sourcing 10.1.3
    ibm monitoring 8.1.4
    ibm emptoris contract management 10.1.1
    ibm emptoris contract management 10.1.3
    ibm emptoris program management 10.1.0
    ibm emptoris program management 10.1.1
    ibm emptoris program management 10.1.3
    ibm emptoris supplier lifecycle management 10.1.0
    ibm emptoris supplier lifecycle management 10.1.1
    ibm emptoris supplier lifecycle management 10.1.3
    ibm emptoris strategic supply management 10.1.0
    ibm emptoris strategic supply management 10.1.1
    ibm emptoris strategic supply management 10.1.3
    ibm db2 11.2
    ibm db2 11.2
    ibm db2 11.2
    ibm spectrum protect 8.1.0.000
    ibm spectrum protect 8.1.12.000
    ibm spectrum protect 7.1.0.000
    ibm spectrum protect 7.1.13.100