Vulnerability Name: CVE-2020-5025 (CCN-193661) Assigned: 2019-12-30 Published: 2021-03-10 Updated: 2021-04-12 Summary: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 193661. CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-120 Vulnerability Consequences: Gain Privileges References: Source: MITRECVE-2020-5025 ibm-db2-cve20205025-bo(193661) ibm-db2-cve20205025-bo (193661) https://security.netapp.com/advisory/ntap-20210409-0003/ IBM Db2 db2fm is vulnerable to a buffer overflow (CVE-2020-5025) https://www.ibm.com/support/pages/node/6427855 IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2 Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing IBM DB2 Server Vulnerabilities Affect IBM Emptoris Program Management Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2020-5024, CVE-2020-5025, CVE-2020-4976) Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product. Multiple vulnerabilities found in Db2 affect IBM Cloud Pak System Software and Cloud Pak System Software Suite Multiple vulnerabilities has been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics Vulnerable Configuration: Configuration 1 :cpe:/a:ibm:db2:9.7:-:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp1:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp10:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp2:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp3:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp3a:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp4:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp5:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp6:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp7:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp8:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:fp9:*:*:*:*:*:* OR cpe:/a:ibm:db2:*:*:*:*:*:*:*:* (Version >= 11.5 and < 11.5.5.0) OR cpe:/a:ibm:db2:9.7:fp9a:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:fp1:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:fp2:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:fp3:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:fp3a:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:fp4:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:fp5:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp1:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp2:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp3:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp3a:*:*:*:*:*:* OR cpe:/a:ibm:db2:*:*:*:*:*:*:*:* (Version >= 11.1.0.0 and < 11.1.4.6) OR cpe:/a:ibm:db2:10.5:fp4:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp5:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp6:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp7:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp8:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:fp9:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5:-:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1:-:*:*:*:*:*:* AND cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:* Configuration 2 :cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:ibm:db2:10.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:* AND cpe:/a:ibm:emptoris_sourcing:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_sourcing:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_contract_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_sourcing:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:monitoring:8.1.4:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_contract_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_contract_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:* OR cpe:/a:ibm:emptoris_program_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_program_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_program_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:11.2:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.2:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.2:*:*:*:*:windows:*:* OR cpe:/a:ibm:spectrum_protect:8.1.0.000:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect:8.1.12.000:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect:7.1.0.000:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect:7.1.13.100:*:*:*:*:*:*:* BACK
ibm db2 9.7 -
ibm db2 9.7 fp1
ibm db2 9.7 fp10
ibm db2 9.7 fp2
ibm db2 9.7 fp3
ibm db2 9.7 fp3a
ibm db2 9.7 fp4
ibm db2 9.7 fp5
ibm db2 9.7 fp6
ibm db2 9.7 fp7
ibm db2 9.7 fp8
ibm db2 9.7 fp9
ibm db2 *
ibm db2 9.7 fp9a
ibm db2 10.1 fp1
ibm db2 10.1 fp2
ibm db2 10.1 fp3
ibm db2 10.1 fp3a
ibm db2 10.1 fp4
ibm db2 10.1 fp5
ibm db2 10.5 fp1
ibm db2 10.5 fp2
ibm db2 10.5 fp3
ibm db2 10.5 fp3a
ibm db2 *
ibm db2 10.5 fp4
ibm db2 10.5 fp5
ibm db2 10.5 fp6
ibm db2 10.5 fp7
ibm db2 10.5 fp8
ibm db2 10.5 fp9
ibm db2 10.5 -
ibm db2 10.1 -
linux linux kernel -
microsoft windows -
netapp oncommand insight -
ibm db2 10.5
ibm db2 10.5
ibm db2 10.5
ibm db2 10.1
ibm db2 10.1
ibm db2 10.1
ibm db2 9.7
ibm db2 9.7
ibm db2 9.7
ibm db2 11.1
ibm db2 11.1
ibm db2 11.1
ibm db2 11.5
ibm db2 11.5
ibm db2 11.5
ibm emptoris sourcing 10.1.0
ibm emptoris sourcing 10.1.1
ibm emptoris contract management 10.1.0
ibm emptoris sourcing 10.1.3
ibm monitoring 8.1.4
ibm emptoris contract management 10.1.1
ibm emptoris contract management 10.1.3
ibm db2 9.7
ibm db2 9.7
ibm db2 9.7
ibm db2 10.1
ibm db2 10.1
ibm db2 10.1
ibm db2 10.5
ibm db2 10.5
ibm db2 10.5
ibm db2 11.1
ibm db2 11.1
ibm db2 11.1
ibm db2 11.5
ibm db2 11.5
ibm db2 11.5
ibm emptoris program management 10.1.0
ibm emptoris program management 10.1.1
ibm emptoris program management 10.1.3
ibm emptoris supplier lifecycle management 10.1.0
ibm emptoris supplier lifecycle management 10.1.1
ibm emptoris supplier lifecycle management 10.1.3
ibm emptoris strategic supply management 10.1.0
ibm emptoris strategic supply management 10.1.1
ibm emptoris strategic supply management 10.1.3
ibm db2 11.2
ibm db2 11.2
ibm db2 11.2
ibm spectrum protect 8.1.0.000
ibm spectrum protect 8.1.12.000
ibm spectrum protect 7.1.0.000
ibm spectrum protect 7.1.13.100
Denotes that component is vulnerable