Vulnerability CVE-2021-20373 - CERT Civis.Net

Vulnerability Name:

CVE-2021-20373 (CCN-195521)

Assigned:

2020-12-17

Published:

2021-12-08

Updated:

2022-03-31

Summary:

IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-20373

Source: XF
Type: UNKNOWN
ibm-db2-cve202120373-info-disc(195521)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-db2-cve202120373-info-disc (195521)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220225-0005/

Source: CCN
Type: IBM Security Bulletin 6523804 (DB2 for Linux, UNIX and Windows)
IBM Db2 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373)

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.ibm.com/support/pages/node/6523804

Source: CCN
Type: IBM Security Bulletin 6536602 (Db2 Warehouse)
IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data hve released a fix in response to multiple vulnerabilities found in IBM Db2

Source: CCN
Type: IBM Security Bulletin 6541958 (Db2 Warehouse)
IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2

Source: CCN
Type: IBM Security Bulletin 6562919 (Spectrum Protect Server)
Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926)

Source: CCN
Type: IBM Security Bulletin 6598029 (PureData System for Operational Analytics)
Multiple vulnerabilities has been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics

Source: CCN
Type: IBM Security Bulletin 6619073 (Intelligent Operations Center)
Multiple vulnerabilities found in IBM DB2 which is shipped with IBM Intelligent Operations Center(CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:db2:9.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:*:-:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:db2:11.5:*:*:*:*:-:*:*

AND

cpe:/o:hp:hp-ux:-:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:-:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

OR cpe:/o:oracle:solaris:-:*:*:*:*:*:-:*

Configuration CCN 1:

cpe:/a:ibm:db2:10.5:*:*:*:*:linux:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:*:unix:*:*

OR cpe:/a:ibm:db2:10.5:*:*:*:*:windows:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:*:linux:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:*:unix:*:*

OR cpe:/a:ibm:db2:10.1:*:*:*:*:windows:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:*:linux:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:*:unix:*:*

OR cpe:/a:ibm:db2:9.7:*:*:*:*:windows:*:*

OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*

OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*

OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*

OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*

OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*

OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*

AND

cpe:/a:ibm:intelligent_operations_center:5.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:intelligent_operations_center:5.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:intelligent_operations_center:5.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:intelligent_operations_center:5.1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:intelligent_operations_center:5.1.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_server:8.1.0.000:*:*:*:*:*:*:*

OR cpe:/a:ibm:intelligent_operations_center:5.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:intelligent_operations_center:5.2.1:*:*:*:*:*:*:*

Denotes that component is vulnerable