X-Force ID: 229462. CVE-2018-1488 Insecure data storage in IBM DB2 for Linux, UNIX, and Windows and other products could allow a remote attacker to obtain sensitive information. If a user had set up a data source to accept SQL input (e.g., by right clicking a data source and selecting “Edit with SQL”), and that data source was connected to a public network, an attacker could connect to the data source and send SQL queries that could retrieve sensitive information. For example, if a data source was connected to the public Internet, an attacker could send SQL queries to retrieve data from another user's account. There is no way to guarantee that a data source is connected to the public Internet, so this vulnerability cannot be exploited by connecting to a data source on an internal network. However, if a data source is connected to a network that is publicly accessible, an attacker could use this vulnerability to access data from another network user's data source. IBM X-Force ID: 229463.

IBM DB2 for Linux, UNIX, and Windows and other products

IBM DB2 for Linux, UNIX, and Windows and other products have an insecure data storage vulnerability that could allow a remote attacker to obtain sensitive information. If a user had set up a data source to accept SQL input (e.g., by right clicking a data source and selecting "Edit with SQL"), and that data source was connected to the public network, an attacker could connect to the data source and send SQL queries that would retrieve sensitive information from another user's account. There is no way to guarantee that a data source is connected to the public network, so this vulnerability cannot be exploited if connecting to a data source on an internal network. However, if a data source is connected to a publicly accessible network, an attacker could use this vulnerability to exploit another network user's account using the data stored in their database.

IBM DB2 for Linux, UNIX, and Windows Vulnerabilities

There is a vulnerability in IBM DB2 for Linux, UNIX, and Windows. This product could be vulnerable to an SQL injection attack that could allow an attacker to retrieve sensitive information from another user's account. If a customer has set up a data source to accept SQL input (e.g., by right clicking a data source and selecting "Edit with SQL"), and the data source is connected to the public Internet, an attacker can connect to the data source and send SQL queries that will retrieve sensitive information from another user's account. There is no way to guarantee that a data source is not connected to the public Internet.

Summary of the Vulnerability

Using an insecure data source, an attacker could retrieve sensitive information from another user's account.

Products Mentioned in this Report

IBM DB2 for Linux, UNIX, and Windows
DB2 Analytics Accelerator

DB2 for Linux, UNIX, and Windows and other products

IBM DB2 for Linux, UNIX, and Windows is a relational database management system. These products are used by many enterprise companies to manage data and applications.
If you want to learn more about DB2 for Linux, UNIX, and Windows or other IBM product vulnerabilities, please contact your IBM representative.

Timeline

Published on: 12/12/2022 13:15:00 UTC
Last modified on: 12/14/2022 19:15:00 UTC

References