May 12, 2022

IBM database updates address critical 3rd party XML parser vulnerabilities

Adam Bannister April 25, 2022 at 15:39 UTC

Updated: April 25, 2022 at 4:00 p.m. UTC

Flaws in popular parser prompt updates from many downstream vendors

IBM has updated the Db2 data management platform to protect users against a pair of critical vulnerabilities in older versions of Expat, a third-party library.

Both flaws earned a CVSS score of 9.8, and each potentially allowed attackers to execute arbitrary code on vulnerable systems due to integer overflow issues.

Integer overflows can be found in Expat’s (CVE-2022-23852) and functions (CVE-2022-23990).
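As an added illustration of the bug class the article describes (not Expat's code and not a reproduction of either CVE): a parser keeps a count of bytes already buffered and must decide whether a caller's requested append still fits. If that sum is computed in a fixed-width integer with no wrap-around check, an attacker-sized request produces a tiny total, the bounds check passes, and the parser proceeds on a buffer that is far too small. The constructed `total_unchecked`/`fits_unchecked` pair shows the defect; `total_checked`/`fits_checked` is the hardened form that refuses any request whose arithmetic cannot be trusted. Sizes are `uint32_t` so the wrap is reproducible and well-defined on any platform (the same mistake on a signed `int` is undefined behaviour).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example for the integer-overflow bug class; hypothetical
 * buffer bookkeeping, not libexpat's actual functions or fields. */

/* BUGGY: adds the two sizes with no overflow check. */
uint32_t total_unchecked(uint32_t buffered, uint32_t requested) {
    return buffered + requested;   /* silently wraps past UINT32_MAX */
}

/* Bounds check built on the buggy total: a wrapped total is small, so
 * the comparison passes and the caller later writes past the buffer. */
bool fits_unchecked(uint32_t capacity, uint32_t buffered, uint32_t requested) {
    return total_unchecked(buffered, requested) <= capacity;
}

/* FIXED: detect the wrap before adding and report failure instead. */
bool total_checked(uint32_t buffered, uint32_t requested, uint32_t *total) {
    if (requested > UINT32_MAX - buffered)   /* sum would exceed UINT32_MAX */
        return false;
    *total = buffered + requested;
    return true;
}

/* Bounds check that fails closed when the arithmetic is untrustworthy. */
bool fits_checked(uint32_t capacity, uint32_t buffered, uint32_t requested) {
    uint32_t total;
    if (!total_checked(buffered, requested, &total))
        return false;
    return total <= capacity;
}

int main(void) {
    uint32_t capacity  = 1u << 20;      /* 1 MiB parse buffer */
    uint32_t buffered  = 0x100u;        /* 256 bytes already held */
    uint32_t requested = 0xFFFFFFF0u;   /* hostile, oversized append */

    /* Unchecked: 0x100 + 0xFFFFFFF0 wraps to 0xF0 (240), which "fits". */
    printf("unchecked total=%" PRIu32 " fits=%d\n",
           total_unchecked(buffered, requested),
           fits_unchecked(capacity, buffered, requested));
    /* Checked: the wrap is caught and the request is refused. */
    printf("checked   fits=%d\n",
           fits_checked(capacity, buffered, requested));
    return 0;
}
```

The same guard generalizes to any size computation fed by input-controlled lengths: test `requested > MAX - buffered` (or use a wider type) before adding, and treat failure as a hard refusal rather than a value to clamp.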


If exploited, the bugs “could result in the disclosure of sensitive information, the addition or modification of data, or a denial of service (DoS),” according to a related notice from NetApp, which is working on fixes for several of its own vulnerable products.

IBM Db2 is just one of many vendor products that bundle Expat (aka libexpat), a C library for XML parsing that dates back to 1997 and “excels with files that are too large to hold in RAM, and where performance and flexibility are crucial,” according to its maintainers.

Downstream fixes

Expat maintainers fixed the flaws in version 2.4.4, which dropped on January 30, 2022.
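Because Expat is bundled into so many products, the first practical check is which libexpat a given runtime actually links. As an added example (not from the article or from the Expat project), this script reads the version string that CPython's `pyexpat` module exposes for its bundled libexpat, parses it, and compares it against the 2.4.4 fix release named above; the `"expat_X.Y.Z"` format is what `pyexpat.EXPAT_VERSION` returns in practice, and the constructed sample strings in the comments are illustrative.

```python
import re

# Version in which the maintainers shipped the fixes, per the article.
FIXED_VERSION = (2, 4, 4)

_VERSION_RE = re.compile(r"^expat_(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(version_string: str) -> tuple[int, int, int]:
    """Parse a pyexpat.EXPAT_VERSION string such as 'expat_2.4.1' into a tuple."""
    match = _VERSION_RE.match(version_string.strip())
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_patched(version: tuple[int, int, int]) -> bool:
    """True if the linked libexpat is at or beyond the 2.4.4 fix release."""
    return version >= FIXED_VERSION


def check_runtime_expat() -> dict:
    """Report the libexpat that this interpreter's XML parser actually uses."""
    import pyexpat  # standard library; backs xml.parsers.expat

    version = parse_expat_version(pyexpat.EXPAT_VERSION)
    return {
        "version_string": pyexpat.EXPAT_VERSION,
        "version": version,
        "patched": is_patched(version),
    }


if __name__ == "__main__":
    report = check_runtime_expat()
    status = "OK" if report["patched"] else "VULNERABLE (update libexpat)"
    print(f"{report['version_string']}: {status}")
```

Run this under each Python installation in use, since a distribution build may link the system libexpat while a vendored build carries its own copy; a negative result means the interpreter, not just a package, needs updating.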

The bugs affect Db2 versions 9.7.x, 10.1.x, 10.5.x, and 11.1.x.

IBM has advised customers running vulnerable fix pack levels to download a corresponding special release containing an interim fix. “These special builds are available based on the latest fixpack level for each affected release: V9.7 FP11, V10.1 FP6, V10.5 FP11, and V11.1.4 FP6,” reads an IBM security bulletin published on April 20.

The Expat flaws have also prompted updates to the Oracle Communications MetaSolv Solution and Red Hat Enterprise Linux.

Pulse Secure has scheduled fixes for a number of products, including Pulse Desktop Client, Pulse Connect Secure, and Ivanti Connect Secure, and is still investigating whether certain other products are also vulnerable.

Other related advisories have come from the Linux distribution Ubuntu, from Cisco regarding its 8000 Series CCTV cameras, and from Dell EMC regarding its VxRail hyperconverged infrastructure (storage) appliances.
