What is the severity of CVE-2023-27859?

CVE-2023-27859 has been rated as a critical vulnerability due to its potential to allow arbitrary code execution by remote users.

How do I fix CVE-2023-27859?

To mitigate CVE-2023-27859, update to the latest available version of IBM Db2 that resolves this issue.

What versions of IBM Db2 are affected by CVE-2023-27859?

CVE-2023-27859 affects IBM Db2 versions 10.1, 10.5, 11.1, and 11.5.

What may happen if I don't address CVE-2023-27859?

Failure to address CVE-2023-27859 could result in unauthorized remote code execution within your Db2 environment.

Can CVE-2023-27859 affect databases on different servers?

Yes, CVE-2023-27859 allows a malicious user to exploit vulnerable jar file installations across multiple databases, even if they are hosted on different servers.

Vulnerability/
CVE-2023-27859

medium

6.5

8/1/2024

22/1/2024

20/2/2025

CVE-2023-27859: IBM Db2 code execution

First published: Mon Jan 08 2024(Updated: )

IBM Db2 10.1, 10.5, and 11.1 could allow a remote user to execute arbitrary code caused by installing like named jar files across multiple databases. A user could exploit this by installing a malicious jar file that overwrites the existing like named jar file in another database. IBM X-Force ID: 249205.

Credit: psirt@us.ibm.com

Affected Software	Affected Version	How to fix
IBM Data Virtualization on Cloud Pak for Data	<=3.0
IBM Watson Query with Cloud Pak for Data	<=2.2
IBM Watson Query with Cloud Pak for Data	<=2.1
IBM Watson Query with Cloud Pak for Data	<=2.0
IBM Data Virtualization on Cloud Pak for Data	<=1.8
IBM Data Virtualization on Cloud Pak for Data	<=1.7
All of
Any of
IBM DB2 Universal Database	>=10.5.0.0<=10.5.0.11
IBM DB2 Universal Database	>=11.1.0.0<=11.1.4.7
IBM DB2 Universal Database	>=11.5<=11.5.9
Any of
HPE HP-UX
IBM AIX
IBM z/OS Linux
Linux Kernel
Microsoft Windows Operating System
Oracle Solaris and Zettabyte File System (ZFS)

Remedy

https://www.ibm.com/support/pages/node/7105503

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7183851

Frequently Asked Questions

What is the severity of CVE-2023-27859?
CVE-2023-27859 has been rated as a critical vulnerability due to its potential to allow arbitrary code execution by remote users.
How do I fix CVE-2023-27859?
To mitigate CVE-2023-27859, update to the latest available version of IBM Db2 that resolves this issue.
What versions of IBM Db2 are affected by CVE-2023-27859?
CVE-2023-27859 affects IBM Db2 versions 10.1, 10.5, 11.1, and 11.5.
What may happen if I don't address CVE-2023-27859?
Failure to address CVE-2023-27859 could result in unauthorized remote code execution within your Db2 environment.
Can CVE-2023-27859 affect databases on different servers?
Yes, CVE-2023-27859 allows a malicious user to exploit vulnerable jar file installations across multiple databases, even if they are hosted on different servers.

agent/title
agent/type
agent/first-publish-date
agent/description
agent/author
agent/remedy
collector/mitre-cve
source/MITRE
agent/trending
agent/source
agent/last-modified-date
agent/references
agent/severity
agent/event
collector/ibm-support
source/IBM
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
vendor/ibm
canonical/ibm data virtualization on cloud pak for data
version/ibm data virtualization on cloud pak for data/3.0
canonical/ibm watson query with cloud pak for data
version/ibm watson query with cloud pak for data/2.2
version/ibm watson query with cloud pak for data/2.1
version/ibm watson query with cloud pak for data/2.0
version/ibm data virtualization on cloud pak for data/1.8
version/ibm data virtualization on cloud pak for data/1.7
canonical/ibm db2 universal database
version/ibm db2 universal database/10.5.0.0
version/ibm db2 universal database/10.5.0.11
version/ibm db2 universal database/11.1.0.0
version/ibm db2 universal database/11.1.4.7
version/ibm db2 universal database/11.5
version/ibm db2 universal database/11.5.9
vendor/hp
canonical/hpe hp-ux
canonical/ibm aix
canonical/ibm z/os linux
vendor/linux
canonical/linux kernel
vendor/microsoft
canonical/microsoft windows operating system
vendor/oracle
canonical/oracle solaris and zettabyte file system (zfs)