Qiguang Zhu

Name of the Vulnerable Software and Affected Versions: IBM Db2 versions 9.7, 10.1, 10.5, 11.1, and 11.5 Description: The issue is related to an Information Disclosure when using the LOAD utility under certain circumstances where it does not enforce directory restrictions. Recommendations: For IBM Db2 versions 9.7, 10.1, 10.5, 11.1, and 11.5, consider restricting access to the LOAD utility until a patch is available. As a temporary workaround, consider implementing additional directory restrictions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 9.7, 10.1, 10.5, 11.1, and 11.5 **Description** The issue allows a user with DBADM authority to access other databases and read or modify files. **Recommendations** For versions 9.7, 10.1, 10.5, 11.1, and 11.5, consider restricting the DBADM authority to minimize the risk of exploitation. As a temporary workaround, consider disabling access to sensitive databases and files until a patch is available. Restrict access to the affected databases to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 12.2.0.1, 19c, and 21c Description: The issue affects the RDBMS Security component, allowing a high-privileged attacker with DBA privilege and network access via Oracle Net to compromise RDBMS Security. Successful attacks can result in unauthorized access to update, insert, or delete some RDBMS Security accessible data, as well as cause a hang or complete denial of service of RDBMS Security. Recommendations: For version 12.2.0.1, update to a version that includes the fix for this issue. For version 19c, update to a version that includes the fix for this issue. For version 21c, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the RDBMS Security component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2 through 19c **Description** The issue is related to insufficient input validation in the Oracle XML DB component, allowing a high-privileged attacker with Alter User privilege and network access via Oracle Net to compromise Oracle XML DB. This can result in unauthorized access to critical data or complete access to all Oracle XML DB accessible data. **Recommendations** For versions 12.1.0.2, 12.2.0.1, and 19c, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.