CVE-2020-4230: 
IBM Db2 vulnerability analysis and mitigation

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 11.1 and 11.5 was identified with a privilege escalation vulnerability tracked as CVE-2020-4230. The vulnerability was discovered and assigned on December 30, 2019, allowing an authenticated local attacker with special permissions to execute specially crafted Db2 commands to modify the owner of stored procedures to SYSIBM, potentially leading to privilege escalation (IBM Security).

The vulnerability has been assigned a CVSS Base score of 6.7 with a vector of CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. This indicates a local attack vector requiring high privileges but no user interaction, with potential for high impacts on confidentiality, integrity, and availability in an unchanged scope (IBM Security).

If successfully exploited, this vulnerability allows an authenticated attacker with special permissions to escalate their privileges by executing specially crafted Db2 commands. The attacker could modify the owner of stored procedures to SYSIBM, effectively gaining elevated access to the database system (IBM Security).

IBM has released fixes for affected versions through special builds. For V11.1, the fix is available in Fix Pack 6 (APAR IT31604), and for V11.5, a special build containing APAR IT31481 was released. These fixes can be applied to any affected fixpack level of the appropriate release to remediate the vulnerability. No workarounds were provided as alternatives to patching (IBM Security).