CVE-2023-27867: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows versions 10.5, 11.1, and 11.5 contains a vulnerability that could allow a remote authenticated attacker to execute arbitrary code via JNDI Injection. The vulnerability was assigned CVE-2023-27867 and was disclosed in July 2023 (IBM Advisory).

The vulnerability exists due to improper validation of the clientRerouteServerListJNDIName property. By sending a specially crafted request using this property, an attacker could exploit the vulnerability to execute arbitrary code on the system. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H according to NVD, while IBM rates it at 6.3 MEDIUM. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD, IBM Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects multiple versions of IBM Db2 JDBC Driver across various platforms (NetApp Advisory).

IBM has released special builds containing interim fixes for affected versions: V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. For applications calling the JDBC driver, it is recommended to ensure all passed values, classes, etc. are properly set, sanitized, and contain valid values (IBM Advisory).