CVE-2023-27868: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows versions 10.5, 11.1, and 11.5 contains a vulnerability identified as CVE-2023-27868. The vulnerability was discovered in March 2023 and publicly disclosed in July 2023. This security flaw is caused by an unchecked class instantiation when providing plugin classes, affecting the JDBC driver component of the database system (IBM Advisory, NVD).

The vulnerability stems from improper control of class instantiation when handling plugin classes in the JDBC driver. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while IBM assessed it with a lower score of 6.3 (MEDIUM). The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

When successfully exploited, this vulnerability could allow a remote authenticated attacker to execute arbitrary code on the affected system. The potential impact includes complete compromise of system confidentiality, integrity, and availability (IBM Advisory, NetApp Advisory).

IBM has released special builds containing interim fixes for affected versions. These builds are available for V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. As a workaround, administrators should ensure all passed values, classes, and other parameters are properly set, sanitized, and contain valid values when applications call the JDBC driver (IBM Advisory).