CVE-2023-27869: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows versions 10.5.0.11, 11.1.4.7, and 11.5.x contains a vulnerability that could allow a remote authenticated attacker to execute arbitrary code on the system. The vulnerability (CVE-2023-27869) was caused by an unchecked logger injection, where an attacker could exploit the vulnerability by sending a specially crafted request using the named traceFile property (IBM Advisory).

The vulnerability is tracked as CVE-2023-27869 with a CVSS v3.1 base score of 8.8 HIGH (NIST) and 6.3 MEDIUM (IBM). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges with no user interaction. The vulnerability is classified as CWE-94: Improper Control of Generation of Code ('Code Injection') (NVD).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete system compromise. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity ratings across all three aspects (NetApp Advisory).

IBM has released special builds containing interim fixes for affected versions. The fixes are available for V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. For applications calling the JDBC driver, it is recommended to ensure all passed values, classes, etc. are properly set, sanitized, and contain valid values (IBM Advisory).