CVE-2023-47152: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 was identified with a vulnerability related to insecure cryptographic algorithm usage and potential information disclosure in stack trace under exceptional conditions. The vulnerability was assigned CVE-2023-47152 and was publicly disclosed on January 22, 2024. The vulnerability affects IBM Db2 version 11.5.x systems across multiple platforms (IBM Security Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) by NIST, while IBM Corporation rated it at 5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). The vulnerability is related to both an insecure cryptographic algorithm implementation and potential information exposure through stack traces under specific conditions (NVD).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information. The vulnerability affects the confidentiality of the system but does not impact system integrity or availability (NetApp Security Advisory).

IBM has released special builds containing interim fixes for affected versions, particularly for V11.5.9. These special builds can be applied to any affected fixpack level to remediate the vulnerability. Customers running vulnerable fixpack levels of V11.5.x can download the special build containing the interim fix from Fix Central. For specific components like db2jcc4.jar, customers need to contact Db2 support directly (IBM Security Bulletin).