CVE-2018-1426

moderate-risk
Published 2018-03-22

IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.

Do I need to act?

-
0.68% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
NETWORK / HIGH complexity

Affected Products (4)

Db2
Db2
Db2
Db2

Affected Vendors

Ibm

References (8)

Vendor Advisory http://www.ibm.com/support/docview.wss?uid=swg22013756
Third Party Advisory http://www.securityfocus.com/bid/105580
Third Party Advisory http://www.securitytracker.com/id/1041012
VDB Entry https://exchange.xforce.ibmcloud.com/vulnerabilities/139071
Vendor Advisory http://www.ibm.com/support/docview.wss?uid=swg22013756
Third Party Advisory http://www.securityfocus.com/bid/105580
Third Party Advisory http://www.securitytracker.com/id/1041012
VDB Entry https://exchange.xforce.ibmcloud.com/vulnerabilities/139071
34
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 10/34 · Low