CVE-2022-22353 : Security Advisory and Response

IBM Big SQL on IBM Cloud Pak for Data versions 7.1.0, 7.1.1, 7.2.0, and 7.2.3 has a vulnerability that could allow an authenticated user to access sensitive information by bypassing data masking rules.

Understanding CVE-2022-22353

This CVE affects IBM Big SQL on Cloud Pak for Data and allows authenticated users to read sensitive data that masking rules are meant to hide.

What is CVE-2022-22353?

The vulnerability in IBM Big SQL on IBM Cloud Pak for Data versions 7.1.0 through 7.2.3 permits an authenticated user to bypass data masking rules via a CREATE TABLE SELECT statement.

The Impact of CVE-2022-22353

The issue is rated medium severity: the impact on confidentiality is high and the impact on integrity is low. Exploitation requires low privileges, and the attack complexity is high.

Technical Details of CVE-2022-22353

This section delves deeper into the specifics of the vulnerability.

Vulnerability Description

The vulnerability allows authenticated users to access sensitive data by circumventing data masking rules.

Affected Systems and Versions

The impacted systems are IBM Big SQL on Cloud Pak for Data versions 7.1.0, 7.1.1, 7.2.0, and 7.2.3.

Exploitation Mechanism

An authenticated user with appropriate permissions can exploit this vulnerability using a CREATE TABLE SELECT statement.

Mitigation and Prevention

Outlined below are the steps to mitigate and prevent the exploitation of CVE-2022-22353.

Immediate Steps to Take

IBM recommends applying the official fix provided to address this vulnerability.

Long-Term Security Practices

Restrict access to sensitive data and regularly review user permissions to prevent unauthorized access.

Patching and Updates

Stay informed about security bulletins and updates from IBM for any patches or fixes.
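To support the permission review on systems still awaiting the fix, the following added example (not part of the original advisory or of IBM's fix) scans statement audit records for CREATE TABLE ... AS SELECT statements that read from tables you have listed as masked. The record layout, table names and function names are assumptions, and the sample records are constructed.

```python
import re

# CREATE [qualifier words] TABLE <target> ... AS [(] SELECT ...
CTAS = re.compile(
    r'^\s*CREATE\s+(?:\w+\s+)*?TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w."]+)'
    r'.*?\bAS\s*\(?\s*(SELECT\b.*)$',
    re.IGNORECASE | re.DOTALL,
)
# Table names that follow FROM or JOIN in the SELECT part.
SOURCES = re.compile(r'\b(?:FROM|JOIN)\s+([\w."]+)', re.IGNORECASE)

# Constructed sample audit records (user, statement); not from a real system.
SAMPLE = [
    ("alice", "SELECT ssn FROM hr.employees WHERE id = 7"),
    ("bob", "CREATE HADOOP TABLE scratch.copy1 AS SELECT * FROM hr.employees"),
    ("carol", "create table tmp.t2 as (select o.id from sales.orders o)"),
    ("dave", 'CREATE TABLE tmp.t3 AS SELECT e.ssn FROM sales.orders o '
             'JOIN "HR"."EMPLOYEES" e ON o.emp = e.id'),
]


def norm(name):
    """Normalise an identifier for comparison: drop quotes, upper-case."""
    return name.replace('"', "").upper()


def flag_ctas_on_masked(records, masked_tables):
    """Return (user, target, masked sources) for each CTAS reading a masked table.

    records: iterable of (user, sql_text) pairs from a statement audit trail.
    masked_tables: schema-qualified names of tables that carry masking rules.
    """
    masked = {norm(t) for t in masked_tables}
    findings = []
    for user, sql in records:
        m = CTAS.match(sql)
        if not m:
            continue  # not a CREATE TABLE ... AS SELECT statement
        hits = sorted({norm(s) for s in SOURCES.findall(m.group(2))} & masked)
        if hits:
            findings.append((user, norm(m.group(1)), hits))
    return findings


if __name__ == "__main__":
    for finding in flag_ctas_on_masked(SAMPLE, ["hr.employees"]):
        print(finding)
```

The matching is textual, so it does not resolve unqualified table names or views built over masked tables. Treat each finding as a prompt to review the target table and the user's privileges.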
