Security Bulletin: IBM Db2 Mirror for i GUI is affected by cross-site WebSocket hijacking and session fixation vulnerabilities [CVE-2025-36116, CVE-2025-36117].

Summary

IBM Db2 Mirror for i GUI is affected by cross-site WebSocket hijacking and session fixation vulnerabilities as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2025-36116
DESCRIPTION: IBM Db2 Mirror for i GUI is affected by a cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection and then remotely perform operations that the user is not allowed to perform.
CWE: CWE-1385: Missing Origin Validation in WebSockets
CVSS Source: IBM
CVSS Base score: 6.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2025-36117
DESCRIPTION: IBM Db2 Mirror for i does not disallow the session id after use, which could allow an authenticated user to impersonate another user on the system.
CWE: CWE-384: Session Fixation
CVSS Source: IBM X-Force
CVSS Base score: 6.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Db2 Mirror for i | 7.4 |
| IBM Db2 Mirror for i | 7.5 |
| IBM Db2 Mirror for i | 7.6 |

Remediation/Fixes

The issues can be fixed by applying a PTF to IBM i. IBM Db2 Mirror for i releases 7.6, 7.5, and 7.4 will be fixed. The PTF numbers for 5770-DBM containing the fix for the vulnerabilities are in the…
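The two weakness classes in this bulletin, CWE-1385 (missing Origin validation on a WebSocket upgrade) and CWE-384 (session fixation), have well-understood server-side mitigations. The following is an added example written for this page; it is not IBM's code and says nothing about how Db2 Mirror for i is implemented. The allow-listed origin `https://gui.example.internal`, the header dictionaries and the `SessionStore` layout are all constructed assumptions for illustration.

```python
"""Added example (not IBM's code): defensive checks for the two weakness
classes named in the bulletin, CWE-1385 (missing Origin validation on a
WebSocket upgrade) and CWE-384 (session fixation). All names, origins and
the session layout below are assumptions constructed for illustration."""
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list: the origin(s) the GUI is legitimately served from.
ALLOWED_ORIGINS: Set[str] = {"https://gui.example.internal"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None for anything that is not a well-formed http(s) origin,
    including the literal "null" that browsers send for opaque origins."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def websocket_upgrade_allowed(headers: Dict[str, str],
                              allowed: Set[str] = ALLOWED_ORIGINS) -> bool:
    """Decide whether a WebSocket upgrade request may proceed.

    This is the check CWE-1385 describes as missing: a browser always attaches
    an Origin header to the upgrade, so an absent, malformed or unlisted
    Origin is rejected before the socket is attached to the user's
    cookie-authenticated session."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if lowered.get("upgrade", "").lower() != "websocket":
        return False
    origin = lowered.get("origin")
    if origin is None:
        return False
    canonical = normalize_origin(origin)
    return canonical is not None and canonical in allowed


class SessionStore:
    """Minimal server-side session table that rotates the identifier at login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def create(self) -> str:
        """Issue an anonymous, pre-authentication session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Bind a user to the session and return a *new* id.

        The pre-authentication id is deleted, so an id that was planted or
        observed before login stops working (the CWE-384 fix)."""
        state = self._sessions.pop(sid, None)
        if state is None:
            raise KeyError("unknown or already-rotated session id")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def login_without_rotation(self, sid: str, user: str) -> str:
        """The fixation-prone pattern, kept only for contrast: the same id
        stays valid across the authentication boundary."""
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None
```

`websocket_upgrade_allowed` rejects a missing Origin rather than treating it as trusted; non-browser clients that legitimately omit Origin should authenticate with a bearer token on the upgrade instead of relying on ambient cookies. `SessionStore.login` is the only authentication path a production handler should expose; `login_without_rotation` exists purely to show the behaviour that CWE-384 warns about.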
