Security Bulletin: IBM DataQuant is vulnerable to CVE-2020-14781

Summary

CVE-2020-14781 is an unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.

Vulnerability Details

CVEID:CVE-2020-14781
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Please see “Workarounds and Mitigations”.

Workarounds and Mitigations

Use the following instructions to download the latest JRE version from the IBM Java download portal and replace it with the JRE you are currently invoking.

Steps to update JRE - DataQuant:

1. Close DataQuant.

2. Download JRE (IBM_DevelopmentPackage_for_Eclipse_Win_X86_32_6.6.15) and extract the files to a temporary location.

3. Replace jre folder at the install directory location –> “C:\Program Files\IBM\IBM DataQuant\DataQuant for Workstation”. Replace with contents in step above.

4. Download eclipse oxygen from <https://www.eclipse.org/downloads/download.php?file=/technology/epp/downloads/release/oxygen/3a/eclipse-jee-oxygen-3a-win32-x86_64.zip&gt;

5. Extract the eclipse oxygen and copy the plugin - org.apache.jasper.glassfish_2.2.2.v201501141630.jar from eclipse-jee-oxygen-3a-win32-x86_64\eclipse\plugins

6. Copy org.apache.jasper.glassfish_2.2.2.v201501141630.jar in the folder where DataQuant is installed - C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins

7. Delete the older plugin org.apache.jasper.glassfish_2.2.2.v201205150955.jar from the DataQuant install directory