Security Bulletin: Vulnerability in IBM Java SDK affects IBM® DB2® LUW on HP-UX and Solaris (CVE-2015-0383)

2018-06-16 13:11:08
www.ibm.com

5.4 Medium (CVSS2)

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: COMPLETE

AV:L/AC:M/Au:N/C:N/I:P/A:C

Summary

There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 6.0 SR14, 7.0 SR5 and 7.0 SR6, which is used by DB2 LUW on HP-UX and Solaris. This issue was disclosed as part of the IBM Java SDK updates in January 2015.

Vulnerability Details

CVEID: CVE-2015-0383
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.

CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)

Affected Products and Versions

All fix pack levels of IBM DB2 V9.7, V10.1 and V10.5 editions listed below and running on HP-UX and Solaris are affected.

IBM® DB2® Express Edition
IBM® DB2® Workgroup Server Edition
IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition
IBM® DB2® Advanced Workgroup Server Edition
IBM® DB2® Connect™ Application Server Edition
IBM® DB2® Connect™ Enterprise Edition
IBM® DB2® Connect™ Unlimited Edition for System i®
IBM® DB2® Connect™ Unlimited Edition for System z®

Remediation/Fixes

None

Workarounds and Mitigations

Customers running any vulnerable fix pack level of an affected Program (V9.7, V10.1 or V10.5) can contact IBM support to obtain the install image for the IBM JDK on HP-UX/Solaris. Refer to the table below to determine the IBM JDK level required, then follow the instructions below to perform the JDK installation.

DB2 Release   IBM JDK level on HP-UX   IBM JDK level on Solaris
V9.7          6.0 SR16 FP3             6.0 SR16 FP3
V10.1         6.0 SR16 FP3             7.0 SR8 FP10
V10.5         7.0 SR8 FP10             7.0 SR8 FP10

Instruction for IBM JDK Installation

  1. Create a new temporary JDK directory, e.g. jdk64, to store the extracted install files.

  2. Run the following command to extract all the files from the IBM JDK install image tar file (*.tar.Z) into the temporary JDK directory created in step 1:

tar -xvf <IBM JDK install image tar file> -C jdk64

  3. Stop all DB2 instances for the installation.

  4. As root user, back up the original IBM JDK directory within the DB2 installation path and create a new one.

Go to the java sub-directory under <DB2 Installation Path>.
E.g.
cd /opt/IBM/db2/V10.1fp5/java

Back up the original JDK directory <DB2 Installation Path>/java/jdk64.
E.g.
mv /opt/IBM/db2/V10.1fp5/java/jdk64 /opt/IBM/db2/V10.1fp5/java/jdk64_old

Create a new JDK directory under <DB2 Installation Path>/java/.
E.g.
mkdir /opt/IBM/db2/V10.1fp5/java/jdk64

  5. As root user, copy the extracted files from the temporary JDK directory created in step 1 to the new JDK directory under <DB2 Installation Path>. E.g.

cp -R <Temporary JDK directory>/* /opt/IBM/db2/V10.1fp5/java/jdk64/

All the files in the <DB2 Installation Path>/java/jdk64 directory should have r-x permission.

  6. Change the group and owner of all the files in the new JDK directory to bin.
E.g.

chgrp -R bin /opt/IBM/db2/V10.1fp5/java/jdk64
chown -R bin /opt/IBM/db2/V10.1fp5/java/jdk64
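The JDK replacement steps above, collected into one script as an added example (this is not IBM's code). It assumes the DB2 instances have already been stopped, and adds two things a practitioner would want that the bulletin only implies: a refusal to overwrite an existing jdk64_old backup, and a check that every entry in the new jdk64 directory has r-x permission. The optional owner:group parameter is an addition so the function can be exercised as a non-root user; the bulletin's own setting is bin:bin.

```shell
#!/bin/sh
# Added example, not IBM's script. Replays the bulletin's JDK swap for DB2 on
# HP-UX/Solaris. Assumes the DB2 instances are already stopped (step 3) and
# that the caller is root when the owner is left at the default bin:bin.
set -eu

# Report every entry under $1 that lacks r-x for owner, group and other
# (the bulletin's "all files should have r-x permission"). Returns 1 on any hit.
check_rx_perms() {
    offenders=$(find "$1" ! -perm -555)
    if [ -n "$offenders" ]; then
        printf 'entries without r-x permission:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# install_db2_jdk <DB2 install path> <IBM JDK tar image> [owner:group]
# Extracts the image into a temporary directory (step 2), backs up the shipped
# JDK as jdk64_old (step 4), copies the new files in (step 5) and sets
# ownership (step 6; chgrp is folded into chown). The owner:group argument is
# an assumption added for testing; bin:bin is what the bulletin directs.
install_db2_jdk() {
    db2path=$1; image=$2; owner=${3:-bin:bin}
    javadir="$db2path/java"
    [ -d "$javadir/jdk64" ] || { echo "no JDK at $javadir/jdk64" >&2; return 1; }
    [ -e "$javadir/jdk64_old" ] && { echo "jdk64_old already exists, refusing to overwrite the backup" >&2; return 1; }

    tmpjdk=$(mktemp -d)
    tar -xf "$image" -C "$tmpjdk"              # step 2 (bulletin uses -xvf)

    mv "$javadir/jdk64" "$javadir/jdk64_old"   # step 4: keep the old JDK
    mkdir "$javadir/jdk64"
    cp -R "$tmpjdk"/* "$javadir/jdk64/"        # step 5
    chown -R "$owner" "$javadir/jdk64"         # step 6
    rm -rf "$tmpjdk"

    check_rx_perms "$javadir/jdk64"            # verify the stated requirement
}
```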

Notes:

  1. With this update, the metadata of the new JDK is not recorded with the installer. Hence, for a fix pack update in the same installation path, execution of the db2val utility (the tool that validates files laid down by the DB2 installer at the system, instance or database level after a new installation) may fail. A fix pack update to a new installation path is not affected.

  2. Uninstall will not be able to remove the jdk64 and jdk64_old folders; the user will have to remove them manually.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
