Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU Jul 2021 - Includes Oracle Jul 2021 CPU (minus CVE-2021-2341)

Summary

This Security Bulletin provides steps for updating Java for Db2 Query Management Facility QMF Workstation and QMF Vision.

Vulnerability Details

CVEID:CVE-2021-2388
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-2369
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Library component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205796 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:CVE-2021-2432
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205856 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

Please see ‘Workarounds and Mitigations’

Workarounds and Mitigations

Below are steps to update Java - QMF Workstation and QMF Vision

Steps to update Java - QMF for Workstation:

1. Download ** JRE 8.0.**6.35 version from IBM Java download portal.

2. Close QMF for workstation , if any instance is running.

3. Copy 8.0.6.35 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.

4. Start application.

Note:

Users of QMF for Workstation (v12.2.0.1 – v12.2.0.4) must upgrade to version 12.2.0.5 before applying this Java upgrade.

This is required for scheduled tasks to work seamlessly after the Java Update.

Steps to update Java - QMF Vision:

1. Go to: https://adoptopenjdk.net/releases.html
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:

1. IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)
2. QMFServerLite

4. Delete C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_252. Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.
5. Copy folder jre 1.8.0_302 from the temporary location to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.
6. Rename folder jre 1.8.0_302 to jre.

1. Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,
2. Security bulletin # 0880785 link - <https://www-01.ibm.com/support/docview.wss?uid=ibm10880785>

7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:

1. elasticsearch/bin/install.bat
2. elasticsearch/bin/start.bat
3. elasticsearch/bin/stop.bat
4. elasticsearch/bin/uninstall.bat
5. qmfserver/bat/setenv.bat
6. qmfserver/conf/wrapper.con

8. 7. For each file, replace "jre1.8.0_302" with "jre", and save.
   

9. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.

10. Execute:

1. uninstall.bat
2. install.bat

10. Change directory to qmfserver/bat.
11. Execute:

12. 1. uninstallService.bat
    

2. installService.bat.

12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.

13. Restart Windows Services:

1. IBM QMF Vision Indexing Service
2. IBM QMF Vision Web Service
3. QMFServerLite