History: Jun 16, 2018 - 1:09 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect InfoSphere Warehouse, DB2 Warehouse Edition and DB2 Warehouse Edition Tooling. (CVE-2014-6457 and CVE-2014-6558)

2018-06-16 13:09:07
www.ibm.com
CVSS2: 4 Medium

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:N/AC:H/Au:N/C:N/I:P/A:P

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7.x and JDK v6.x that are used by InfoSphere Warehouse/DB2 Warehouse and Warehouse Tooling. These issues were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

CVEID: CVE-2014-6457

DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6558

DESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Product Version | Affected Components | Note
---|---|---
InfoSphere Warehouse v9.7 (All Editions)<br>- Advanced Enterprise Edition<br>- Enterprise Edition<br>- Enterprise Base Edition<br>- Advanced Departmental Edition<br>- Departmental Edition<br>- Departmental Base Edition<br>- Developer Edition | Design Studio | Affected Java version listed in the next table
InfoSphere Warehouse v10.1 (All Editions)<br>- Advanced Enterprise Edition<br>- Enterprise Edition<br>- Enterprise Base Edition<br>- Advanced Departmental Edition<br>- Departmental Edition<br>- Departmental Base Edition<br>- Developer Edition | Design Studio | Affected Java version listed in the next table
DB2 for Linux, Unix and Windows v10.5<br>- Advanced Workgroup Server Edition<br>- Advanced Enterprise Server Edition<br>- Developer Edition | Design Studio | Affected Java version listed in the next table

Affected Product | Affected Java version shipped | Remediated Java Version
---|---|---
InfoSphere Warehouse v9.7 (All Editions)<br>- Advanced Enterprise Edition<br>- Enterprise Edition<br>- Enterprise Base Edition<br>- Advanced Departmental Edition<br>- Departmental Edition<br>- Departmental Base Edition<br>- Developer Edition | - 9.7 -> 6.0.2<br>- 9.7.1 -> 6.0.5<br>- 9.7.2 -> 6.0.5<br>- 9.7.3 -> 6.0.9 | 6.0.x -> 6 SR16-FP2 (November 14 2014):<br>For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Windowsx8632&continue=1<br>For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Linuxx8632&continue=1
InfoSphere Warehouse v10.1 (All Editions)<br>- Advanced Enterprise Edition<br>- Enterprise Edition<br>- Enterprise Base Edition<br>- Advanced Departmental Edition<br>- Departmental Edition<br>- Departmental Base Edition<br>- Developer Edition | - 10.1 -> 6.0.10<br>- 10.1.0.2 -> 7.0.2 | 6.0.x -> 6 SR16-FP2 (November 14 2014):<br>For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Windowsx8632&continue=1<br>For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Linuxx8632&continue=1<br>7.0.x -> 7 SR8 (November 14 2014):<br>For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Windowsx8632&continue=1<br>For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Linuxx8632&continue=1
DB2 for Linux, Unix and Windows v10.5<br>- Advanced Workgroup Server Edition<br>- Advanced Enterprise Server Edition<br>- Developer Edition | - 10.5 -> 7.0.2<br>- 10.5.0.4 -> 7.1.1<br>- 10.5.0.5 -> 7.1.1 | 7.0.x -> 7 SR8 (November 14 2014):<br>For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Windowsx8632&continue=1<br>For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Linuxx8632&continue=1<br>7.1.x -> 7R1 SR2 (October 30 2014):<br>For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.1.2.0-JavaSE-SDK-Windowsx8664&continue=1<br>For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.1.2.0-JavaSE-SDK-Linuxx86_6464&continue=1

Remediation/Fixes

Before you begin, go to the table above and find the IBM SDK, Java™ Technology Edition download link that matches your product version and platform. If you cannot find the download link for your product version and platform, contact IBM Technical Support and refer to this security bulletin.

On Windows, complete the following steps:

  1. Download the installable package (for example: ibm-java-sdk-71-win-x86_64.exe), or download the compressed archive zip package (for example: ibm-java-sdk-71-win-x86_64.zip) that matches the product architecture (for example 64-bit or 32-bit)…
  2. Extract it to a folder on a local file system (for example C:\temp\java71).
  3. Run the installer. The IBM SDK, Java™ Technology Edition will be installed on your local file system (for example C:\Program Files\IBM\Java71).
  4. If the product is open and running, exit out of the product.
  5. Open the eclipse.ini file located in the product install directory (for example: C:\Program Files\IBM\ISWarehouse\ds\eclipse.ini).
  6. Change the -vm argument to point to the new IBM SDK, Java™ Technology Edition that was just installed (for example, change it to -vm C:/Program Files/IBM/Java71/jre/bin/javaw.exe).
  7. Save and close the file. Note: editing the eclipse.ini file may require administrator privileges.
  8. Restart the product.

On Linux, complete the following steps:

  1. Download the installable package (for example: ibm-java-x86_64-sdk-7.1-2.0.bin), or download the compressed archive package (for example: ibm-java-x86_64-sdk-7.1-2.tar.gz) that matches the product architecture (for example 64-bit or 32-bit).
  2. Extract it to a folder on a local file system (for example /tmp/ibm-jdk-7.1-2.0).
  3. If necessary change the file permission (for example chmod 755 ibm-java-x86_64-sdk-7.1-2.0.bin).
  4. Run the installer (for example enter ./ibm-java-x86_64-sdk-7.1-2.0.bin). The IBM SDK, Java™ Technology Edition will be installed on your local file system (for example /opt/ibm/java-x86_64-71).
  5. If the product is open and running, exit out of the product.
  6. Open the eclipse.ini file located in the product install directory (for example opt/IBM/ISWarehouse/ds).
  7. Change the -vm argument to point to the new IBM SDK, Java™ Technology Edition that was just installed (for example, change it to -vm /opt/ibm/java-x86_64-71/jre/bin/javaw.exe).
  8. Save and close the file.
  9. Restart the product.

**NOTE:** You might have to repeat steps 4 through 8 for Windows or 5 through 9 for Linux after you install an APAR or upgrade to a newer version of Java, if the version of the IBM SDK, Java™ Technology Edition that is installed with the product is older than the version of Java that you installed following the above instructions. You can determine the version of the IBM SDK, Java™ Technology Edition that is installed with the product by looking at the version.properties file (for example: Windows C:\Program Files\IBM\ISWarehouse\ds\jdk\jre\lib\version.properties or Linux /opt/ISWarehouse/ds/jdk/jre/lib/version.properties); or by running the command "java -version" (for example: Windows "C:\Program Files\IBM\ISWarehouse\ds\jdk\jre\bin\java -version" or Linux "/opt/ISWarehouse/ds/jdk/jre/bin/java -version").
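After the Linux steps, and again after any APAR or upgrade, it is worth confirming that the launcher really uses the new SDK. The script below is an added example, not part of IBM's bulletin or tooling; it assumes the standard Eclipse launcher rules that `-vm` and its path sit on separate lines and that `-vm` precedes `-vmargs`, and its function names, exit codes and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM tooling): audit the -vm entry in an eclipse.ini.
# Function names and exit codes are hypothetical.

# Print the launcher JVM path from eclipse.ini ($1). Exit status:
#   0 found, 1 no usable -vm entry, 2 -vm placed after -vmargs,
#   3 "-vm <path>" on one line (the launcher reads one argument per line).
eclipse_vm_path() {
    awk '
        BEGIN { rc = 1 }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        want && $0 != "" { print; rc = 0 } # line after -vm is the path
        want { exit }
        /^-vm[ \t]+[^ \t]/ { rc = 3; exit }
        /^-vmargs[ \t]*$/ { vmargs = 1; next }
        /^-vm[ \t]*$/ && vmargs { rc = 2; exit }
        /^-vm[ \t]*$/ { want = 1 }
        END { exit rc }
    ' "$1"
}

# Succeed only if eclipse.ini ($1) points at an executable JVM under the
# newly installed SDK directory ($2); 4 = other JVM, 5 = not executable.
check_eclipse_vm() {
    vm=$(eclipse_vm_path "$1") || return $?
    case "$vm" in
        "$2"/*) ;;
        *) return 4 ;;
    esac
    [ -x "$vm" ] || return 5
}

# Constructed demo: a stub SDK tree and two eclipse.ini variants.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sdk/jre/bin" && : > "$d/sdk/jre/bin/java"
    chmod 755 "$d/sdk/jre/bin/java"
    printf '%s\n' -startup launcher.jar -vm "$d/sdk/jre/bin/java" \
        -vmargs -Xmx512m > "$d/good.ini"
    printf '%s\n' -startup launcher.jar "-vm $d/sdk/jre/bin/java" \
        -vmargs -Xmx512m > "$d/oneline.ini"
    for f in good oneline; do
        s=0; check_eclipse_vm "$d/$f.ini" "$d/sdk" || s=$?
        echo "$f.ini -> status $s"
    done
    rm -rf "$d"
}
demo
```

A status of 4 after an APAR or product upgrade means eclipse.ini points at a JVM outside the SDK directory you installed, which is the situation the note above describes.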

Workarounds and Mitigations

No workaround.
