IBMCCDACEB58192F5A227256B40DC626E439EBEA9983A36F4B71941E2A60D78D407Security Bulletin: Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024 - Includes Oracle April 2024 CPU plus CVE-2023-38264
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.7%
Summary
Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024 - Includes Oracle April 2024 CPU plus CVE-2023-38264
Vulnerability Details
CVEID:CVE-2024-21094
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2024-21011
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| DB2 Query Management Facility for z/OS | 12.2 |
| DB2 Query Management Facility for z/OS | 13.1 |
Remediation/Fixes
Please see “Workarounds and Mitigations”
Workarounds and Mitigations
Use the following instructions to download the latest JRE version from the IBM Java download portal and replace it with the JRE you are currently invoking.
Steps to update Java - QMF for Workstation:
- Download JRE 8.0.8.25 version from IBM Java download portal.
- Close QMF for workstation , if any instance is running.
- Copy 8.0.8.25 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.
- Start application
Observations:
- While updating java in QMF for workstation for z/OS and Multiplatform build versions from 12.2.0.1 to 12.2.0.4 will reflect some issue for scheduled tasks after java update. Please update to QMF 12.2.0.5 before applying the java update for scheduled tasks to run without any issues.
- After migrating to QMF 12.2.0.5, update the java using above steps. To run Visual Reports, please set below 3 VM arguments in C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\eclipse.ini (QMF install directory)
-Djdk.xml.xpathExprGrpLimit=0
-Djdk.xml.xpathExprOpLimit=0
-Djdk.xml.xpathTotalOpLimit=0
Steps to update Java - QMF Vision:
1. Go to: <https://adoptopenjdk.net/releases.html>
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)
- QMFServerLite
4. Delete C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre 1.8.0_362. (QMF Vision install directory)
Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.
5. Copy folder jre 1.8.0_412 from the temporary location to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java. (QMF Vision install directory)
6. Rename folder jre 1.8.0_412 to jre.
Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace “jre1.8.0_362” with “jre”, and save.
8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11. Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| db2 query management facility | eq | 12.2 | |
| db2 query management facility | eq | 13.1 |
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.7%