Security Bulletin: A security vulnerability has been idenfied in IBM SDK which affects IBM Db2 Query Management Facility ( CVE-2019-2684, CVE-2019-2602, CVE-2019-2697, CVE-2019-2698)

Summary

A security vulnerability has been identified in IBM SDK that could affect Db2 Query Management Facility.

Vulnerability Details

CVEID: CVE-2019-2684 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded RMI component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9

CVEID: CVE-2019-2602 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5

CVEID: CVE-2019-2697 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE 2D component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.1

CVEID: CVE-2019-2698 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE 2D component could allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.1

Affected Products and Versions

Principal Product and Version(s)

DB2 Query Management Facility for z/OS v11.1
Query Management Facility Enterprise Edition V11.1
DB2 Query Management Facility for z/OS v11.2
DB2 Query Management Facility for z/OS v12.1
DB2 Query Management Facility for z/OS 12.2

Remediation/Fixes

Steps to update Java - Query Management Facility for Workstation:

1. Download JRE 8.0.5.35 version from IBM Java download portal.

2. Close QMF for workstation , if any instance is running.

3. Copy 8.0.5.35 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.

4. Start application

Steps to update Java -Query Management Facility Vision:

1. Go to: https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

2. Download “jre-8u221-windows-x64.tar.gz”, and extract the files to a temporary location.

3. Stop the following Windows services:

- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)

- QMFServerLite

4. Delete C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_131.

Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.

5. Copy folder jre1.8.0_221 from the temporary location to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.

6. Rename folder jre1.8.0_221 to jre.

Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,

Security bulletin # 0880785 link - <https://www-01.ibm.com/support/docview.wss?uid=ibm10880785&gt;

7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:

elasticsearch/bin/install.bat

elasticsearch/bin/start.bat

elasticsearch/bin/stop.bat

elasticsearch/bin/uninstall.bat

qmfserver/bat/setenv.bat

qmfserver/conf/wrapper.conf

For each file, replace “jre1.8.0_131” with “jre”, and save.

8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.

9. Execute:

uninstall.bat

install.bat

10. Change directory to qmfserver/bat.

11 Execute:

uninstallService.bat

installService.bat.

12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.

13. Restart Windows Services:

- IBM QMF Vision Indexing Service

- IBM QMF Vision Web Service

- QMFServerLite

Workarounds and Mitigations

None