6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
Steps to update Java for QMF Workstation & QMF Vision
CVEID:CVE-2020-2601
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
DB2 Query Management Facility for z/OS | 11.2.1 |
DB2 Query Management Facility for z/OS | 12.1 |
Query Management Facility Classic Edition | 11.1 |
DB2 Query Management Facility for z/OS | 12.2 |
Query Management Facility Enterprise Edition | 11.1 |
DB2 Query Management Facility for z/OS | 11.2 |
DB2 Query Management Facility for z/OS | 11.1 |
Please see “Workaround”
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.6.15 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.6.15 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.
4. Start application
Steps to update Java - QMF Vision:
1. Go to: https://adoptopenjdk.net/releases.html
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)
- QMFServerLite
4. Delete contents of folder - C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_131.
Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.
5. Copy content of downloaded jre from the temporary location (step # 2) to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.
6. Rename folder jre1.8.0_131 to jre.
Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace “jre1.8.0_131” with “jre”, and save.
8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11 Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N