Security Bulletin: CVE-2020-2601 (deferred from Oracle Jan 2020 CPU)

Summary

Steps to update Java for QMF Workstation & QMF Vision

Vulnerability Details

CVEID:CVE-2020-2601
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Please see “Workaround”

Workarounds and Mitigations

Steps to update Java - QMF for Workstation:

1. Download JRE 8.0.6.15 version from IBM Java download portal.

2. Close QMF for workstation , if any instance is running.

3. Copy 8.0.6.15 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.

4. Start application

Steps to update Java - QMF Vision:

1. Go to: https://adoptopenjdk.net/releases.html

2. Download Open JDK 8(LTS) and extract the files to a temporary location.

3. Stop the following Windows services:

- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)

- QMFServerLite

4. Delete contents of folder - C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_131.

Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.

5. Copy content of downloaded jre from the temporary location (step # 2) to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.

6. Rename folder jre1.8.0_131 to jre.

Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,

Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785

7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:

elasticsearch/bin/install.bat

elasticsearch/bin/start.bat

elasticsearch/bin/stop.bat

elasticsearch/bin/uninstall.bat

qmfserver/bat/setenv.bat

qmfserver/conf/wrapper.conf

For each file, replace “jre1.8.0_131” with “jre”, and save.

8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.

9. Execute:

uninstall.bat

install.bat

10. Change directory to qmfserver/bat.

11 Execute:

uninstallService.bat

installService.bat.

12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.

13. Restart Windows Services:

- IBM QMF Vision Indexing Service

- IBM QMF Vision Web Service

- QMFServerLite