Security Bulletin: CVE-2020-2601 (deferred from Oracle Jan 2020 CPU)

Summary

Steps to update JRE - IBM DataQuant

Vulnerability Details

CVEID:CVE-2020-2601
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Please see “Workarounds”

Workarounds and Mitigations

Steps to update JRE - DataQuant:

1. Close DataQuant.
2. Download JRE (ibm-java-jre-80-win-i386) and extract the files to a temporary location.
3. Replace jre folder at the install directory location –> “C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation”. Replace with contents in step # 2.
4. Download eclipse oxygen from https://www.eclipse.org/downloads/download.php?file=/technology/epp/downloads/release/oxygen/3a/eclipse-jee-oxygen-3a-win32-x86_64.zip
5. Extract the eclipse oxygen and copy the plugin - org.apache.jasper.glassfish_2.2.2.v201501141630.jar from eclipse-jee-oxygen-3a-win32-x86_64\eclipse\plugins
6. Copy org.apache.jasper.glassfish_2.2.2.v201501141630.jar in the folder where DataQuant is installed - C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins
7. Delete the older plugin org.apache.jasper.glassfish_2.2.2.v201205150955.jar from the DataQuant install directory