IBMD89289B9CECC2BB3FBC01DA874A32E880AA088E32097E6F810B1B31F53DEDE04Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jul 2020 - Includes Oracle Jul 2020 CPU plus one additional vulnerability
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
Summary
Steps to update Java for QMF Workstation & QMF Vision
Vulnerability Details
CVEID:CVE-2020-14583
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2020-14593
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185071 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID:CVE-2020-14621
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2020-14556
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2020-14581
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the 2D component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185059 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-14579
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-14578
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-14577
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2019-17639
**DESCRIPTION:**Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array can, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| DB2 Query Management Facility for z/OS | 11.2.1 |
| DB2 Query Management Facility for z/OS | 12.1 |
| Query Management Facility Classic Edition | 11.1 |
| DB2 Query Management Facility for z/OS | 12.2 |
| Query Management Facility Enterprise Edition | 11.1 |
| DB2 Query Management Facility for z/OS | 11.2 |
| DB2 Query Management Facility for z/OS | 11.1 |
Remediation/Fixes
Please see }Workarounds"
Workarounds and Mitigations
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.6.15 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.6.15 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.
4. Start application
Steps to update Java - QMF Vision:
1. Go to: https://adoptopenjdk.net/releases.html
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)
- QMFServerLite
4. Delete contents of folder - C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_131.
Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.
5. Copy content of downloaded jre from the temporary location (step # 2) to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.
6. Rename folder jre1.8.0_131 to jre.
Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace “jre1.8.0_131” with “jre”, and save.
8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11 Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
Related
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N