IBMF7E51655AE0C3E3A5C7AFAE4499771D71B4A3255C1EDE468013BB3892E874345Security Bulletin: A security vulnerability in IBM SDK which affects Db2 Query Management Facility (CVE-2019-2816, CVE-2019-2766, CVE-2019-2786, CVE-2019-2769, CVE-2019-2762, CVE-2019-7317)
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
Summary
A security vulnerability has been identified in IBM SDK that could affect Db2 Query Management Facility.
Vulnerability Details
CVEID: CVE-2019-2816
CVSS Base Score: 4.8
**DESCRIPTION:**A flaw in the java.net API incorrectly converts some Unicode characters when converting Internalized Domain Name URLs into KC normalized form. As a result, characters with syntactic significance (colon, slash etc.) can be injected into URLs.
The fix ensures that illegal characters in IDN URLs are detected and handled gracefully.
CVEID: CVE-2019-2766
CVSS Base Score: 3.1
**DESCRIPTION:**A flaw in the java.net component allows untrusted code to elevate its file access privileges.
The fix corrects the flaw.
CVEID: CVE-2019-2786
CVSS Base Score: 3.4
**DESCRIPTION:**A flaw in the java.security.AccessController API allows untrusted code to elevate its privileges.
The fix corrects the flaw.
CVEID: CVE-2019-2769
CVSS Base Score: 5.3
**DESCRIPTION:**A flaw in the java.util component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
CVEID: CVE-2019-2762
CVSS Base Score: 5.3
**DESCRIPTION:**A flaw in the java.lang component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
CVEID: CVE-2019-7317
CVSS Base Score: 6.8
**DESCRIPTION:**A vulnerability in the libpng code which is used by the java.awt.SplashScreen API may allow untrusted code to elevate its privileges.
The fix updates the libpng code to the level which addresses the flaw.
Affected Products and Versions
| Principal Product and Version(s) | Affected Supporting Product |
|---|---|
| DB2 Query Management Facility Classic Edition v11.1 | |
| Query Management Facility Enterprise Edition V11.1 | |
| DB2 Query Management Facility for z/OS v12.1 | |
| DB2 Query Management Facility for z/OS v12.2 |
Remediation/Fixes
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.5.40 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.5.40 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.
4. Start application
Steps to update Java - QMF Vision:
1. Go to: https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
2. Download “jre-8u221-windows-x64.tar.gz”, and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)
- QMFServerLite
4. Delete C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_131.
Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.
5. Copy folder jre1.8.0_221 from the temporary location to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.
6. Rename folder jre1.8.0_221 to jre.
Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision, edit the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace “jre1.8.0_131” with “jre”, and save.
8. Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11 Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit “IBM QMF Vision Indexing Service” to change startup type from “Manual” to “Automatic”.
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| db2 query management facility for z/os | eq | 12.1 | |
| db2 query management facility for z/os | eq | 12.2 |
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N