Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1139
Db2 Query Management Facility multiple vulnerabilities
6 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Db2 Query Management Facility
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-27221 CVE-2020-14803 CVE-2020-14781
CVE-2020-2773
Reference: ASB-2021.0025
ESB-2021.0973
ESB-2021.0914
Original Bulletin:
https://www.ibm.com/support/pages/node/6439995
https://www.ibm.com/support/pages/node/6439991
https://www.ibm.com/support/pages/node/6439997
Comment: This bulletin contains three (3) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Db2 Query Management Facility is vulnerable to
CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8)
Document Information
More support for:
DB2 Query Management Facility
Software version:
11.1, 11.2, 11.2.1, 12.1, 12.2
Operating system(s):
Linux, Windows
Document number:
6439995
Modified date:
02 April 2021
Security Bulletin
Summary
Db2 Query Management Facility is vulnerable to CVE-2020-14781 (deferred from
Oracle Oct 2020 CPU for Java 8)
Vulnerability Details
CVEID: CVE-2020-14781
DESCRIPTION: An unspecified vulnerability in Java SE related to the JNDI
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
190099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
+--------------------------------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.2.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |12.1 |
+--------------------------------------------+----------+
|Query Management Facility Classic Edition |11.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |12.2 |
+--------------------------------------------+----------+
|Query Management Facility Enterprise Edition|11.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.2 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.1 |
+--------------------------------------------+----------+
Remediation/Fixes
Please see "Workarounds and Mitigations"
Workarounds and Mitigations
Use the following instructions to download the latest JRE version from the IBM
Java download portal and replace it with the JRE you are currently invoking.
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.6.5 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.6.5 JRE version to C:\Program Files\IBM\Db2 Query Management
Facility\QMF for Workstation\jre.
4. Start application
Steps to update Java - QMF Vision:
1. Go to: https://adoptopenjdk.net/releases.html
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web
Service due to dependencies)
- QMFServerLite
4. Delete
C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\
elasticsearch\java\jre1.8.0_131.
Note: The folder name would be "jre" in case security bulletin reference
# 0880785 is already applied.
5. Copy content of downloaded jre from the temporary location (step # 2) to
C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\
elasticsearch\java.
6. Rename folder jre1.8.0_131 to jre.
Note: If the folder in the java folder is already renamed to "jre" via
the security bulletin reference #
0880785, then steps 7 through 12 are not required. You can directly go to
step 13 and start the relevant
services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/
docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\, edit
the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace "jre1.8.0_131" with "jre", and save.
8. Open a Windows Command window in Administrator mode and Change directory to
elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11 Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit "IBM QMF Vision Indexing Service" to
change startup type from
"Manual" to "Automatic".
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
02 Apr 2021: Initial Publication
Document Location
Worldwide
- --------------------------------------------------------------------------------
Security Bulletin: Db2 Query Management Facility is vulnerable to IBM SDK, Java
Technology Edition Quarterly CPU - Jan 2021 - Includes Oracle Jan 2021 CPU plus
CVE-2020-27221
Document Information
More support for:
DB2 Query Management Facility
Software version:
11.1, 11.2, 11.2.1, 12.1, 12.2
Operating system(s):
Windows, Linux
Document number:
6439991
Modified date:
02 April 2021
Security Bulletin
Summary
Db2 Query Management Facility is vulnerable to IBM SDK, Java Technology Edition
Quarterly CPU - Jan 2021 - Includes Oracle Jan 2021 CPU CVE-2020-14803 plus
CVE-2020-27221
Vulnerability Details
CVEID: CVE-2020-14803
DESCRIPTION: An unspecified vulnerability in Java SE could allow an
unauthenticated attacker to obtain sensitive information resulting in a low
confidentiality impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
190121 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2020-27221
DESCRIPTION: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow
when the virtual machine or JNI natives are converting from UTF-8 characters to
platform encoding. By sending an overly long string, a remote attacker could
overflow a buffer and execute arbitrary code on the system or cause the
application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
195353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
+--------------------------------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.2.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |12.1 |
+--------------------------------------------+----------+
|Query Management Facility Classic Edition |11.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |12.2 |
+--------------------------------------------+----------+
|Query Management Facility Enterprise Edition|11.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.2 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.1 |
+--------------------------------------------+----------+
Remediation/Fixes
Please see "Workarounds and Mitigations"
Workarounds and Mitigations
Use the following instructions to download the latest JRE version from the IBM
Java download portal and replace it with the JRE you are currently invoking.
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.6.5 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.6.5 JRE version to C:\Program Files\IBM\Db2 Query Management
Facility\QMF for Workstation\jre.
4. Start application
Steps to update Java - QMF Vision:
1. Go to: https://adoptopenjdk.net/releases.html
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web
Service due to dependencies)
- QMFServerLite
4. Delete
C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\
elasticsearch\java\jre1.8.0_131.
Note: The folder name would be "jre" in case security bulletin reference
# 0880785 is already applied.
5. Copy content of downloaded jre from the temporary location (step # 2) to
C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\
elasticsearch\java.
6. Rename folder jre1.8.0_131 to jre.
Note: If the folder in the java folder is already renamed to "jre" via
the security bulletin reference #
0880785, then steps 7 through 12 are not required. You can directly go to
step 13 and start the relevant
services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/
docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\, edit
the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace "jre1.8.0_131" with "jre", and save.
8. Open a Windows Command window in Administrator mode and Change directory to
elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11 Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit "IBM QMF Vision Indexing Service" to
change startup type from
"Manual" to "Automatic".
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
Change History
02 Apr 2021: Initial Publication
Document Location
Worldwide
- --------------------------------------------------------------------------------
Security Bulletin: Db2 Query Management Facility is vulnerable to an
unspecified vulnerability in Java SE - CVE-2020-2773
Document Information
More support for:
DB2 Query Management Facility
Software version:
11.1, 11.2, 11.2.1, 12.1, 12.2
Operating system(s):
Linux, Windows
Document number:
6439997
Modified date:
02 April 2021
Security Bulletin
Summary
An unspecified vulnerability in Java SE related to the Java SE Security
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
Vulnerability Details
CVEID: CVE-2020-2773
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Security component could allow an unauthenticated attacker to cause a denial of
service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179673 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
+--------------------------------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.2.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |12.1 |
+--------------------------------------------+----------+
|Query Management Facility Classic Edition |11.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |12.2 |
+--------------------------------------------+----------+
|Query Management Facility Enterprise Edition|11.1 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.2 |
+--------------------------------------------+----------+
|DB2 Query Management Facility for z/OS |11.1 |
+--------------------------------------------+----------+
Remediation/Fixes
Please see "Workarounds and Mitigations"
Workarounds and Mitigations
Use the following instructions to download the latest JRE version from the IBM
Java download portal and replace it with the JRE you are currently invoking.
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.6.5 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.6.5 JRE version to C:\Program Files\IBM\Db2 Query Management
Facility\QMF for Workstation\jre.
4. Start application
Steps to update Java - QMF Vision:
1. Go to: https://adoptopenjdk.net/releases.html
2. Download Open JDK 8(LTS) and extract the files to a temporary location.
3. Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web
Service due to dependencies)
- QMFServerLite
4. Delete
C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\
elasticsearch\java\jre1.8.0_131.
Note: The folder name would be "jre" in case security bulletin reference
# 0880785 is already applied.
5. Copy content of downloaded jre from the temporary location (step # 2) to
C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\
elasticsearch\java.
6. Rename folder jre1.8.0_131 to jre.
Note: If the folder in the java folder is already renamed to "jre" via
the security bulletin reference #
0880785, then steps 7 through 12 are not required. You can directly go to
step 13 and start the relevant
services,
Security bulletin # 0880785 link - https://www-01.ibm.com/support/
docview.wss?uid=ibm10880785
7. Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\, edit
the following 6 files:
elasticsearch/bin/install.bat
elasticsearch/bin/start.bat
elasticsearch/bin/stop.bat
elasticsearch/bin/uninstall.bat
qmfserver/bat/setenv.bat
qmfserver/conf/wrapper.conf
For each file, replace "jre1.8.0_131" with "jre", and save.
8. Open a Windows Command window in Administrator mode and Change directory to
elasticsearch/bin.
9. Execute:
uninstall.bat
install.bat
10. Change directory to qmfserver/bat.
11 Execute:
uninstallService.bat
installService.bat.
12. In the Windows Services console, edit "IBM QMF Vision Indexing Service" to
change startup type from
"Manual" to "Automatic".
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
02 Apr 2021: Initial Publication
Document Location
Worldwide
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYGvXwuNLKJtyKPYoAQhSsA//bhYT9qPXpy6g7vlbna/FoMZxa9eln7+7
F+li0RpoD2vR9gA269bxe9OMVYbdBUKczv2jdh6UBt/cqXjGkJ70+oDu/LZ2CxiP
vbUkKeOOPjjyQXjhmfoRPcN+5erjaghAsglIUMlXBO4vn8J/6jaqJcx2iLCYcvtJ
WuVAReqHYI7K8kK9PRBCXdh//65Q8smcYk0JWbI+UYJ+8SikNGxZBtRtfGa5/z4c
f5hCc+36Fjve6HQ2KUbx/xBZ1CWumTlRp7myMg5w4rGqNw126xTIPWIZB2Vwedgt
J1QgPF+fgy9/Vr1RPijC+sVSLYZsR1xWqJeprxtVoyAYepWsJ/xA+OBa66FdYpL+
4+E5xn3BCKHBxBCJQQx1dVZ2TdYGpp41NUsx77cVkrRpfkMHpV+hsmKwUgUqmqoE
YM5iAj34leOSeuKCiKm2khQU2zgfGBa/IcvBaza7/2FkSm3O9DEI58ewcQnDiA73
dh8oX+sOpaVM1OJXD2ozRZ0D0rVi+eunMq35gUcayEzTCrsmx9+80UfMC7jfRuwR
PQktYTUl+HVZazlNVvLv26+C4V25iY8Pxskd9EXb6iINuwLVoOLSVVtNP4RsXxfj
8n49WZDuNWypBq/ZDZKTNRn/Uy+7pAw8kDuFBS5out3kgyIbl93XMmm+Wt3b6HZ+
4ah8vfxXZEY=
=1pre
-----END PGP SIGNATURE-----