Security Bulletin
Summary
This Security Bulletin provides steps for updating Java for Db2 Query Management Facility QMF Workstation and QMF Vision.
Vulnerability Details
CVEID: CVE-2021-2161
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200290 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
Affected Product(s) | Version(s) |
DB2 Query Management Facility for z/OS | 11.2.1 |
DB2 Query Management Facility for z/OS | 12.1 |
Query Management Facility Classic Edition | 11.1 |
DB2 Query Management Facility for z/OS | 12.2 |
Query Management Facility Enterprise Edition | 11.1 |
DB2 Query Management Facility for z/OS | 11.2 |
DB2 Query Management Facility for z/OS | 11.1 |
Remediation/Fixes
Please see 'Workarounds and Mitigations'
Workarounds and Mitigations
Below are steps to update Java - QMF Workstation and QMF Vision
Steps to update Java - QMF for Workstation:
1. Download JRE 8.0.6.35 version from IBM Java download portal.
2. Close QMF for workstation , if any instance is running.
3. Copy 8.0.6.35 JRE version to C:\Program Files\IBM\Db2 Query Management Facility\QMF for Workstation\jre.
4. Start application.
Note:
Users of QMF for Workstation (v12.2.0.1 – v12.2.0.4) must upgrade to version 12.2.0.5 before applying this Java upgrade.
This is required for scheduled tasks to work seamlessly after the Java Update.
Steps to update Java - QMF Vision:
- Go to: https://adoptopenjdk.net/releases.html
- Download Open JDK 8(LTS) and extract the files to a temporary location.
- Stop the following Windows services:
- IBM QMF Vision Indexing Service (this will also stop IBM QMF Vision Web Service due to dependencies)
- QMFServerLite
- Delete C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java\jre1.8.0_252. Note: The folder name would be “jre” in case security bulletin reference # 0880785 is already applied.
- Copy folder jre 1.8.0_302 from the temporary location to C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\elasticsearch\java.
- Rename folder jre 1.8.0_302 to jre.
- Note: If the folder in the java folder is already renamed to “jre” via the security bulletin reference # 0880785, then steps 7 through 12 are not required. You can directly go to step 13 and start the relevant services,
- Security bulletin # 0880785 link - https://www-01.ibm.com/support/docview.wss?uid=ibm10880785
- Under C:\Program Files\IBM\DB2 Query Management Facility\QMF Vision\, edit the following 6 files:
- elasticsearch/bin/install.bat
- elasticsearch/bin/start.bat
- elasticsearch/bin/stop.bat
- elasticsearch/bin/uninstall.bat
- qmfserver/bat/setenv.bat
- qmfserver/conf/wrapper.con
-
- For each file, replace "jre1.8.0_302" with "jre", and save.
- Open a Windows Command window in Administrator mode and Change directory to elasticsearch/bin.
- Execute:
- uninstall.bat
- install.bat
- Change directory to qmfserver/bat.
- Execute:
-
- uninstallService.bat
- installService.bat.
12. In the Windows Services console, edit "IBM QMF Vision Indexing Service" to change startup type from "Manual" to "Automatic".
13. Restart Windows Services:
- IBM QMF Vision Indexing Service
- IBM QMF Vision Web Service
- QMFServerLite
Get Notified about Future Security Bulletins
References
Change History
17 Sep 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
16 September 2021
UID
ibm16490271