Security Bulletin
Summary
A security vulnerability has been identified in IBM SDK that could affect DataQuant for z/OS.
Vulnerability Details
CVEID:
CVSS Base Score: 4.8
DESCRIPTION: A flaw in the java.net API incorrectly converts some Unicode characters when converting Internalized Domain Name URLs into KC normalized form. As a result, characters with syntactic significance (colon, slash etc.) can be injected into URLs.
The fix ensures that illegal characters in IDN URLs are detected and handled gracefully.
DESCRIPTION: A flaw in the java.net API incorrectly converts some Unicode characters when converting Internalized Domain Name URLs into KC normalized form. As a result, characters with syntactic significance (colon, slash etc.) can be injected into URLs.
The fix ensures that illegal characters in IDN URLs are detected and handled gracefully.
CVSS Base Score: 3.1
DESCRIPTION: A flaw in the java.net component allows untrusted code to elevate its file access privileges.
The fix corrects the flaw.
DESCRIPTION: A flaw in the java.net component allows untrusted code to elevate its file access privileges.
The fix corrects the flaw.
CVSS Base Score: 8.4
DESCRIPTION: A flaw in OpenJ9's JIT compiler allows untrusted code to elevate its privileges and execute arbitrary code.
The fix corrects the flaw.
DESCRIPTION: A flaw in OpenJ9's JIT compiler allows untrusted code to elevate its privileges and execute arbitrary code.
The fix corrects the flaw.
CVSS Base Score: 3.4
DESCRIPTION: A flaw in the java.security.AccessController API allows untrusted code to elevate its privileges.
The fix corrects the flaw.
DESCRIPTION: A flaw in the java.security.AccessController API allows untrusted code to elevate its privileges.
The fix corrects the flaw.
CVSS Base Score: 8.4
DESCRIPTION: A flaw in OpenJ9's String.getBytes() implementation allows untrusted code to elevate its privileges and execute arbitrary code.
The fix adds bounds checks to correct the flaw.
DESCRIPTION: A flaw in OpenJ9's String.getBytes() implementation allows untrusted code to elevate its privileges and execute arbitrary code.
The fix adds bounds checks to correct the flaw.
CVSS Base Score: 5.3
DESCRIPTION: A flaw in the java.util component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
DESCRIPTION: A flaw in the java.util component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
CVSS Base Score: 5.3
DESCRIPTION: A flaw in the java.lang component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
DESCRIPTION: A flaw in the java.lang component allows an attacker to inflict a DoS via malicious serialized data which triggers an OutOfMemoryError.
The fix ensures that this type of malicious data is detected and handled gracefully.
CVSS Base Score: 6.8
DESCRIPTION: A vulnerability in the libpng code which is used by the java.awt.SplashScreen API may allow untrusted code to elevate its privileges.
The fix updates the libpng code to the level which addresses the flaw.
DESCRIPTION: A vulnerability in the libpng code which is used by the java.awt.SplashScreen API may allow untrusted code to elevate its privileges.
The fix updates the libpng code to the level which addresses the flaw.
Affected Products and Versions
| Principal Products and Versions |
|---|
| DataQuant for z/OS 2.1 |
Remediation/Fixes
Steps to update JRE - DataQuant:
- Close DataQuant.
- Download JRE (ibm-java-jre-80-win-i386) and extract the files to a temporary location.
- Replace jre folder at the install directory location –> “C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation”. Replace with contents in step # 2.
- Download eclipse oxygen from https://www.eclipse.org/downloads/download.php?file=/technology/epp/downloads/release/oxygen/3a/eclipse-jee-oxygen-3a-win32-x86_64.zip
- Extract the eclipse oxygen and copy the plugin - org.apache.jasper.glassfish_2.2.2.v201501141630.jar from eclipse-jee-oxygen-3a-win32-x86_64\eclipse\plugins
- Copy org.apache.jasper.glassfish_2.2.2.v201501141630.jar in the folder where DataQuant is installed - C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation\plugins
- Delete the older plugin org.apache.jasper.glassfish_2.2.2.v201205150955.jar from the DataQuant install directory
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Off
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSAUQR","label":"IBM DataQuant for z\/OS"},"Component":"","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"2.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
12 February 2021
UID
ibm11103979