Security Bulletin
Summary
There is vulnerability in IBM® SDK Java™ Technology Edition, Version 6.0 SR14, 7.0 SR5 and 7.0 SR6 that is used by DB2 LUW on HP-UX and Solaris. These issues was disclosed as part of the IBM Java SDK updates in January 2015.
Vulnerability Details
CVEID: CVE-2015-0383
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)
Affected Products and Versions
All fix pack levels of IBM DB2 V9.7, V10.1 and V10.5 editions listed below and running on HP-UX and Solaris are affected.
IBM® DB2® Express Edition
IBM® DB2® Workgroup Server Edition
IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition
IBM® DB2® Advanced Workgroup Server Edition
IBM® DB2® Connect™ Application Server Edition
IBM® DB2® Connect™ Enterprise Edition
IBM® DB2® Connect™ Unlimited Edition for System i®
IBM® DB2® Connect™ Unlimited Edition for System z®
Remediation/Fixes
None
Workarounds and Mitigations
Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1 or V10.5 can contact IBM support to obtain the install image for IBM JDK on HPUX/Solaris. Refer to the table below to determine the IBM JDK level required. Then follow the instructions below to perform the JDK installation.
| DB2 Release | IBM JDK level on HP-UX | IBM JDK level on Solaris |
| V9.7 | 6.0 SR16 FP3 | 6.0 SR16 FP3 |
| V10.1 | 6.0 SR16 FP3 | 7.0 SR8 FP10 |
| V10.5 | 7.0 SR8 FP10 | 7.0 SR8 FP10 |
Instruction for IBM JDK Installation
1) Create a new temporary JDK directory, i.e. jdk64, to store the extracted install files.
2) Run the following command to extract all the files from the IBM JDK install image tar file (*.tar.Z) into the temporary JDK directory created in step 1 above.
tar -xvf <IBM JDK install image tar file> -C jdk64
3) Stop all DB2 instances for the installation.
4) As root user, back up the original IBM JDK directory within DB2 installation path and create a new one.
Go to the java sub-directory under <DB2 Installation Path>.
E.g.
cd /opt/IBM/db2/V10.1fp5/java
Back up the original JDK directory <DB2 Installation Path>/java/jdk64
E.g.
mv /opt/IBM/db2/V10.1fp5/java/jdk64 /opt/IBM/db2/V10.1fp5/java/jdk64_old
Create a new JDK directory under <DB2 Installation Path>/java/.
E.g.
mkdir /opt/IBM/db2/V10.1fp5/java/jdk64
5) As root user, copy the extracted files from the temporary JDK directory created in step 1 to the new JDK directory under <DB2 Installation Path>. E.g.
cp -R <Temporary JDK directory>/* /opt/IBM/db2/V10.1fp5/java/jdk64/
All the files in the <DB2 Installation Path>/java/jdk64 directory should have r-x permission.
6) Change the group and owner for all the files in the new JDK directory to bin.
E.g.
chgrp -R bin /opt/IBM/db2/V10.1fp5/java/jdk64
chown -R bin /opt/IBM/db2/V10.1fp5/java/jdk64
Notes:
1) With this update, the metadata of the new JDK is not being recorded with the installer. Hence, for fix pack update in the same installation path, execution of the db2val utility (i.e. the tool that validate files laid down by the DB2 installer at the system level, instance level, or database level after new installation) may fail . Fix pack update to new installation path is not affected.
2) Uninstall will not be able to remove the jdk64 and jdk64_old folder, user will have to remove it manually.
Contact Technical Support:
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.
Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion
Get Notified about Future Security Bulletins
References
Change History
July 10, 2015: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21903738