IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect InfoSphere Warehouse, DB2 Warehouse Edition and DB2 Warehouse Edition Tooling. (CVE-2014-6457 and CVE-2014-6558)

Created by Jason Shayer on
Published URL:
https://www.ibm.com/support/pages/node/523439

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7.x and JDK v6.x that are used by InfoSphere Warehouse/DB2 Warehouse and Warehouse Tooling. These issues were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

    CVEID: CVE-2014-6457
    DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
    CVSS Base Score: 4
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97148 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

    CVEID: CVE-2014-6558
    DESCRIPTION: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
    CVSS Base Score: 2.6
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97151 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)



Affected Products and Versions

Product Version: InfoSphere Warehouse v9.7 (All Editions)
  - Advanced Enterprise Edition
  - Enterprise Edition
  - Enterprise Base Edition
  - Advanced Departmental Edition
  - Departmental Edition
  - Departmental Base Edition
  - Developer Edition
Affected Components: Design Studio
Note: Affected Java version listed in the next table

Product Version: InfoSphere Warehouse v10.1 (All Editions)
  - Advanced Enterprise Edition
  - Enterprise Edition
  - Enterprise Base Edition
  - Advanced Departmental Edition
  - Departmental Edition
  - Departmental Base Edition
  - Developer Edition
Affected Components: Design Studio
Note: Affected Java version listed in the next table

Product Version: DB2 for Linux, Unix and Windows v10.5
  - Advanced Workgroup Server Edition
  - Advanced Enterprise Server Edition
  - Developer Edition
Affected Components: Design Studio
Note: Affected Java version listed in the next table

Affected Product: InfoSphere Warehouse v9.7 (All Editions)
  - Advanced Enterprise Edition
  - Enterprise Edition
  - Enterprise Base Edition
  - Advanced Departmental Edition
  - Departmental Edition
  - Departmental Base Edition
  - Developer Edition
Affected Java version shipped:
  - 9.7 -> 6.0.2
  - 9.7.1 -> 6.0.5
  - 9.7.2 -> 6.0.5
  - 9.7.3 -> 6.0.9
Remediated Java Version:
  6.0.x -> 6 SR16-FP2 (November 14 2014):
    For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Windowsx8632&continue=1
    For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Linuxx8632&continue=1

Affected Product: InfoSphere Warehouse v10.1 (All Editions)
  - Advanced Enterprise Edition
  - Enterprise Edition
  - Enterprise Base Edition
  - Advanced Departmental Edition
  - Departmental Edition
  - Departmental Base Edition
  - Developer Edition
Affected Java version shipped:
  - 10.1 -> 6.0.10
  - 10.1.0.2 -> 7.0.2
Remediated Java Version:
  6.0.x -> 6 SR16-FP2 (November 14 2014):
    For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Windowsx8632&continue=1
    For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.0.16.2-JavaSE-SDK-Linuxx8632&continue=1
  7.0.x -> 7 SR8 (November 14 2014):
    For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Windowsx8632&continue=1
    For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Linuxx8632&continue=1

Affected Product: DB2 for Linux, Unix and Windows v10.5
  - Advanced Workgroup Server Edition
  - Advanced Enterprise Server Edition
  - Developer Edition
Affected Java version shipped:
  - 10.5 -> 7.0.2
  - 10.5.0.4 -> 7.1.1
  - 10.5.0.5 -> 7.1.1
Remediated Java Version:
  7.0.x -> 7 SR8 (November 14 2014):
    For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Windowsx8632&continue=1
    For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.8.0-JavaSE-SDK-Linuxx8632&continue=1
  7.1.x -> 7R1 SR2 (October 30 2014):
    For Windows: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.1.2.0-JavaSE-SDK-Windowsx8664&continue=1
    For Linux: http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.1.2.0-JavaSE-SDK-Linuxx86_6464&continue=1

Remediation/Fixes

Before you begin, go to the table above and find the IBM SDK, Java™ Technology Edition download link that matches your product version and platform. If you cannot find the download link for your product version and platform, contact IBM Technical Support and refer to this security bulletin.

On Windows, complete the following steps:

  1. Download the installable package (for example: ibm-java-sdk-71-win-x86_64.exe), or download the compressed archive zip package (for example: ibm-java-sdk-71-win-x86_64.zip) that matches the product architecture (for example 64-bit or 32-bit).
  2. Extract it to a folder on a local file system (for example C:\temp\java71).
  3. Run the installer. The IBM SDK, Java™ Technology Edition will be installed on your local file system (for example C:\Program Files\IBM\Java71).
  4. If the product is open and running, exit out of the product.
  5. Open the eclipse.ini file located in the product install directory (for example: C:\Program Files\IBM\ISWarehouse\ds\eclipse.ini).
  6. Change the -vm argument to point to the new IBM SDK, Java™ Technology Edition that was just installed (for example, change it to -vm C:/Program Files/IBM/Java71/jre/bin/javaw.exe).
  7. Save and close the file. Note: editing the eclipse.ini file may require administrator privileges.
  8. Restart the product.

On Linux, complete the following steps:

  1. Download the installable package (for example: ibm-java-x86_64-sdk-7.1-2.0.bin), or download the compressed archive package (for example: ibm-java-x86_64-sdk-7.1-2.tar.gz) that matches the product architecture (for example 64-bit or 32-bit).
  2. Extract it to a folder on a local file system (for example /tmp/ibm-jdk-7.1-2.0).
  3. If necessary change the file permission (for example chmod 755 ibm-java-x86_64-sdk-7.1-2.0.bin).
  4. Run the installer (for example enter ./ibm-java-x86_64-sdk-7.1-2.0.bin). The IBM SDK, Java™ Technology Edition will be installed on your local file system (for example /opt/ibm/java-x86_64-71).
  5. If the product is open and running, exit out of the product.
  6. Open the eclipse.ini file located in the product install directory (for example /opt/IBM/ISWarehouse/ds).
  7. Change the -vm argument to point to the new IBM SDK, Java™ Technology Edition that was just installed (for example, change it to -vm /opt/ibm/java-x86_64-71/jre/bin/javaw.exe).
  8. Save and close the file.
  9. Restart the product.

* NOTE: You might have to repeat steps 4 through 8 for Windows or 5 through 9 for Linux after you install an APAR or upgrade to a newer version of Java, if the version of the IBM SDK, Java™ Technology Edition that is installed with the product is older than the version of Java that you installed following the above instructions. You can determine the version of the IBM SDK, Java™ Technology Edition that is installed with the product by looking at the version.properties file (for example: Windows C:\Program Files\IBM\ISWarehouse\ds\jdk\jre\lib\version.properties or Linux /opt/ISWarehouse/ds/jdk/jre/lib/version.properties); or by running the command "java -version" (for example: Windows "C:\Program Files\IBM\ISWarehouse\ds\jdk\jre\bin\java -version" or Linux "/opt/ISWarehouse/ds/jdk/jre/bin/java -version").
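
A way to confirm that the -vm change from the steps above is in effect, and to catch the case the note describes where the product is again using the SDK installed with it. This is an added example, not IBM's code; the function names are hypothetical. It relies on the Eclipse launcher's eclipse.ini format, in which -vm and its path sit on separate lines and must come before -vmargs.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical.

# Print the JVM path that the eclipse.ini in $1 selects with -vm.
# Returns 1 if there is no usable -vm entry, 2 if -vm comes after -vmargs
# (everything after -vmargs goes to the JVM, so the launcher ignores it).
eclipse_vm_path() {
    awk '
        { sub(/\r$/, "") }                            # accept CRLF line endings
        want                { print; ok = 1; exit }   # line after -vm is the path
        $0 == "-vmargs"     { late = 1 }
        $0 == "-vm" && late { rc = 2; exit }
        $0 == "-vm"         { want = 1 }
        END                 { if (!ok) exit (rc ? rc : 1) }
    ' "$1"
}

# Classify the setup: ok | bundled | not-found | misplaced | missing.
# $1 = eclipse.ini, $2 = product install directory; its jdk/ subdirectory
# holds the SDK installed with the product (see the paths in the note above).
check_vm() {
    vm=$(eclipse_vm_path "$1") || {
        [ $? -eq 2 ] && echo misplaced || echo missing
        return 0
    }
    case $vm in
        "$2"/jdk/*) echo bundled ;;      # still the SDK installed with the product
        *) [ -e "$vm" ] && echo ok || echo not-found ;;
    esac
}

# Usage: sh check_vm.sh /opt/IBM/ISWarehouse/ds
if [ $# -eq 1 ]; then
    state=$(check_vm "$1/eclipse.ini" "$1")
    echo "eclipse.ini -vm state: $state"
    if [ "$state" = ok ] || [ "$state" = bundled ]; then
        vm=$(eclipse_vm_path "$1/eclipse.ini")
        [ -f "$vm" ] && "$vm" -version   # same check as "java -version" in the note
    fi
fi
```

A result of bundled or misplaced after an APAR install or upgrade means the -vm steps have to be repeated.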

Workarounds and Mitigations

No workaround.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg21694036