===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2887
  IBM Db2 is affected by vulnerabilities in the IBM SDK, Java Technology Edition
                              14 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Db2
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9843 CVE-2016-9842 CVE-2016-9841 CVE-2016-9840
Reference:         ESB-2017.1251
                   ESB-2017.1321
                   ESB-2017.1185
                   ESB-2017.2876

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg22010282

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Db2 is affected by vulnerabilities in the IBM SDK,
Java Technology Edition Quarterly Critical Patch Updates (CVE-2016-9840,
CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)

Document information

Software version:     9.7, 10.1, 10.5, 11.1
Operating system(s):  AIX, HP-UX, Linux, Solaris, Windows
Software edition:     Advanced Enterprise Server, Advanced Workgroup Server,
                      Enterprise Server, Express, Express-C, Personal,
                      Workgroup Server
Reference #:          2010282
Modified date:        13 November 2017

Security Bulletin

Summary

Db2 is affected by a vulnerability in IBM® JDK.

Vulnerability Details

CVEID: CVE-2016-9840
DESCRIPTION: zlib is vulnerable to a denial of service, caused by
out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to
open a specially crafted document, a remote attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120508
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9841
DESCRIPTION: zlib is vulnerable to a denial of service, caused by
out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to
open a specially crafted document, a remote attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120509
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9842
DESCRIPTION: zlib is vulnerable to a denial of service, caused by an
undefined left shift of a negative number. By persuading a victim to open a
specially crafted document, a remote attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120510
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9843
DESCRIPTION: zlib is vulnerable to a denial of service, caused by a
big-endian out-of-bounds pointer. By persuading a victim to open a specially
crafted document, a remote attacker could exploit this vulnerability to
cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120511
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, and V11.1 editions on all
platforms are affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this
vulnerability.
The fix for this vulnerability is in the latest version of IBM JDK. Customers
running any vulnerable fix pack level of an affected Program, V9.7, V10.1,
V10.5 or V11.1, can download the latest version of IBM JDK from Fix Central.

Affected IBM Releases:
• 6.0.16.41 and earlier
• 6.1.8.41 and earlier
• 7.0.10.1 and earlier
• 7.1.4.1 and earlier
• 8.0.4.2 and earlier

Fixed IBM Releases:
• 6.0.16.45
• 6.1.8.45
• 7.0.10.5
• 7.1.4.5
• 8.0.4.5

Refer to the table below to determine the IBM JDK level that contains the
fix. Then follow the instructions below to perform the JDK installation.

+----------------------------------------------------------+
|Db2 Release        |Fixed IBM Release                     |
|-------------------+--------------------------------------|
|V9.7.x             |6.0.16.45 or later                    |
|-------------------+--------------------------------------|
|V10.1.x            |7.0.10.5 or later                     |
|-------------------+--------------------------------------|
|V10.5.x            |7.0.10.5 or later (6.0.16.45 or later |
|                   |for LinuxIA64)                        |
|-------------------+--------------------------------------|
|V11.1.x            |8.0.4.5 or later                      |
+----------------------------------------------------------+

Instruction for IBM JDK Installation on UNIX

1) Create a new temporary JDK directory, i.e. jdk64, to store the extracted
   install files.
2) Run the following command to extract all the files from the IBM JDK
   install image tar file into the temporary JDK directory created in step 1
   above.

   tar -xvf <IBM JDK install image tar file> -C jdk64

3) Stop all DB2 instances for the installation.
4) As root user, create a new JDK directory jdk64 under /opt/IBM/db2. E.g.

   mkdir /opt/IBM/db2/jdk64

5) As root user, copy the extracted files from the temporary JDK directory
   created in step 1 to the new JDK directory. E.g.

   cp -R <Temporary JDK directory>/* /opt/IBM/db2/jdk64/

   All the files in the /opt/IBM/db2/jdk64/ directory should have r-x
   permission.
6) Change the group and owner for all the files in the new JDK directory to
   bin. E.g.

   chgrp -R bin /opt/IBM/db2/jdk64/
   chown -R bin /opt/IBM/db2/jdk64/

7) Configure DB2 to use the new JDK. E.g.

   db2 update dbm cfg using JDK_PATH /opt/IBM/db2/jdk64/

Instruction for IBM JDK Installation on Windows

1) Stop all DB2 instances.
2) Go to the DB2 installation directory, e.g.
   C:\Program Files (x86)\IBM\SQLLIB\java\jdk, and rename the following
   folders:
   • bin to bin_old
   • include to include_old
   • lib to lib_old
   • properties to properties_old
   • jre to jre_old
   This might not work, as you might get a folder-in-use error. If that
   happens, try the following steps:
   • cd to the C:\Program Files (x86)\IBM\SQLLIB\java\jdk\jre folder
   • rename bin to bin_old
   • copy lib as lib_old
   • cd to the lib directory and delete all the files except the fonts
     folder (which might be held by the Windows svchost.exe process and
     might not be renamed)
3) Unzip the new java files and copy all the extracted java files under the
   jdk directory.

Notes:

1) With this update, the metadata of the new JDK is not recorded with the
   installer. Hence, for a fix pack update in the same installation path,
   execution of the db2val utility (the tool that validates files laid down
   by the DB2 installer at the system level, instance level, or database
   level after a new installation) may fail. A fix pack update to a new
   installation path is not affected.
2) Uninstall will not be able to remove the jdk64 and jdk64_old folders; the
   user will have to remove them manually.

Workarounds and Mitigations

None.

Change History

November 13, 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
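As an added check, not part of the IBM or AusCERT bulletin, the POSIX shell functions below encode the affected/fixed release lists and the Db2-to-JDK table above, so an administrator can test whether the IBM JDK level in use (for example the build under the JDK_PATH set in step 7) is at or above the fixed level for its stream and is the stream prescribed for the Db2 release. Version strings are assumed to be in the bulletin's fix-pack form (e.g. 8.0.4.5); the function names jdk_is_fixed and db2_jdk_ok are chosen here.

```shell
# Added example, not from the IBM/AusCERT bulletin. Versions are assumed to be
# in the bulletin's IBM fix-pack form (e.g. 8.0.4.5); no real host is queried.

# Compare dotted versions field by field; returns 0 if $1 >= $2, else 1.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"; a="${a#*.}"; b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Fixed IBM JDK level for the stream (major.minor) a version belongs to,
# from the bulletin's "Fixed IBM Releases" list.
fixed_level() {
    case "$1" in
        6.0.*) echo 6.0.16.45 ;;
        6.1.*) echo 6.1.8.45 ;;
        7.0.*) echo 7.0.10.5 ;;
        7.1.*) echo 7.1.4.5 ;;
        8.0.*) echo 8.0.4.5 ;;
        *) return 1 ;;
    esac
}

# JDK stream the bulletin's table prescribes for a Db2 release line.
expected_stream() {
    case "$1" in
        V9.7*)  echo 6.0 ;;
        V10.1*) echo 7.0 ;;
        V10.5*) [ "${2:-}" = "LinuxIA64" ] && echo 6.0 || echo 7.0 ;;
        V11.1*) echo 8.0 ;;
        *) return 1 ;;
    esac
}

# jdk_is_fixed <jdk version>: 0 = fixed, 1 = vulnerable, 2 = unknown stream.
jdk_is_fixed() {
    min=$(fixed_level "$1") || return 2
    version_ge "$1" "$min"
}
# db2_jdk_ok <Db2 release> <jdk version> [platform]: 0 only when the JDK is in
# the prescribed stream and at or above that stream's fixed level.
db2_jdk_ok() {
    stream=$(expected_stream "$1" "${3:-}") || return 2
    case "$2" in "$stream".*) jdk_is_fixed "$2" ;; *) return 1 ;; esac
}
```

A JDK from a newer stream than the table prescribes (for example 7.0.10.5 on V9.7.x) is reported as not OK, because the bulletin lists a fixed level per stream rather than a single cross-stream minimum.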
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================