Security Bulletin
Summary
Unsafe deserialization in DB2 JDBC driver
Vulnerability Details
The Db2 JDBC driver deserializes the contents of /tmp/connlicj.bin (default path, this is configurable), which leads to object injection and potentially arbitrary code execution depending on the classpath.
CVEID: CVE-2017-1677
DESCRIPTION: IBM Data Server Driver for JDBC and SQLJ deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133999 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
DB2Connect 9.5
DB2Connect 9.7
DB2Connect 10.1
DB2Connect 10.5
DB2Connect 11.1
Remediation/Fixes
Product |
VRMF
|
APAR
|
Remediation / First Fix
|
DB2Connect | V11.1 M2FP2 SB | IT23592 | JCC version 3.72.41/4.23.48 See workaround or contact support |
DB2Connect | V10.5 FP9 SB | IT23591 | JCC version 3.69.75/4.19.76 See workaround or contact support |
DB2Connect | V10.1 FP6 SB | IT23590 | JCC version 3.65.138/4.15.147 See workaround or contact support |
DB2Connect | V9.7 FP11 SB | IT23575 | JCC version 3.64.142/4.14.147 See workaround or contact support |
DB2Connect | V9.5 FP10 SB | IT23575 | JCC version 3.64.142/4.14.147 See workaround or contact support |
Workarounds and Mitigations
Workaround is to Set db2.jcc.outputDirectory property to a secure location so that driver will write the cache file to the configured location which can not accessed without proper authentication.
Or use the above Special build drivers.
Get Notified about Future Security Bulletins
References
Acknowledgement
The vulnerability was reported to IBM by Martin Strand
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
05 July 2018
UID
swg22012479