
Thread: SDK for DB2

  1. #1
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,369

    Unanswered: SDK for DB2

    I'm trying to understand what needs to be done to address this security vulnerability:
    IBM Security Bulletin: IBM DB2 Java API Documentation Frame Injection Vulnerability (CVE-2013-1571) - United States


    The tool Oracle provides is not available for AIX.


    It looks like the corresponding Java APAR is:
    IBM IV44669: FIX SECURITY VULNERABILITY CVE-2013-1571 - United States


    As per IBM DB2 9.7 for Linux, UNIX and Windows Information Center :

    v9.7 FP5 contains:
    "The IBM Software Development Kit for Java™ that is packaged with DB2 products now use the Java 6.0.9.1 version."


    From v9.7 FP8 server:

    > lslpp -l | grep -i sdk
    Java14.ext.commapi 1.4.2.0 COMMITTED Java SDK 32-bit Comm API
    Java14.ext.javahelp 1.4.2.0 COMMITTED Java SDK 32-bit JavaHelp
    Java14.license 1.4.2.0 COMMITTED Java SDK 32-bit License
    Java14.samples 1.4.2.0 COMMITTED Java SDK 32-bit Samples
    Java14.sdk 1.4.2.320 COMMITTED Java SDK 32-bit
    Java5.sdk 5.0.0.500 APPLIED Java SDK 32-bit
    Java6_64.sdk 6.0.0.415 COMMITTED Java SDK 64-bit
    Java14.sdk 1.4.2.320 COMMITTED Java SDK 32-bit
    Java5.sdk 5.0.0.500 APPLIED Java SDK 32-bit
    Java6_64.sdk 6.0.0.415 COMMITTED Java SDK 64-bit

    Java6_64.sdk is 6.0.0.415, not 6.0.9.1.


    Questions:
    - How do I check IBM SDK for Java version that is shipped with DB2?
    - Do you think IBM SDK for Java can be upgraded to 6.0.0 SR14 (where Java defect is fixed) or this has to be done by applying a DB2 fixpack?


    Just looking for a way to close this vulnerability (we have an application that uses javadoc).

  2. #2
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Quote Originally Posted by db2girl View Post

    The tool Oracle provides is not available for AIX.
    The Javadoc updater tool seems to be pure Java, so I'm almost sure it will run on AIX just fine.


    Quote Originally Posted by db2girl View Post
    - How do I check IBM SDK for Java version that is shipped with DB2?
    You can run /opt/ibm/db2/V9.7/java/jdk64/bin/java -version to check the actual version of what's installed by DB2. (Your path might be different.)

    Quote Originally Posted by db2girl View Post
    - Do you think IBM SDK for Java can be upgraded to 6.0.0 SR14 (where Java defect is fixed) or this has to be done by applying a DB2 fixpack?
    I don't think the API Javadoc is a part of what's installed under DB2, and even if it is, it's not what is served publicly, so I don't see this as an issue. Actually, you are unlikely to serve the Java API documentation from the database server at all, so you should be pretty safe.
    ---
    "It does not work" is not a valid problem statement.

  3. #3
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,369
    db2inst1@host:/xxx/db2/db2inst1/sqllib/java/jdk64/bin
    > ./java -fullversion
    java full version "JRE 1.6.0 IBM AIX build pap6460sr9fp1-20110208_03 (SR9 FP1)"


    Based on developerWorks : Technical Topics : Java™ technology : IBM Developer kits : AIX , Java6_64.sdk fileset level for pap6460sr9fp1-20110208_03 is 6.0.0.265, but lslpp shows 6.0.0.415 (SR13 FP2).

    Do you know why?


    When I sudo to the user id that starts java and check java version for their env, I see:

    /home/xxxxx> which java
    /usr/java14/jre/bin/java

    /home/xxxxx> java -fullversion
    java full version "J2RE 1.4.2 IBM AIX build ca142ifx-20091110 (SR13 FP3)"



    root@host:/home/root
    > find / -name javadoc
    /opt/IBM/db2/V9.7/java/jdk64/bin/javadoc
    /opt/IBM/db2/V9.7/samples/wrappers/wrapper_sdk_java/javadoc
    /usr/java14/bin/javadoc
    /usr/java5/bin/javadoc
    /usr/java6_64/bin/javadoc


    I'm pretty sure they use javadoc from /usr/java* or from somewhere not on the server; not from db2 install dir. Like you said, we should be ok without installing the fix.

    Thanks.
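
The version check discussed in this thread, as an added example that is not part of any post: it parses `java -fullversion` output from IBM runtimes and compares the Java 6 service refresh against SR14, the level the thread names as fixed. The function names and the `CONSTRUCTED-SAMPLE` build line are assumptions made for illustration; the other two sample lines are the ones quoted above.

```shell
#!/bin/sh
# Added example. Fix level taken from the thread ("6.0.0 SR14"), not verified here.
FIXED_SR_JAVA6=14

# parse_ibm_build '<java -fullversion output>' -> "<stream> <SR> <FP>"
parse_ibm_build() {
    stream=$(printf '%s\n' "$1" | sed -n 's/.*J2*RE \([0-9.]*\) IBM.*/\1/p')
    sr=$(printf '%s\n' "$1" | sed -n 's/.*(SR\([0-9][0-9]*\).*/\1/p')
    fp=$(printf '%s\n' "$1" | sed -n 's/.*(SR[0-9]* FP\([0-9][0-9]*\)).*/\1/p')
    if [ -z "$stream" ] || [ -z "$sr" ]; then return 1; fi
    echo "$stream $sr ${fp:-0}"   # a build string without an FP part counts as FP 0
}

# classify_build '<java -fullversion output>' -> fixed | below-fix | unknown-stream | unparsed
classify_build() {
    set -- $(parse_ibm_build "$1")
    case "$1" in
        1.6.0) if [ "$2" -ge "$FIXED_SR_JAVA6" ]; then echo fixed; else echo below-fix; fi ;;
        "")    echo unparsed ;;
        *)     echo unknown-stream ;;   # e.g. 1.4.2: its fix level is not given in the thread
    esac
}

# scan_jdks <java binary>... : classify each runtime (-fullversion prints to stderr)
scan_jdks() {
    for j in "$@"; do
        [ -x "$j" ] || { echo "skip           $j (not executable)"; continue; }
        printf '%-14s %s\n' "$(classify_build "$("$j" -fullversion 2>&1)")" "$j"
    done
}

# Demo on the version strings quoted in the thread, plus one constructed SR14 line.
while IFS= read -r sample; do
    printf '%-14s %s\n' "$(classify_build "$sample")" "$sample"
done <<'EOF'
java full version "JRE 1.6.0 IBM AIX build pap6460sr9fp1-20110208_03 (SR9 FP1)"
java full version "J2RE 1.4.2 IBM AIX build ca142ifx-20091110 (SR13 FP3)"
java full version "JRE 1.6.0 IBM AIX build CONSTRUCTED-SAMPLE (SR14)"
EOF

# Real use: pass the java binaries to check as arguments to this script.
if [ "$#" -gt 0 ]; then scan_jdks "$@"; fi
```

A runtime at or above the fix level only affects documentation generated afterwards; HTML already produced by an older javadoc still has to be regenerated or patched with the updater tool mentioned in the thread.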
