Security Bulletin: IBM Data Server Driver for JDBC and SQLJ is affected by a 3RD PARTY Unsafe deserialization

2019-12-20 08:47:33
www.ibm.com

EPSS: 0.001 (percentile 25.1%)

Summary

Unsafe deserialization in DB2 JDBC driver

Vulnerability Details

CVEID: CVE-2017-1677
**DESCRIPTION:** IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133999 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

DB2Connect 9.5

DB2Connect 9.7

DB2Connect 10.1

DB2Connect 10.5

DB2Connect 11.1

Remediation/Fixes

Product | VRMF | APAR | Remediation / First Fix
—|—|—|—
DB2Connect | V11.1 M2FP2 SB | IT23592 | JCC version 3.72.41/4.23.48; see workaround or contact support
DB2Connect | V10.5 FP9 SB | IT23591 | JCC version 3.69.75/4.19.76; see workaround or contact support
DB2Connect | V10.1 FP6 SB | IT23590 | JCC version 3.65.138/4.15.147; see workaround or contact support
DB2Connect | V9.7 FP11 SB | IT23575 | JCC version 3.64.142/4.14.147; see workaround or contact support
DB2Connect | V9.5 FP10 SB | IT23575 | JCC version 3.64.142/4.14.147; see workaround or contact support

Workarounds and Mitigations

The workaround is to set the db2.jcc.outputDirectory property to a secure location, so that the driver writes its cache file to the configured location rather than /tmp; that location must not be accessible without proper authentication.
Alternatively, use the special build drivers listed above.
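The workaround above, as an added shell example that is not part of the IBM bulletin: it creates an owner-only directory for the driver's cache file, builds the JVM option that applies db2.jcc.outputDirectory, and audits whether a connlicj.bin is still being written to the shared default directory. The paths used are constructed placeholders, and passing the property as a -D JVM system property is an assumption (JCC global properties can also be set in the driver's configuration properties file).

```shell
#!/bin/sh
# Added example, not from the IBM bulletin. db2.jcc.outputDirectory and
# connlicj.bin are named in the bulletin; every path passed in below is a
# constructed placeholder.

# Report whether DIR is an owner-only directory: a real directory (not a
# symlink), owned by the caller, with no group or other write bit. Returns 0
# when it is safe to hand to the driver.
check_jcc_output_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    entry=$(ls -ld "$dir")                     # e.g. "drwx------ 2 alice ..."
    mode=$(printf '%s' "$entry" | cut -c1-10)
    owner=$(printf '%s' "$entry" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    case $mode in
        ?????w????|????????w?) return 1 ;;     # group- or world-writable
    esac
    return 0
}

# Create DIR with mode 0700 (umask 077 guards against a permissive default
# umask) and confirm it passes the check above.
prepare_jcc_output_dir() {
    dir=$1
    [ -L "$dir" ] && return 1                  # never follow a pre-existing symlink
    (umask 077 && mkdir -p "$dir") || return 1
    chmod 700 "$dir" || return 1
    check_jcc_output_dir "$dir"
}

# Print the JVM system property that redirects the driver's cache file
# (assumed mechanism: -D system property on the application's JVM).
jcc_jvm_option() {
    printf '%s\n' "-Ddb2.jcc.outputDirectory=$1"
}

# Audit: a connlicj.bin still present in the shared directory (default /tmp)
# means a driver on this host is running with the vulnerable default.
# Returns 1 when such a file is found.
audit_default_cache() {
    shared=${1:-/tmp}
    if [ -e "$shared/connlicj.bin" ]; then
        echo "driver cache found in shared dir: $shared/connlicj.bin" >&2
        return 1
    fi
    return 0
}

# Usage on a host (constructed path):
#   prepare_jcc_output_dir "$HOME/.db2jcc" && jcc_jvm_option "$HOME/.db2jcc"
```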
