Security Bulletin: IBM Tivoli Business Service Manager is vulnerable to an insecure cryptographic algorithm and to information disclosure due to DB2 (CVE-2023-47152)

Summary

DB2 JDBC driver is shipped as part of the XMLToolkit component for IBM Tivoli Business Service Manager. Information about security vulnerability affecting DB2 JDBC driver has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by executing these steps:

Fix List for Db2 Version 11.5 for Linux, UNIX and Windows

To remediate the vulnerability:

For TBSM Data server:

1. Download the latest DB2 JDBC Driver (v11.5.x) from Fix Central and extract the db2jcc.jar file.
Alternatively, if DB2 v11.5.8.0 or higher is already installed and the special build from the Fix List has been applied, the file can be found under db2’s install directory by navigating to the install directory and searching for db2jcc.jar file.

2. Stop the TBSM servers.

3. Replace the old db2jcc.jar with the new db2jcc.jar under following directories:
<TBSM Install Directory>/XMLtoolkit/tools/crviewer/lib/

<TBSM Install Directory>/XMLtoolkit/tools/ExportDatabaseTool/drivers/

<TBSM Install Directory>/XMLtoolkit/jars/

4. Start the TBSM servers.

For DASH server:

1. Stop the Dashboard server.

2. Navigate to the following directory:
<JazzSM Install Directory>/profile/installedApps/JazzSMNode01Cell/isc.ear/sla.war/WEB-INF/lib/

3. Delete the following files:
db2jcc.jar
db2jcc_license_cu.jar

4. Start the DASH server.

Workarounds and Mitigations

None