Technical Blog Post
Abstract
Db2Connect Java driver (IBM Data Server for JDBC and SQLJ) class being loaded multiple times in a single JVM due to a vulnerability issue
Body
Problem:
WebSphere loading multiple instances of IBM Data Server for JDBC and SQLJ in a single JVM resulted in the stack trace below:
at sun/nio/ch/FileChannelImpl.lock0
at sun/nio/ch/FileChannelImpl.lock(FileChannelImpl.java:882)
at java/nio/channels/FileChannel.lock(FileChannel.java:871)
at com/ibm/db2/jcc/am/hp.a(hp.java:629)
at com/ibm/db2/jcc/am/gp.a(gp.java:403)
at com/ibm/db2/jcc/am/gp.a(gp.java:475)
at com/ibm/db2/jcc/am/Connection.isLicenseValidatedWithServerLicenseProc
at com/ibm/db2/jcc/am/Connection.checkForLicenseRestrictions
at com/ibm/db2/jcc/am/Connection.completeConnect
The above issue is due to the IBM Data Server for JDBC and SQLJ vulnerability CVE-2017-1677: "IBM® Db2® performs unsafe deserialization in DB2 JDBC driver (CVE-2017-1677)"
/support/pages/node/303435
Solution:
IBM Data Server for JDBC and SQLJ provided the fix in the fix packs below, which are available to download from
/support/pages/node/382667
Fix JCC versions:
V9.7 JCC version 3.64.142/4.14.147
V10.1 JCC version 3.65.138/4.15.147
V10.5 JCC version 3.69.75/4.19.76
V11.1 M3 FP3 JCC version 3.72.44/4.24.92
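To check a deployed driver against the fixed versions listed above, the following added example (not IBM's code and not part of the original post) compares a reported JCC version string with that list. It assumes the version has the form major.minor.build and that the first two components identify the release line; the sample versions in the demo are constructed.

```python
# Added example: fixed JCC builds copied from the list in this post.
# Assumption: "major.minor" selects the release line, and any build number
# greater than or equal to the listed one on that line contains the fix.
FIXED_BUILDS = {
    (3, 64): (142, "V9.7"),
    (4, 14): (147, "V9.7"),
    (3, 65): (138, "V10.1"),
    (4, 15): (147, "V10.1"),
    (3, 69): (75, "V10.5"),
    (4, 19): (76, "V10.5"),
    (3, 72): (44, "V11.1 M3 FP3"),
    (4, 24): (92, "V11.1 M3 FP3"),
}


def parse_version(text):
    """Split 'major.minor.build' into three integers or raise ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected major.minor.build, got %r" % text)
    return tuple(int(p) for p in parts)  # int() raises ValueError on non-digits


def check_jcc_version(text):
    """Return (status, detail); status is 'fixed', 'needs-update' or 'unknown'."""
    major, minor, build = parse_version(text)
    entry = FIXED_BUILDS.get((major, minor))
    if entry is None:
        # Release line not named in the post: do not guess either way.
        return ("unknown", "%d.%d is not in the fix list" % (major, minor))
    fixed_build, release = entry
    fixed = "%d.%d.%d" % (major, minor, fixed_build)
    if build >= fixed_build:
        return ("fixed", "%s: at or above %s" % (release, fixed))
    return ("needs-update", "%s: upgrade to %s or later" % (release, fixed))


if __name__ == "__main__":
    # Constructed sample versions, one per outcome.
    for sample in ("4.19.66", "4.19.76", "3.72.44", "4.25.13"):
        status, detail = check_jcc_version(sample)
        print("%-10s %-13s %s" % (sample, status, detail))
```

Because the problem described here involves several driver copies in one JVM, run the check against every driver JAR on the application server's class paths, not only the first one found.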
Authors:
Sujan S Ghosh (sghosh@rocketsoftware.com)
Advisory software engineer, Db2Connect
Kollol K Misra (Kmisra@rocketsoftware.com)
Architect, Db2Connect
UID
ibm11141990