During the last weeks of the year, I usually go through my tools to do some cleanup work and compile an annual review. When I did so, I remembered a security vulnerability that kept the whole IT world busy in December 2021 and early 2022. Now that some months have passed by, I thought it might be worthwhile summarizing the strategy, tools, and processes that are used to address security vulnerabilities with SAP NetWeaver and IBM Db2.
While compiling this blog post, I also realized that there are some IBM Db2 releases going out of maintenance by the end of 2022. So, I also share this information with you.
SAP NetWeaver Systems Running on IBM Db2 – End of Support for IBM Db2 Versions 9.7 and 10.1
If you check the IBM documentation for the end of support dates for IBM Db2, you will find that IBM Db2 versions 9.7 and 10.1 have already been out of extended maintenance since September 2020. However, you will also find a special IBM technote for SAP customers that points to SAP Note 1168456 – DB6: Support Process and End of Support Dates for IBM Db2 LUW.
According to this SAP Note, support for SAP systems running on IBM Db2 versions 9.7 and 10.1 will expire on 2022-12-31. So, it’s time to prepare for upgrading your database to a more recent version. This requires some planning and checking the SAP Product Availability Matrix (PAM) for a valid combination of operating system and IBM Db2 versions. If you can’t complete the planning or find a suitable downtime window for the upgrade before then, schedule it as early as possible in 2023. The IBM Db2 Support team for SAP will not refuse to work on critical issues, but a fix for such issues might require you to upgrade to an available newer IBM Db2 version. What will not be available are any security fixes required for the Log4j issues.
Apache Log4j Security Vulnerabilities
In December 2021 and early 2022, Apache Log4j security vulnerabilities caused a lot of discussions and activities in the IT world. Db2 was partly affected, for example, when some special features of federation or text search were used. While I was answering questions and talking to customers about the impact of the vulnerabilities, a capability of the SAP DBA Cockpit came to my mind that could help with clarifying questions around security vulnerabilities in IBM Db2 and how they are addressed.
How Security Vulnerabilities Are Addressed
Before talking about the SAP DBA Cockpit, let’s recap some of the basics around security vulnerabilities first. The IBM Product Security Incident Response Team (PSIRT) is dedicated to managing potential IBM security vulnerabilities that are reported by IBM customers, security researchers, industry groups, government organizations, or vendors. If you want to get details or subscribe for security bulletins via mail, RSS feed, or blog, please refer to this IBM website: IBM PSIRT | IBM Trust Center.
The IBM Db2 development teams interact with the Product Security Incident Response Team and have dedicated team members who check reported potential vulnerabilities and provide code changes to address the security issues.
The Product Security Incident Response Team publishes IBM security bulletins that contain CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring System) information.
Security vulnerabilities are categorized based on their CVSS score and range from severity 4 or low with a CVSS score of 0.0 – 3.9 to severity 1 or critical with a score of 9.0 – 10.0. Along with the classification, a remediation timeline is defined, that is, the number of days within which a mitigation for the security vulnerability must be available – for example, 90 days in the case of a threat that is classified as high.
If you want to know details about how the CVSS is calculated and if you want to create your own CVSS example, please refer to NVD – CVSS v3 Calculator (nist.gov).
Checking for Fixed Security Vulnerabilities Using the DBA Cockpit
Now, let’s come back to the SAP Database Administration (DBA) Cockpit function that I want to present in this blog post: the capability called IBM Db2 Fix Pack level check. This check in the SAP DBA Cockpit has two main features. First, the check can validate whether the system is running on an SAP-certified level of IBM Db2.
Second, the IBM Db2 Fix Pack level check can show which SAP-certified Fix Packs are available for the currently installed version of IBM Db2. In the example below, the system is running on IBM Db2 10.5 Fix Pack 11. For this Fix Pack level, a total of 10 Fix Packs or security special builds are certified by SAP and available for download. The IBM Db2 Fix Pack level check lists the CVEs included in the available Fix Packs and provides further recommendations, for example, to upgrade to a newer version of Db2.
Using this information, you can more easily explore what security vulnerabilities are fixed in a certain IBM Db2 fix pack and assess if an upgrade is required.
In addition, this screen also checks whether the committed software level is identical to the installed software level of your database. Such a mismatch may occur if you have upgraded your database software but have not run the shell script db6_update_db on the OS command line as described in SAP Note 1365982 – DB6: Current “db6_update_db/db6_update_client” script.
The IBM Db2 Fix Pack level check is based on SAP Note 101809 – DB6: Supported Db2 Versions and Fix Pack Levels. This SAP Note was changed to a machine-readable structure and can be downloaded to your SAP NetWeaver based system. To enable the download of this SAP Note, please first implement SAP Note 2857949 – Download of SAP Note without persisting it (for DBA Cockpit).
The IBM Db2 Fix Pack level check can be implemented with the correction instructions in SAP Note 2989894 and is also part of SAP support packages, for example, support package 26 for SAP Basis 7.40. For details about the required support packages, please refer to SAP Note 2989894 – DB6: DBA Cockpit: Db2 Fix Pack Level Check.
IBM Db2 Fix Packs with Security Patches
As you might be aware, IBM Db2 Fix Packs are certified by SAP before they are released for SAP customers. The SAP verification of an IBM Db2 Fix Pack is a comprehensive set of tests, and this takes some time. However, when there’s a security vulnerability, a fast certification is required. To speed up the certification process, the interaction between SAP and IBM was optimized in 2020.
Before 2020, the SAP certification process for security special builds started as soon as the build was published by IBM. Now the process of SAP certification runs in parallel with the final IBM test cycle. This small but efficient change in the process is possible because of additional tests during the IBM Db2 Fix Pack verification, which allows for faster certification of IBM Db2 builds by SAP. The goal is to have IBM Db2 security fixes for the most recent IBM Db2 release 11.5 certified by SAP within two weeks after they have been published by IBM. Downstream releases (Db2 11.1 and 10.5) may take a little longer. Fixes for Db2 versions 9.7 and 10.1 are no longer available since these IBM Db2 releases are out of maintenance by the end of 2022.
You might also ask yourself whether a certain security vulnerability affects SAP applications at all and whether you must implement a fix. For example, if a security vulnerability affects a functionality such as materialized query tables that is not supported by SAP, the fix might not be relevant for SAP customers. Given the frequency of security special builds and the wide range of applications and different implementations, it is almost impossible to validate every single security issue, and doing so would lead to an increasing number of SAP-specific IBM Db2 security builds. Therefore, SAP certifies IBM Db2 security special builds regardless of which components are subject to a published security vulnerability.
The IBM Db2/SAP development team will continue to assess the impact of security vulnerabilities and will publish an SAP Security Note or SAP HotNews if required.
Conclusion
With the IBM Db2 Fix Pack level check, the comprehensive SAP Note 101809 with details about IBM Db2 Fix Packs, and the optimized integration of IBM and SAP development and certification processes, there’s now a more timely and convenient process against security vulnerabilities in place for SAP NetWeaver-based systems on IBM Db2.
But don’t forget: If you are running an SAP NetWeaver-based system on IBM Db2 version 9.7 or 10.1, prepare for an upgrade as soon as possible and check SAP Note 1168456 for the end-of-service dates of IBM Db2.
Follow our community page to stay up-to-date and feel free to share your comments or suggestions here in the blog, or post and answer questions about IBM Db2 and SAP NetWeaver here.