i View

IBM DB2 Web Query Security Bulletin, January 2, 2024

Posted on January 8, 2024 by Bill Langston

Just as you were returning to work to begin the new year, IBM published a security bulletin, alerting DB2 Web Query customers that the software is "vulnerable to a remote attacker bypassing security restrictions or executing arbitrary code, to a local authenticated attacker obtaining sensitive information, or to denial of service."

The security bulletin only references release 2.4.0 of the now withdrawn DB2 Web Query software, but we suspect that is only because IBM doesn't test unsupported releases. We believe the security vulnerabilities listed in the bulletin also exist in release 2.3.0 and prior releases.

This news puts DB2 Web Query customers in an uncomfortable position. Since the software is no longer marketed by IBM, IBM will not let you extend your software maintenance beyond the current term; they have recommended customers look for an alternative solution.

If you're running DB2 Web Query release 2.4.0 and can't stop using the software immediately, you should heed IBM’s warnings and apply the Program Temporary Fixes (PTF’s) as soon as possible. If you're like many DB2 Web Query customers who are running an earlier release, you have a couple options:

• Ignore the warning and cross your fingers.
• Spend the time upgrading to release 2.4.0, applying the PTF’s, and assigning someone to test your production queries at the new level. Of course, all this work means investing further in software that IBM will support only through the remaining months of your current software maintenance term.

We think you should treat this security bulletin as justification for your company to prioritize replacing DB2 Web Query as soon as possible.

NGS specializes in IBM i business intelligence (BI) and reporting. Unlike IBM and many of our competitors, our development and technical support resources aren't divided across product lines and platforms. Our livelihood depends on our ability to help you use our software successfully over the long term.

We welcome you to begin your search for an IBM DB2 Web Query alternative by watching the on demand video, "Planning Your Exit from IBM DB2 Web Query", scheduling a conference call with our team, and requesting a private web demo of NGS-IQ.

Posted in IBM i Marketplace | Comments