https://community.qlik.com/t5/Qlik-Replicate/DB2-driver/m-p/2532599#M15185 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/349997">@Sukanya2</a>&nbsp;,</P> <P>I’m glad to hear that the DB2 LUW database server has been successfully upgraded from version 10.5 to 11.5.9.</P> <P>The IBM DB2 Information Disclosure vulnerabilities (SB#<STRONG>41247</STRONG> / SB#<STRONG>41246</STRONG> / SB#<STRONG>26513</STRONG>) are primarily associated with the DB2 Java client / JDBC driver (JAR files). These issues are typically exploited when the database is accessed via Java/JDBC under specific conditions, which may result in sensitive information disclosure.</P> <P>Although the ODBC client package (eg <STRONG>v11.5.9_ntx64_client.exe</STRONG>) installs JAR files on the Replicate server, Qlik Replicate does not rely on them. Replicate only requires the ODBC client components, and applications that use the ODBC API are generally not affected by these vulnerabilities.</P> <P>Based on this, I recommend the following actions:</P> <OL> <LI>Upgrade the DB2 LUW ODBC client in the on-premises environment to the latest build.</LI> <LI><SPAN>Back up and remove the Java-related folders (by default located at <STRONG>C:\Program Files\IBM\SQLLIB\java</STRONG> and <STRONG>C:\Program Files\IBM\SQLLIB\TOOLS</STRONG>).</SPAN></LI> <LI><SPAN>Perform comprehensive acceptance testing in lower environments before rolling changes out to production.</SPAN></LI> </OL> <P>In my validation tests, <STRONG>removing these JAR files did not impact Replicate functionality</STRONG>.</P> <P>Hope this helps,<BR />John</P> Mon, 06 Oct 2025 10:33:20 GMT john_wang 2025-10-06T10:33:20Z https://community.qlik.com/t5/Qlik-Replicate/DB2-driver/m-p/2532567#M15184 <P><SPAN>We have identified vulnerabilities in the IBM DB2 drivers used within our Qlik Replicate on-prem environment. </SPAN></P> <P><SPAN>Our DB2 team has upgraded the database server from version 10.5 to 11.5.9, which is confirmed to be compatible with Qlik Replicate.</SPAN><BR /><BR /><SPAN>DB2 team also shared a JAR file, but we are currently unclear whether we need to upgrade just the JAR file or the entire DB2 driver package on the Qlik Replicate server.</SPAN><BR /><BR /><SPAN>Could you please advise on the correct upgrade steps and whether a full driver upgrade is required to align with the new DB2 version?</SPAN><BR /><BR /><SPAN>Vulnerability Name: IBM DB2 10.5 &lt; 10.5 FP 11 41247 / 11.1 &lt; 11.1.4 FP 7 41246 / 11.5 &lt; 11.5.8 FP 0 26513 Information Disclosure (Windows)</SPAN></P> Mon, 06 Oct 2025 06:54:04 GMT https://community.qlik.com/t5/Qlik-Replicate/DB2-driver/m-p/2532567#M15184 Sukanya2 2025-10-06T06:54:04Z https://community.qlik.com/t5/Qlik-Replicate/DB2-driver/m-p/2532599#M15185 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/349997">@Sukanya2</a>&nbsp;,</P> <P>I’m glad to hear that the DB2 LUW database server has been successfully upgraded from version 10.5 to 11.5.9.</P> <P>The IBM DB2 Information Disclosure vulnerabilities (SB#<STRONG>41247</STRONG> / SB#<STRONG>41246</STRONG> / SB#<STRONG>26513</STRONG>) are primarily associated with the DB2 Java client / JDBC driver (JAR files). These issues are typically exploited when the database is accessed via Java/JDBC under specific conditions, which may result in sensitive information disclosure.</P> <P>Although the ODBC client package (eg <STRONG>v11.5.9_ntx64_client.exe</STRONG>) installs JAR files on the Replicate server, Qlik Replicate does not rely on them. Replicate only requires the ODBC client components, and applications that use the ODBC API are generally not affected by these vulnerabilities.</P> <P>Based on this, I recommend the following actions:</P> <OL> <LI>Upgrade the DB2 LUW ODBC client in the on-premises environment to the latest build.</LI> <LI><SPAN>Back up and remove the Java-related folders (by default located at <STRONG>C:\Program Files\IBM\SQLLIB\java</STRONG> and <STRONG>C:\Program Files\IBM\SQLLIB\TOOLS</STRONG>).</SPAN></LI> <LI><SPAN>Perform comprehensive acceptance testing in lower environments before rolling changes out to production.</SPAN></LI> </OL> <P>In my validation tests, <STRONG>removing these JAR files did not impact Replicate functionality</STRONG>.</P> <P>Hope this helps,<BR />John</P> Mon, 06 Oct 2025 10:33:20 GMT https://community.qlik.com/t5/Qlik-Replicate/DB2-driver/m-p/2532599#M15185 john_wang 2025-10-06T10:33:20Z