Sukanya2
Contributor II

DB2 driver

We have identified vulnerabilities in the IBM DB2 drivers used within our Qlik Replicate on-prem environment.

Our DB2 team has upgraded the database server from version 10.5 to 11.5.9, which is confirmed to be compatible with Qlik Replicate.

The DB2 team also shared a JAR file, but we are currently unclear whether we need to upgrade just the JAR file or the entire DB2 driver package on the Qlik Replicate server.

Could you please advise on the correct upgrade steps and whether a full driver upgrade is required to align with the new DB2 version?

Vulnerability Name: IBM DB2 10.5 < 10.5 FP 11 41247 / 11.1 < 11.1.4 FP 7 41246 / 11.5 < 11.5.8 FP 0 26513 Information Disclosure (Windows)

1 Reply
john_wang
Support

Hello @Sukanya2 ,

I’m glad to hear that the DB2 LUW database server has been successfully upgraded from version 10.5 to 11.5.9.

The IBM DB2 Information Disclosure vulnerabilities (SB#41247 / SB#41246 / SB#26513) are primarily associated with the DB2 Java client / JDBC driver (JAR files). These issues are typically exploited when the database is accessed via Java/JDBC under specific conditions, which may result in sensitive information disclosure.

Although the ODBC client package (e.g., v11.5.9_ntx64_client.exe) installs JAR files on the Replicate server, Qlik Replicate does not rely on them. Replicate only requires the ODBC client components, and applications that use the ODBC API are generally not affected by these vulnerabilities.

Based on this, I recommend the following actions:

  1. Upgrade the DB2 LUW ODBC client in the on-premises environment to the latest build.
  2. Back up and remove the Java-related folders (by default located at C:\Program Files\IBM\SQLLIB\java and C:\Program Files\IBM\SQLLIB\TOOLS).
  3. Perform comprehensive acceptance testing in lower environments before rolling changes out to production.

In my validation tests, removing these JAR files did not impact Replicate functionality.

Hope this helps,
John

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!
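
The backup-and-remove step from the reply above, sketched as a PowerShell script. This is an added example, not part of the original thread and not Qlik or IBM code. The backup location `D:\Backup\db2-java` and the parameter names are assumptions; the two folder paths are the defaults named in the reply.

```powershell
# Back up, then optionally remove, the DB2 client's Java folders.
# Run from an elevated PowerShell session on the Replicate server.
param(
    # Default install root named in the reply; adjust if the client lives elsewhere.
    [string]$SqlLib = 'C:\Program Files\IBM\SQLLIB',
    # Hypothetical backup location (assumption, not from the thread).
    [string]$BackupDir = 'D:\Backup\db2-java',
    # Without -Remove the script only inventories and backs up.
    [switch]$Remove
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($name in 'java', 'TOOLS') {
    $src = Join-Path $SqlLib $name
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Host "skip: $src not present"
        continue
    }
    # Record every JAR with its SHA-256 so the backup can be audited later.
    $jars = @(Get-ChildItem -LiteralPath $src -Recurse -Filter *.jar -File)
    $jars | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
        Export-Csv (Join-Path $BackupDir "$name-$stamp-jars.csv") -NoTypeInformation

    $zip = Join-Path $BackupDir "$name-$stamp.zip"
    Compress-Archive -LiteralPath $src -DestinationPath $zip

    # Refuse to delete unless the archive holds every JAR found on disk.
    $archive = [System.IO.Compression.ZipFile]::OpenRead($zip)
    try {
        $zipped = @($archive.Entries | Where-Object { $_.Name -like '*.jar' }).Count
    } finally { $archive.Dispose() }
    if ($zipped -lt $jars.Count) {
        throw "backup incomplete for $src ($zipped of $($jars.Count) JARs)"
    }

    if ($Remove) {
        Remove-Item -LiteralPath $src -Recurse -Force
        Write-Host "removed: $src (backup: $zip)"
    } else {
        Write-Host "backed up only: $src -> $zip (re-run with -Remove to delete)"
    }
}
# Anything listed here is a JAR still present under SQLLIB after the run.
Get-ChildItem -LiteralPath $SqlLib -Recurse -Filter *.jar -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
```

Running it first without `-Remove` in a lower environment yields the archive and JAR inventory needed to restore the folders if acceptance testing shows a dependency.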