
Stuff
OS/400 Edition
Volume 2, Number 17 -- August 28, 2003

OS/400 Alert: A New Feature for Midrange Programmer


by Shannon O'Donnell

In the typical OS/400 shop, the person who programs servers is also responsible for administration and maintenance of the machines. Most of the 225,000 AS/400 and iSeries shops in the world have one, two, or three programmer/analysts; only in the largest organizations do programmers live in the rarefied environment where all they are coping with is RPG, SQL, Java, or HTML code.

This new "OS/400 Alert" column in Midrange Programmer, OS/400 Edition, will be a regular feature. Our goal is to keep OS/400 shops up to date on the critical PTFs for OS/400, DB2/400, and the related system programs that run on the box. We will also track important patches to third-party application and middleware programs that are commonly used on AS/400 and iSeries servers. Despite its name, however, the "OS/400 Alert" won't focus only on OS/400. It will also track the key updates to Windows and Linux environments and the system, middleware, and application programs that typically run with them as adjuncts to the OS/400 platform at AS/400 and iSeries shops. The idea is to put all of this information in one place, so you don't have to poke around for it. Finally, we will track the security issues that affect OS/400, Windows, and Linux as they relate to the AS/400 and iSeries platform.

PTFs and Fixes You Can't Live Without

Every so often, IBM puts together a list of fixes for OS/400 licensed programs that you just can't live without. Although they are recommended, the truth is that you would probably be safe in not applying these fixes and updates to your iSeries. The chances that you would experience problems if you did not apply the fixes are probably small. However, "probably" is a broad and vague term when you are betting your business or job on it. So it is always a good idea to apply the latest fixes and PTFs for your AS/400 or iSeries and the Licensed Program Products (LPPs) on your system.

Below is a list of IBM's latest recommended PTFs. Not all fixes may apply to every system, since not all systems have the same LPPs. A good rule of thumb is to order and apply the latest cumulative package regardless of the LPPs installed on your system. It's also a good idea to get the latest HIPER and database PTFs. Most of these fixes are common across all systems, regardless of the LPPs installed. Here is a listing of the recommended fixes, with links to them:


                     V5R2      V5R1      V4R5
Cumulative Package   SF99520   SF99510   SF99450
HIPER Group          SF99519   SF99097   SF99096
Database Group       SF99502   SF99501   SF99105

When you order the latest cumulative package for V5R1 and V5R2, you also get the latest HIPER and database group packages for your OS/400 version and release. V4R5 clients must order HIPER and database group PTFs separately.

PTF Spotlight

This "PTF Spotlight" focuses on DASD Availability Fixpacks. A DASD Availability Fixpack is a conglomeration of PTFs designed to "enhance" (IBM's word, not mine) the availability of various disk subsystems that were failing in late 2001 and early 2002 because of quality control issues at IBM's disk-manufacturing facilities.

Order V5R1 Fixpack MF27051, and you will also get MF27051 and MF26336. Order V4R5 Fixpack MF27053, and you also get MF27053, MF26366, MF26281, MF25472, and MF25703. Order V4R4 Fixpack MF27063, and you also get MF27063, MF26365, MF26280, MF25473, and MF25702.

These Fixpacks are not applicable to OS/400 V5R2 (which already has the fixes). But many customers are still using V5R1, V4R5, V4R4, and even older versions of OS/400. Therefore, while it may be sexy to focus only on the newest features and fixes to the operating system, that approach is not terribly practical. So though our primary focus will be on fixes for the latest OS/400 version and release, we won't forget all of you who are running older versions of OS/400.

Security Alerts

From time to time, the Computer Emergency Response Team releases information on known security vulnerabilities for various hardware, software, and technologies. The OS/400 platform, because of its unique design and its integrated hardware and software, is almost never directly vulnerable to any of the viruses, worms, Trojan horses, or other malicious code bouncing around out there on the Internet. But that is not to say that OS/400 is always 100 percent secure or that it cannot be affected by various security problems. One reason why such vulnerabilities exist is that AS/400 and iSeries servers can run multiple operating systems and support an extremely large variety of IBM and non-IBM software and hardware. This column will focus on those vulnerabilities and let you know what's going on. We may not always have a solution to recommend, but at the very least you will be informed and can make your own decisions based on this knowledge.

As you probably know, IBM is now supplying advisories to CERT as they affect AS/400 and iSeries platforms and their system programs. IBM has released an advisory to CERT on vulnerabilities found in Lotus Notes and Domino and in the Apache Web Server when they run on the OS/400 platform.

To get the details on this CERT advisory and IBM's response to it, you have to go to IBM's Resource Link. This is a password-protected site, so you will need to register. After receiving your user name and password, sign in and click "problem solving," from the menu on the left side of the screen. Then click "security alerts." This will present a list of IBM's responses to CERT vulnerabilities.

The Notes/Domino advisory is document CA-2003-11--Multiple Vulnerabilities in Lotus Notes and Domino. IBM says that it has not been able to reproduce the buffer overflow problem on OS/400 servers as has been exhibited on other platforms, but because the Notes/Domino code is mostly the same across different platforms, Notes/Domino might be affected by the buffer overflows. IBM says further that OS/400 itself is not susceptible to denial-of-service attacks, because of its architecture. IBM is nonetheless recommending that customers move to Domino 5.0.12 or a later release.

The Apache advisory is CERT VU#206537--Apache Vulnerable to DOS Attack. Implementations of Apache 2.0.44 on OS/400, Windows, and Unix platforms are vulnerable to a denial-of-service attack because of the way that Apache handles excessively large chunks of consecutive linefeed characters. Earlier and later Apache 2.x versions may also contain the vulnerability. IBM has issued PTF SI08600 for OS/400 V5R1 and PTF SI08601 for OS/400 V5R2 to close this hole.

Is Your iSeries Vulnerable to the SoBig Virus?

This week was an unusual one for me. For the first time ever, my PC was infected by a virus, even though I religiously maintain the virus definition files for my antivirus software and never open an e-mail attachment unless I'm expecting one.

Although my PC was not infected by SoBig directly, my inbox has been flooded with thousands of e-mails containing the virus from users whose PCs and servers have been infected. Luckily, my antivirus software does an excellent job of filtering out the virus in these e-mails. Unfortunately, the antivirus software does not automatically filter out SoBig; it prompts me to decide what to do with it (such as quarantine or delete). And before you write and tell me that I should be able to configure my antivirus software to automatically handle these e-mails, let me say that I know this already and have attempted to configure my system this way, but for some reason my antivirus tool does not automatically handle these e-mails. The result is that I have spent the last five days manually quarantining thousands of infected e-mails.

While I had all this free time on my hands deleting these thousands of e-mails one by one, I got to wondering if the iSeries was vulnerable to SoBig. The answer is yes and no.

In general, PC viruses can never affect the OS/400 objects that live where most of us do our work: the QSYS.LIB file system. There are lots of reasons for this, but here are three of the most important:

  • OS/400 object-level security allows activity on only those objects authorized to the user profile attempting the activity. A PC virus (or program) would not be able to simulate this authority.

  • PC viruses do not "know" about OS/400 objects such as *FILE or *PGM and therefore would not be able to perform any activity upon those objects.

  • iSeries and AS/400 servers have unique hardware and software integration, and a single-level storage design makes it very hard, if not impossible, for typical virus programs to exploit memory leaks, the typical method of running malignant code in protected storage.

So the answer to whether the iSeries is vulnerable to SoBig is not black and white. Your iSeries or AS/400 can be affected, although not necessarily infected, by the SoBig virus in a couple of very important ways.

DDOS, or distributed denial of service, attacks occur when an outside TCP/IP process (usually deliberate) causes unwanted, voluminous TCP/IP traffic to "hit" a PC server or Web site over and over until there is no room left for authorized traffic to get in. In other words, in a DDOS attack, the gateway into your server can become so bogged down in bogus traffic that legitimate traffic can't get in. Your iSeries, acting as an SMTP server/relay, could become bogged down in this manner by this virus.

The other way a virus could affect your system is through propagation. This virus spreads itself by harvesting e-mail addresses from basically any file with an extension of .dbx, .eml, .hlp, .htm, .html, .mht, .wab, or .txt. Because of this, SoBig could propagate itself throughout your company by looking at the OS/400 Integrated File System, via PCs with drives mapped to the IFS. Although it does not use the iSeries directly to spread itself, the worm running on your users' infected PCs can use the content it finds in the IFS through those users' mapped drives, and spread the virus from there.

And, finally, if you are running an Integrated xSeries Server (IxS) co-processor inside your iSeries, or if you are linking to an external xSeries machine through the Integrated xSeries Adapter (IxA) card, you could find that the file systems used by these Intel-based servers have become infected just like any other Windows-based PC server not connected to your iSeries.

What can you do? The best thing you can do to protect your iSeries is to ensure that you do not grant global access to the /root file system of your iSeries for drive mapping. Surprisingly, many shops do allow users access to any file system on their IFS through a mapped drive. By locking down access to your IFS, you are already well ahead of the game. Also, running the latest virus protection software on your IxS card and on your users' PCs will prevent them from becoming infected by SoBig and other viruses. And, finally, you can reduce or eliminate the majority of problems related to DDOS attacks by taking advantage of an external router with a built-in firewall, or by using the iSeries' ability to control TCP/IP access via IP addresses through Operations Navigator (we'll include a "how to" for this in a future issue of this column), as well as its ability to filter e-mails at the SMTP server via a variety of search criteria, also through Operations Navigator (we'll cover this later, too). In addition, there are now native OS/400 antivirus products that run directly on your iSeries, in both the IFS and the Linux partition, which will help keep your system virus-free. You can also get antivirus software for the IFS from Bytware, which launched a product to fix just this problem at the end of June.
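To see how much address data a mapped IFS drive actually exposes to a given user, the audit below walks a directory tree with that user's own authority and counts distinct e-mail addresses in files carrying the extensions listed above. It is an added example, not part of the original column; it assumes Python is available on the PC that has the drive mapped, and the sample tree in demo() is constructed.

```python
import os
import re
import tempfile

# Extensions the column lists as SoBig's address-harvesting targets.
HARVEST_EXTS = {".dbx", ".eml", ".hlp", ".htm", ".html", ".mht", ".wab", ".txt"}
# Deliberately loose pattern: an exposure estimate, not an RFC 5322 parser.
ADDR_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def audit_exposure(root, max_bytes=1_000_000):
    """Walk root with the caller's own authority. Return (exposed, denied):
    exposed maps each readable target file to its distinct address count,
    denied lists paths this account could not list or open."""
    exposed, denied = {}, []
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda err: denied.append(err.filename)):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HARVEST_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                denied.append(path)  # locked down for this account
                continue
            found = {m.lower() for m in ADDR_RE.findall(data)}
            if found:
                exposed[path] = len(found)
    return exposed, denied


def demo():
    """Run the audit over a constructed tree standing in for a mapped drive."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "home"))
        samples = {  # constructed sample files
            "home/contacts.TXT": b"ann@example.com, bob@example.org, ANN@example.com\n",
            "home/index.html": b"<a href='mailto:sales@example.net'>mail</a>",
            "home/notes.txt": b"no addresses in this file\n",
            "home/payroll.csv": b"carol@example.com\n",  # extension not targeted
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        exposed, denied = audit_exposure(root)
        rel = {os.path.relpath(p, root).replace(os.sep, "/"): n
               for p, n in exposed.items()}
        return rel, denied


if __name__ == "__main__":
    print(demo())
```

Run audit_exposure against the mapped drive letter or mount point while signed on as an ordinary user; every path in the exposed result is one that tighter IFS authority would move into the denied list.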



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.