IBM Begins Providing OS/400-Specific Info on CERT Warnings

by Alex Woodie

IBM recently started posting information on the Web that addresses Computer Emergency Response Team (CERT) security warnings for each of its server platforms, including OS/400 machines. Now, AS/400 and iSeries administrators who are concerned that security vulnerabilities publicized by the respected industry group may pose a threat to their company or their customers can check an IBM Web site to see Big Blue's response to the threat.

In July, IBM started posting platform-by-platform responses for the last nine months of CERT security vulnerability warnings at its Resource Link site. As of last Friday, the site provided iSeries, pSeries, and xSeries responses to approximately 30 CERT security vulnerabilities. Only two of the vulnerabilities could possibly affect OS/400 servers at the time: the problems in Domino found in February and the Apache vulnerability discovered in April. The worst that could happen to OS/400 servers in these two cases is susceptibility to denial of service (DoS) attacks. The advisories also provide information on which OS/400 PTFs address the problems.

The security concerns of OS/400 customers were first reported 14 months ago in a Guild Companies article, "IBM Looking to Change How It Responds to Security Vulnerabilities." The situation was brought to light when an iSeries consultant was looking for some assurance from IBM that the flaw found in the simple network management protocol (SNMP) wouldn't affect OS/400. The team in Rochester did issue a document (in a worst-case scenario the iSeries was susceptible to a DoS attack) that was posted to the CERT Web site in the same way that most other major computer manufacturers responded. However, IBM's legal team soon retracted the document, fearing it would set a precedent in how it responded to security vulnerabilities. The consultant had aired his protest to the iSeries top brass at a Sound-Off session at COMMON.

Even before the botched response to the SNMP flaw was made public, iSeries security architect Patrick Botz was working to find a suitable means to distribute this information to AS/400 and iSeries shops. IBM's lawyers eventually signed off on the current Resource Link method of distributing information because they considered the vulnerabilities to be public information after CERT publishes them on its Web site, Botz says. In this way, IBM figured it was not putting its midrange and mainframe clients in additional jeopardy by disclosing the potential weaknesses of their still-proprietary IT systems. (However, IBM is hedging its bets by not providing mainframe responses to CERT vulnerabilities to the public.)

Botz says the big challenge in creating the Resource Link vulnerability response was getting all of IBM's server groups on one page. "CERT likes to deal with one contact at a company. For some, it works fine. For IBM, that wasn't working out very well." Historically, IBM's pSeries team worked with CERT to provide IBM responses to CERT advisories, and the IBM information posted to the CERT Web site has always been AIX-specific. Instead of trying to get iSeries, xSeries, and zSeries information to CERT through the pSeries team, IBM decided to create its own internal reporting system.

The IBMer who created the tools to distribute CERT advisories to the different IBM divisions and collect the different responses, and who came up with the idea to publish the information via Resource Link, was Steven Bade. "He deserves much of the credit," Botz says. "To put this together, for a company the size of IBM, was no small feat. It took a lot of effort, a lot of coordination, and a lot of cooperation across marketing and legal departments to make this work and to find the right division to host the Web site."

While the iSeries team is publicly acknowledging and responding to CERT advisories for the first time, Botz and his security team always paid attention to CERT advisories. "We're not looking any closer at them," he says. "We've always known what our vulnerability was." Botz says 99 percent of the security exposures just don't apply to OS/400, although there might be a risk of DoS attacks. "From an iSeries point of view, we want to reassure everybody that the iSeries is not susceptible to the vast majority of problems," Botz says. "I've been wanting to trumpet this stuff for years."

Although the OS/400 entries in the Resource Link page may contain information about certain PTFs that address a specific problem, there is no linkage to OS/400 PTF Web pages at this time. Also, this new program does not change IBM's policy of not discussing specific OS/400 security vulnerabilities addressed by the integrity PTFs IBM occasionally issues.

Botz says the new Resource Link Web page should be another place that systems administrators check on a regular basis, in addition to the Web page listing integrity PTFs. "I would always go out to the IBM PTF Web site, and keep track of any integrity PTFs. And in addition, I would go here and look," he says.

You have to sign up for a user name and password to view the responses to CERT on the Resource Link page. This is just how the Resource Link Web page was designed, although it could benefit the user if IBM decides to offer this information in e-mails. To view IBM's response to CERT vulnerabilities for zSeries, you must have a mainframe support contract with IBM. Information for iSeries, xSeries, and AIX is available to the public.

To view IBM's response to CERT vulnerabilities on the Resource Link page, go to www.ibm.com/servers/resourcelink and click "register." After receiving your user name and password, sign in from the page above, and click on "problem solving" from the menu on the left side of the screen. Then click on "security alerts." This will present a list of IBM's responses to CERT vulnerabilities. For each entry, you can view the original CERT document, and view any platform-specific information. OS/400 will not be an option if the topic just doesn't apply to OS/400. And when there is the potential for some kind of threat, more often than not, the OS/400 statement will read "based on current knowledge, this vulnerability does not apply to OS/400."
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.