• The Four Hundred
  • IBM Patches Security Flaw in OS/400 V5R3

    January 16, 2007 Alex Woodie

    IBM issued several integrity PTFs last September to fix a security vulnerability in OS/400 and i5/OS V5R3 and V5R3M5. The problem, called the OS/400 Connection Reset Denial of Service Vulnerability, can be exploited by hackers to reset established TCP connections on iSeries and System i servers, according to security firm Secunia, which gave the vulnerability a “less critical” rating.

    IBM issued four Program Temporary Fixes (PTFs) on September 26 to fix the problem, in which an established TCP connection can be reset by sending a specially crafted TCP packet. It appears that a hacker could potentially use this technique to launch a denial of service (DoS) attack by repeatedly resetting the connection, thereby forcing a user to disconnect the server’s network connection before the DoS attack causes the server to overload and crash.

    IBM first included the fix in OS/400 V5R4, Jim Herring, director of System i product management and business operations, said today. “Our guys said it would take an awful lot of work to be able to exploit this exposure, so we decided to fix it first in the V5R4 base code, which was in development at the time, because it would get the highest amount of testing,” he said. IBM then applied the fix to V5R3 and V5R3M5 and released the integrity PTFs.

    IBM released two Authorized Program Analysis Reports (APARs), MA33860 and MA33861, which referenced four patches: R530 MF39879 7016 and R530 MF39880 7016 for OS/400 (i5/OS) V5R3, and R535 MF39909 7016 and 535 MF39910 7016 for V5R3M5. MF39879 has since been superseded by MF40178, and MF39909 has been superseded by MF40861.

    According to the Secunia advisory posted Monday, the OS/400 security vulnerability is related to the TCP Reset Vulnerability that was first reported by security researcher Paul Watson in April 2004. At the time, there was great concern that the vulnerability could be exploited to launch a massive attack that would cripple the Internet. As it turns out, those fears were largely unfounded. Network equipment vendors, led by Cisco Systems, updated their wares to fix the problem.

    Apparently, the problem went unpatched in OS/400 and the new i5/OS operating system for more than two and a half years. Herring said IBM was notified that OS/400’s TCP/IP stack was at risk from the exposure, but it’s unclear if any iSeries or System i users were hit by DoS attacks. In any event, iSeries and System i users should take the problem seriously and apply the integrity PTFs as soon as possible, if they haven’t already done so.

    Herring said there are no plans to issue PTFs to fix the problem in previous releases of OS/400.

    Security vulnerabilities like this are a rare occurrence for OS/400, which is widely regarded to be one of the most–if not the most–secure operating systems in use. While it’s not in any danger of becoming like every hacker’s favorite target, Microsoft Windows, anytime soon, IBM OS/400 does occasionally make news with a vulnerability.

    Also in November, Secunia reports IBM issued MF33249 to fix the “osp-cert Fix ASN.1” vulnerabilities in its ASN.1 parser for OS/400 V5R3. Secunia gave the vulnerabilities a “moderately critical” rating, one step above the rating it gave the Connection Reset DoS vulnerability.

    OS/400 is not without its weaknesses–especially when it comes to implementing standards-based protocols that turn out to have security holes. But when properly configured, OS/400 is practically hacker proof. Its highly regimented access controls make it very difficult for a hacker who’s unfamiliar with the system to break it, and its object-oriented design makes it highly resistant to conventional viruses. In fact, there has never been a documented virus afflicting OS/400 (although security researchers say it’s not impossible to create one).

    Unfortunately, while security is one of OS/400’s strengths, many companies don’t take the time to properly configure their server’s security settings–either from lack of time and knowledge or a mistaken reliance on the box’s security capabilities–leaving them open to problems down the road. For a sobering look at the slipshod approach to security at many OS/400 shops, check out our story on security software developer PowerTech’s most recent state of OS/400 security report.

    This story has been corrected. IBM issued the integrity PTF in September 2006, not on January 13, 2007, as the story first stated. On January 13, IBM updated the advisory concerning the PTF and the vulnerability it fixed. IT Jungle regrets the error.

Volume 7, Number 2 -- January 16, 2007
Copyright © 2022 IT Jungle