IBM Patches Multiple Java Security Vulnerabilities in IBM i
September 17, 2013 Alex Woodie
IBM last week acknowledged that it quietly patched a number of potentially critical security vulnerabilities in IBM i that could enable attackers to compromise, spoof, and gain privileged access to an affected system. The problems stem mostly from flaws in Java that Oracle disclosed in June, and which affect the Java Runtime Environment and Java Software Development Kit (JRE/JDK) for all supported releases of the OS, from i5/OS V5R4 through IBM i 7.1.
On Friday, Secunia issued an advisory that disclosed the existence of multiple security vulnerabilities in IBM i, each identified by an official CVE reference number. The security organization stated:
“IBM has acknowledged multiple vulnerabilities in IBM i, which can be exploited by malicious, local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system.”
IBM issued a security bulletin confirming 45 separate flaws, each with its own CVE listing, that can affect IBM i. Most of those stem from Oracle's June disclosure, but eight additional flaws that were not part of that Oracle batch were patched as well.
IBM says there were several vulnerabilities that affected multiple components, including CVE-2013-3006 through CVE-2013-3012. “These vulnerabilities allow code running under a security manager to escalate its privileges by modifying or removing the security manager,” IBM says in its security advisory. “Some of the issues need to be combined in sequence to achieve an exploit. The vulnerabilities could occur when untrusted code is executed under a security manager, or when the IBM Java SDK has been associated with a Web browser for running applets and Web Start applications.”
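To make concrete what "modifying or removing the security manager" means, here is an added illustration (not code from IBM, Oracle, or the bulletin) of the check a correctly working Java sandbox performs: a minimal SecurityManager that denies the RuntimePermission named "setSecurityManager", so that an attempt by sandboxed code to uninstall the manager is rejected. The class and method names are invented for this demo, and the behaviour assumed is that of Java 8-era JDKs (the generation covered by this bulletin); on Java 18 and later the security manager is disabled unless the JVM is started with -Djava.security.manager=allow.

```java
import java.security.Permission;

// Added demo, not vendor code: shows the permission check that stands between
// sandboxed code and the security manager. CVE-2013-3006 through CVE-2013-3012
// are described by IBM as ways for code running under a manager to get past
// this kind of check; on a patched JDK the check below holds.
public class SecurityManagerDemo {

    // Hypothetical manager that denies only the permission needed to replace
    // or remove the installed manager; everything else is permitted so the
    // demo runs without a policy file.
    static final class LockedDownManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("denied: " + perm.getName());
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Returns true if the JVM blocked removal of the manager, false if it went through. */
    static boolean removalIsBlocked() {
        try {
            // System.setSecurityManager asks the *current* manager for
            // RuntimePermission("setSecurityManager") before swapping it out.
            System.setSecurityManager(null);
            return false; // the manager is gone: privilege escalation succeeded
        } catch (SecurityException expected) {
            return true;  // the check held
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new LockedDownManager());
        boolean blocked = removalIsBlocked();
        System.out.println("setSecurityManager(null) blocked: " + blocked);
        System.out.println("manager still installed: "
                + (System.getSecurityManager() != null));
        // Expected on a correctly behaving JDK: both lines print true.
    }
}
```

Run it with `javac SecurityManagerDemo.java && java SecurityManagerDemo`. The point for an administrator is that this check is only as good as the JDK enforcing it: the sandbox boundary lives inside the JRE/JDK shipped with IBM i, which is why the fix is delivered as group PTF updates rather than as an application change.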
IBM patched the flaws with updates to three group PTFs, including:
SF99562 level 25, which addresses the 32-bit JDK for IBM i 6.1 and 7.1 and was last updated August 29;
SF99572 level 14, which addresses the 64-bit JDK for IBM i 6.1 and 7.1 and was last updated August 29;
and SF99291 level 34, which addresses the 32-bit JDK for i5/OS V5R4 and was last updated August 29.