Heartbleed Exposes The Vulnerability Of An IBM i Mentality

    April 28, 2014 Alex Woodie

    When IBM recently patched the Heartbleed vulnerability (CVE-2014-0160) that existed in the Power Systems firmware, it did more than issue a more secure piece of system code. IBM also demonstrated the fallibility of maintaining an IBM i mentality in an increasingly complex and interconnected world. As IT Jungle’s PTF patch master and IBM business partner Doug Bidwell explains, we can ill afford to think of IBM i as an isolated entity anymore.

    “I just read your article, IBM Patches Heartbleed Vulnerability in Power Systems Firmware. Thank you for getting that out there,” Bidwell writes via email. Bidwell, who edits IT Jungle’s System i PTF Guide, had alerted us to IBM’s April 18 security bulletin revealing the existence of the Heartbleed vulnerability in the Power Systems firmware and the immediate availability of fixes.

    “But, there is something still not gelling with the client base,” Bidwell continues. “Reading your article, I see it there, also. There is no IBM i server. Just as there is no AIX server. Periodically, IBM will announce an OS-specific version of a Power server, such as PowerLinux. But there is only a Power box, and an OS that makes it a server.”

    “One of the legacy conceptions we are all guilty of is that we think of the AS/400 as one entity, a box with an OS that are tightly integrated and a single entity in conversation. That changed when they merged the i and p systems onto Power….”

    So much has changed since that day in April 2008 when IBM formally unveiled the Power Systems platform and did away with System i and System p forever. While the two platforms had shared hardware for some time, that was the day IBM attempted to permanently erase any lines separating those systems.

    Despite the merger of platforms, many in the IBM midrange community maintain the IBM i identity, just as they identified themselves as System/38, AS/400, iSeries, or System i guys or gals before April 2008. It’s a tempting security blanket to hold onto, but the irony is that it may actually hurt security.

    “The entire client base thinks of the one entity,” Bidwell writes. “And that’s the vulnerability, and, the challenge. Because there used to be one entity, when you put on the Cume, and IBM said there were no vulnerabilities, we tended to not touch the box for months, even years at a time. That changed when ‘the merge’ happened, and it’s taking a long time for people to wake up to the point your article both makes and misses, that IBM i is an OS that rides on a Power piece of hardware. Two entities, not one. And they are tightly integrated, but not so much that you can afford to watch only one entity.”

    Specifically, Bidwell points to PASE (Portable Application Solutions Environment), the AIX-compatible runtime that IBM added to the platform as an option more than a decade ago, but which has since become a critical part of the infrastructure stack for applications running on IBM i and Power Systems. If you use Java, the Apache Web server, or the PHP runtime, you’re using PASE, whether you know it or not. Each of those components carries its own copy of libraries such as OpenSSL, on its own release and fix schedule, separate from the operating system’s cumulative PTF package.

    “PASE added a great deal of functionality to the IBM i OS by allowing many varied licensed program products to be added to the OS/400 we all knew,” Bidwell writes. “But it also added another area of watchfulness. Each licensed program product that resides on PASE is susceptible to its own version schedule, and, its own vulnerabilities.”

    PASE is just one example of how the legacy “Fortress Rochester” AS/400 mentality is clashing with today’s modern and complex Power Systems platform. When IT Jungle attempted to ascertain the significance of the Heartbleed OpenSSL vulnerability that existed in the Power Systems firmware, to gauge whether this was a super-critical problem that could be easily exploited or an obscure flaw that a hacker would have a tough time doing anything with, the IBMer from Rochester punted, saying he didn’t handle the firmware and couldn’t speak to that. Whose responsibility is it? It’s tough to say, and that ambiguity is itself the security problem: a layer nobody owns is a layer nobody patches.

    “The days of monitoring and administering one ‘system’ are gone,” Bidwell writes. “We all need to be watching the hardware, the OS, the licensed programs, and be aware of each of their differences and vulnerabilities. In the SMB marketplace, speaking from the ‘i’ point of view, virtually everyone thinks of their system as an IBM i. It was a great concept while it lasted, but that is not the horse we are riding today. Or, as Tim [Prickett Morgan] put it once, ‘This ain’t your daddy’s AS/400 anymore.'”
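    The practical consequence of Bidwell’s point is an inventory that tracks each layer separately: firmware, the operating system, and every PASE-hosted licensed program that carries its own OpenSSL. The following script is an added illustration written for this article, not code from IBM or IT Jungle. It triages such an inventory for Heartbleed using the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 lines were never affected). The component names and version strings in the sample inventory are constructed for the example, not real IBM product data. One caveat a practitioner needs: vendors frequently ship a fix as a PTF or distribution patch without changing the reported version string, so a version-only check produces false positives and the inventory must record whether the vendor fix has been applied.

```python
import re
from dataclasses import dataclass
from typing import Optional

HEARTBLEED_CVE = "CVE-2014-0160"

# OpenSSL versions look like "1.0.1e" or "0.9.8y": three numbers plus an
# optional patch letter. Anything else is treated as unknown, not as safe.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text: str):
    """Return (major, minor, patch, letter) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def openssl_heartbleed_vulnerable(version: str) -> bool:
    """True if the upstream release 'version' contained the Heartbleed bug.

    Affected: 1.0.1 (no letter) through 1.0.1f. Fixed in 1.0.1g.
    Other release lines (0.9.8.x, 1.0.0.x) did not have the heartbeat code.
    """
    major, minor, patch, letter = parse_openssl_version(version)
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (plain 1.0.1) and "a".."f" sort below "g"


@dataclass
class Component:
    layer: str                      # "firmware", "os" or "pase-lpp"
    name: str                       # constructed label for the example
    openssl_version: Optional[str]  # None when the version is not known
    vendor_fix_applied: bool        # PTF/patch applied without a version bump


def triage(inventory):
    """Classify each component as 'vulnerable', 'fixed', 'unaffected' or 'unknown'."""
    results = {}
    for c in inventory:
        if c.openssl_version is None:
            results[c.name] = "unknown"          # must be investigated, never assumed safe
            continue
        try:
            affected = openssl_heartbleed_vulnerable(c.openssl_version)
        except ValueError:
            results[c.name] = "unknown"
            continue
        if not affected:
            results[c.name] = "unaffected"
        elif c.vendor_fix_applied:
            results[c.name] = "fixed"            # same version string, patched code
        else:
            results[c.name] = "vulnerable"
    return results


# Constructed sample inventory: names and versions are hypothetical.
SAMPLE_INVENTORY = [
    Component("firmware", "power-fw-sample", "1.0.1e", vendor_fix_applied=True),
    Component("os", "ibmi-os-sample", "1.0.0k", vendor_fix_applied=False),
    Component("pase-lpp", "pase-openssl-sample", "1.0.1c", vendor_fix_applied=False),
    Component("pase-lpp", "apache-bundle-sample", "1.0.1g", vendor_fix_applied=False),
    Component("pase-lpp", "php-bundle-sample", None, vendor_fix_applied=False),
]


def open_items(results):
    """Names that still need action: vulnerable or not yet assessed."""
    return sorted(n for n, s in results.items() if s in ("vulnerable", "unknown"))


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{HEARTBLEED_CVE}: {name}: {status}")
```

Run against the sample inventory, the script flags the PASE OpenSSL at 1.0.1c as vulnerable, treats the firmware at 1.0.1e as fixed only because the vendor fix is recorded, and lists the component with no known version as an open item rather than quietly passing it. The point is the shape of the check, one record per layer with its own version and fix state, rather than the sample data.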

    RELATED STORIES

    IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    Heartbleed Postmortem: Time to Rethink Open Source Security?

    Heartbleed, OpenSSL, and IBM i: What You Need to Know

    It’s Official: Now We’re Power Systems and i for Business



Volume 24, Number 15 -- April 28, 2014