    IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    May 15, 2014 Alex Woodie

    If you thought your IBM i server was completely immune to the Heartbleed vulnerability, think again. On Friday, IBM issued a security bulletin directing customers to upgrade their Power Systems firmware with a patch for the Heartbleed vulnerability in OpenSSL.

    In its security bulletin, IBM said that Power Systems firmware is affected by the Heartbleed vulnerability, CVE-2014-0160, and advised customers to take action. The bulletin applies to Power Systems server firmware, HMC, and SDMC. You can find the bulletin at www-304.ibm.com/support/docview.wss?uid=nas8N1020034.

    According to IBM’s bulletin, the vulnerability impacts all current Version 770 (including Power 710, 720, 730, 740, PowerLinux, 750, 760 and 780) servers, as well as Version 780 (including Power 770, 780, and 795) machines. Customers on Version 770 machines are advised to immediately upgrade their firmware to 01Ax770_076 or higher, while customers on Version 780 machines are advised to apply 01Ax780_054 or higher. IBM advises customers to find the fixes at its Fix Central website.
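
The firmware levels above can be checked across an inventory with a short script. This is an added example, not code from IBM or from the original article; it assumes the "x" in 01Ax770_076 stands for a single platform letter, and the system names and levels in the sample are constructed.

```python
import re

# Minimum fixed service-pack level per firmware release, from the article.
FIXED_LEVEL = {"770": 76, "780": 54}

# The article writes levels as 01Ax770_076. Assumption: "x" stands for one
# platform letter, so any single letter is accepted in that position.
LEVEL_RE = re.compile(r"^01A[A-Z](\d{3})_(\d{3})$")


def classify(level):
    """Return 'patched', 'needs-update', 'not-listed' or 'unparseable'."""
    m = LEVEL_RE.match(level.strip().upper())
    if not m:
        return "unparseable"
    release, service_pack = m.group(1), int(m.group(2))
    minimum = FIXED_LEVEL.get(release)
    if minimum is None:
        return "not-listed"  # release is not one of the two named in the article
    return "patched" if service_pack >= minimum else "needs-update"


def needs_attention(inventory):
    """Names of systems whose level is not confirmed patched, sorted."""
    return sorted(n for n, lvl in inventory.items() if classify(lvl) != "patched")


# Constructed sample inventory (system names and levels are made up).
SAMPLE = {
    "prod-p740": "01AL770_063",
    "prod-p770": "01AM780_054",
    "dev-p720": "01AL770_076",
    "lab-old": "01AL740_100",
    "unknown": "n/a",
}

if __name__ == "__main__":
    for name, level in sorted(SAMPLE.items()):
        print(f"{name:10} {level:12} {classify(level)}")
```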

    After applying the fix, IBM advises Power Systems customers to take additional steps to protect themselves from Heartbleed, including resetting all passwords used by any network-facing applications protected by a vulnerable version of OpenSSL, and forcing users to re-authenticate. That includes all HMC user accounts configured for local authentication and those configured for Kerberos and LDAP authentication, as well as any OS or application password used on a partition managed by the HMC when the partition is enabled for HMC remote virtual terminal (vterm) or remote 5250 console, IBM says.

    A request for comment from IBM was not received by this newsletter’s deadline.

    The IBM i server has been widely touted as being largely immune to the massive Heartbleed vulnerability that has spooked security professionals around the world and potentially compromised billions of passwords and credit card numbers used on the Internet since December 2011.

    The reason for confidence was primarily based on the fact that IBM uses its own implementation of SSL encryption in its main encryption offerings for IBM i and other enterprise systems. IBM’s products that do use the OpenSSL library, including WebSphere, Lotus Notes/Domino, and the Portable Utilities for i product (which contains the OpenSSH, OpenSSL, and zlib open source packages), use OpenSSL version 0.98. However, only OpenSSL versions 1.0.1 through 1.0.1f are affected by Heartbleed.
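
The version range in the paragraph above can be applied to collected OpenSSL version banners. This is an added example, not code from the original article; it uses only the range the article states, and the sample banners are constructed.

```python
import re

# Affected range as the article states it: 1.0.1 through 1.0.1f.
FIRST_AFFECTED = (1, 0, 1, "")
LAST_AFFECTED = (1, 0, 1, "f")

# Matches the version in banners such as "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, fix, letter_suffix), or None if no version found."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def in_affected_range(banner):
    """True/False for a parsed banner, None when the banner cannot be parsed.

    A True result means "verify and patch": the banner shows only the upstream
    version, and a vendor build may carry a backported fix under the same string.
    """
    version = parse_version(banner)
    if version is None:
        return None
    # Tuples compare element by element; "" sorts before "a", "f" before "g".
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


# Constructed sample banners.
SAMPLE = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "no banner collected",
]

if __name__ == "__main__":
    for banner in SAMPLE:
        print(f"{banner!r:40} in affected range: {in_affected_range(banner)}")
```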

    The revelation that Power Systems firmware uses open source security components and is susceptible to the Heartbleed vulnerability will surely lead to some rethinking as to the best way to architect security for IBM’s enterprise systems.

Volume 14, Number 9 -- April 22, 2014