IBM Patches Heartbleed Vulnerability in Power Systems Firmware
May 15, 2014 Alex Woodie
If you thought your IBM i server was completely immune to the Heartbleed vulnerability, think again. On Friday, IBM issued a security bulletin directing customers to upgrade their Power Systems firmware with a patch for the Heartbleed vulnerability in OpenSSL.
In its security bulletin, IBM stated that Power Systems firmware is affected by the Heartbleed vulnerability, CVE-2014-0160, and advised customers to take action. The bulletin applies to the Power Systems server firmware, the HMC, and the SDMC. You can find the bulletin at www-304.ibm.com/support/docview.wss?uid=nas8N1020034.
According to IBM’s bulletin, the vulnerability affects all current machines running Version 770 firmware (including Power 710, 720, 730, 740, PowerLinux, 750, 760 and 780), as well as those running Version 780 firmware (including Power 770, 780, and 795). Customers on Version 770 machines are advised to immediately upgrade their firmware to 01Ax770_076 or higher, while customers on Version 780 machines are advised to apply 01Ax780_054 or higher. IBM advises customers to obtain the fixes from its Fix Central website.
After applying the fix, IBM advises Power Systems customers to take additional steps to protect themselves from Heartbleed: reset all passwords used by any network-facing application that was protected by a vulnerable version of OpenSSL, and force users to re-authenticate. According to IBM, that covers all HMC user accounts, whether configured for local, Kerberos, or LDAP authentication, and also any OS or application password used on a partition managed by the HMC when the partition is enabled for HMC remote virtual terminal (vterm) or remote 5250 console.
A request for comment from IBM was not received by this newsletter’s deadline.
The IBM i server has been widely touted as being largely immune to the massive Heartbleed vulnerability that has spooked security professionals around the world and potentially compromised billions of passwords and credit card numbers used on the Internet since December 2011.
That confidence rested primarily on the fact that IBM uses its own implementation of SSL encryption in its main encryption offerings for IBM i and other enterprise systems. IBM products that do use the OpenSSL library, including WebSphere, Lotus Notes/Domino, and the Portable Utilities for i product (which contains the OpenSSH, OpenSSL, and zlib open source packages), used OpenSSL version 0.98, and only OpenSSL versions 1.0.1 through 1.0.1f are affected by Heartbleed.
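An added example, not from the article or from IBM, that turns the two version facts above into an audit check: it flags firmware levels below the 01Ax770_076 / 01Ax780_054 fix levels and OpenSSL versions inside the 1.0.1 through 1.0.1f range. The firmware-level format (01A, a model letter, the three-digit family, an underscore, a three-digit build and an optional service-pack suffix) and the inventory lines are assumptions constructed for the example.

```python
import re

# Minimum fixed firmware build per family, as quoted from IBM's bulletin.
# The "x" in 01Ax is the model-specific letter; any letter is accepted here.
MIN_FIX_BUILD = {"770": 76, "780": 54}

# Assumed level format, e.g. 01AL770_068 or 01AL770_068_045 (service pack).
FW_RE = re.compile(r"^01A([A-Z])(\d{3})_(\d{3})(?:_\d{3})?$")

# OpenSSL version string, e.g. 1.0.1f or 0.9.8 (no letter suffix).
OPENSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_firmware_level(level):
    """Split a firmware level into (model letter, family, build number)."""
    m = FW_RE.match(level)
    if not m:
        raise ValueError(f"unrecognised firmware level: {level!r}")
    letter, family, build = m.groups()
    return letter, family, int(build)


def firmware_needs_update(level):
    """True if the level is in an affected family and below the fix build.

    Returns None when the family is not covered by the bulletin at all.
    """
    _, family, build = parse_firmware_level(level)
    if family not in MIN_FIX_BUILD:
        return None
    return build < MIN_FIX_BUILD[family]


def openssl_is_heartbleed_vulnerable(version):
    """True for OpenSSL 1.0.1 (no suffix) through 1.0.1f, False otherwise."""
    m = OPENSSL_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    if (int(major), int(minor), int(fix)) != (1, 0, 1):
        return False  # 0.9.8 and 1.0.2 are outside the affected branch
    return letter <= "f"  # '' sorts before 'a', so plain 1.0.1 counts


def hosts_needing_update(inventory):
    """inventory: iterable of (hostname, firmware level); returns hosts below fix."""
    return [host for host, level in inventory if firmware_needs_update(level)]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = [("hmc-a", "01AL770_068"), ("hmc-b", "01AM780_054"), ("hmc-c", "01AL780_050")]
    print(hosts_needing_update(sample))  # → ['hmc-a', 'hmc-c']
```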
The revelation that Power Systems firmware uses open source security components and is susceptible to the Heartbleed vulnerability will surely lead to some rethinking as to the best way to architect security for IBM’s enterprise systems.