• The Four Hundred
  • IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    May 15, 2014 Alex Woodie

    If you thought your IBM i server was completely immune to the Heartbleed vulnerability, think again. On Friday, IBM issued a security bulletin directing customers to upgrade their Power Systems firmware with a patch for the Heartbleed vulnerability in OpenSSL.

    In its security bulletin, IBM said that Power Systems firmware was affected by the Heartbleed vulnerability, CVE-2014-0160, and advised customers to take action. The bulletin applies to Power Systems server firmware, the HMC, and the SDMC. You can find the bulletin at www-304.ibm.com/support/docview.wss?uid=nas8N1020034.

    According to IBM’s bulletin, the vulnerability impacts all current Version 770 (including Power 710, 720, 730, 740, PowerLinux, 750, 760 and 780) servers, as well as Version 780 (including Power 770, 780, and 795) machines. Customers on Version 770 machines are advised to immediately upgrade their firmware to 01Ax770_076 or higher, while customers on Version 780 machines are advised to apply 01Ax780_054 or higher. IBM advises customers to find the fixes at its Fix Central website.

    After applying the fix, IBM advises Power Systems customers to take additional steps to protect themselves from Heartbleed, including resetting all passwords used by any network-facing applications protected by a vulnerable version of OpenSSL, and forcing users to re-authenticate. That includes all HMC user accounts configured for local authentication, those configured for Kerberos and LDAP authentication, and any OS or application password used on a partition managed by the HMC when the partition is enabled for HMC remote virtual terminal (vterm) or remote 5250 console, IBM says.

    A request for comment from IBM was not received by this newsletter’s deadline.

    The IBM i server has been widely touted as being largely immune to the massive Heartbleed vulnerability that has spooked security professionals around the world and potentially compromised billions of passwords and credit card numbers used on the Internet since December 2011.

    The reason for confidence was primarily based on the fact that IBM uses its own implementation of SSL encryption in its main encryption offerings for IBM i and other enterprise systems. IBM’s products that do use the OpenSSL library, including WebSphere, Lotus Notes/Domino, and the Portable Utilities for i product (which contains the OpenSSH, OpenSSL, and zlib open source packages), used OpenSSL version 0.98. However, only OpenSSL versions 1.0.1 through 1.0.1f are affected by Heartbleed.
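
    An added example, not code from IBM or from this article: a Python check that compares firmware level strings against the fix levels quoted above and tests an OpenSSL version string against the affected range. The reading of "x" as a single platform letter, the function names, and the sample inventory are assumptions.

```python
import re

# Fix levels quoted in the article from IBM's bulletin, keyed by firmware release.
FIXED_LEVEL = {"770": 76, "780": 54}

# The article writes the level as "01Ax770_076". Assumption: "x" stands for a
# single platform letter and the leading "01" may be omitted in tool output.
FW_RE = re.compile(r"^(?:01)?A[A-Z](\d{3})_(\d{3})$", re.IGNORECASE)
OPENSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def firmware_status(level):
    """Classify one firmware level string against the article's fix levels."""
    m = FW_RE.match(level.strip())
    if not m:
        return "unparsed"
    release, service_pack = m.group(1), int(m.group(2))
    if release not in FIXED_LEVEL:
        return "not-listed"  # the article names only releases 770 and 780
    return "fixed" if service_pack >= FIXED_LEVEL[release] else "update"


def openssl_in_affected_range(version):
    """True for OpenSSL 1.0.1 through 1.0.1f, the range the article gives."""
    m = OPENSSL_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    numeric = tuple(int(g) for g in m.groups()[:3])
    return numeric == (1, 0, 1) and m.group(4) <= "f"


def triage(inventory):
    """Return {system: status} for (system, firmware_level) pairs."""
    return {name: firmware_status(level) for name, level in inventory}


# Constructed sample inventory; system names and levels are illustrative only.
SAMPLE = [
    ("power-a", "01AL770_063"),
    ("power-b", "01AM780_054"),
    ("power-c", "AL740_100"),
    ("power-d", "level unknown"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
    for v in ("1.0.1", "1.0.1f", "1.0.1g", "0.9.8y"):
        print(v, "affected" if openssl_in_affected_range(v) else "not affected")
```

    Systems reported as "update" are the ones for which the password resets and forced re-authentication described above follow the firmware fix.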

    The revelation that Power Systems firmware uses open source security components and is susceptible to the Heartbleed vulnerability will surely lead to some rethinking as to the best way to architect security for IBM’s enterprise systems.

Volume 14, Number 9 -- April 22, 2014
Copyright © 2025 IT Jungle