IBM Patches BIND and OpenSSL Flaws in IBM i

    March 18, 2015 Alex Woodie

    IBM has patched several security vulnerabilities in the IBM i OS recently, including some lingering problems with OpenSSL, as well as a new ISC BIND delegation handling vulnerability. The vulnerabilities affect multiple releases of the IBM i OS and could enable an attacker to crash affected servers, so get your PTFs applied as soon as possible.

    The more critical vulnerabilities are related to the ISC BIND Delegation Handling vulnerabilities, which impact the Berkeley Internet Name Domain (BIND) software, specifically the Domain Name Service (DNS). Two BIND-related flaws were discovered in December 2014, according to the Internet Systems Consortium, which oversees the BIND and DNS standards and operates one of the Internet’s 13 DNS root servers.

    The first flaw, known as CVE-2014-8500, could allow an attacker to exploit an oversight in BIND version 9 that causes BIND to issue an unlimited number of queries, which can lead to resource exhaustion and a crash. ISC gave CVE-2014-8500 a severity rating of “critical,” while the National Institute of Standards and Technology (NIST) gave it a 7.8 on the Common Vulnerability Scoring System (CVSS), owing to the ease with which an attacker can exploit the vulnerability.

    A second set of BIND security flaws, collectively known as CVE-2014-8680, affects the GeoIP features of BIND version 9.10 and can also lead to DoS attacks on affected servers. NIST gives these flaws a CVSS score of 5.4, as they are not nearly as easy to exploit.

    The first BIND flaw affects IBM i, but the second one does not, IBM said in a March 4 post on its Product Security Incident Response Team (PSIRT) blog.

    The first BIND flaw, CVE-2014-8500, impacts i5/OS V5R4 through IBM i 7.2. IBM has issued three PTFs to patch the problem in IBM i: SI55895 for IBM i 6.1, SI55748 for IBM i 7.1, and SI55866 for IBM i 7.2, IBM says in its security advisory. V5R4 will not be patched, as it is no longer supported by IBM.
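As an added illustration (not from the article and not BIND's code): a toy iterative resolver that follows glueless delegations, where every upstream query for one client question is charged to a single budget. That is the idea behind the max-recursion-queries and max-recursion-depth limits ISC added to BIND 9 for CVE-2014-8500; the names, addresses and the default budget of 50 below are constructed.

```python
from typing import Callable, Tuple

# Simulated upstream answer: ("A", address) is a final answer; ("NS", ns_name, address)
# is a glueless referral: the nameserver's own name must be resolved before it can be
# asked, and once reached it returns `address` for the original name.
Answer = Tuple[str, ...]
Upstream = Callable[[str], Answer]

class QueryLimitExceeded(Exception):
    """One client question would need more upstream queries than the resolver permits."""

class Resolver:
    def __init__(self, upstream: Upstream, max_queries: int = 50) -> None:
        self.upstream = upstream
        self.max_queries = max_queries  # per-question cap (constructed default value)
        self.queries_sent = 0

    def _query(self, name: str) -> Answer:
        """Send one simulated upstream query, refusing once the budget is spent."""
        if self.queries_sent >= self.max_queries:
            raise QueryLimitExceeded(f"gave up on {name} after {self.queries_sent} queries")
        self.queries_sent += 1
        return self.upstream(name)

    def resolve(self, name: str) -> str:
        """Answer one client question; every upstream query is charged to one budget."""
        self.queries_sent = 0
        return self._resolve(name)

    def _resolve(self, name: str) -> str:
        answer = self._query(name)
        if answer[0] == "A":
            return answer[1]
        _, ns_name, address = answer
        self._resolve(ns_name)  # chase the glueless nameserver; it may refer on again
        self._query(name)       # follow-up query to that nameserver, now reachable
        return address

# Constructed legitimate data: one glueless delegation, then a final answer.
LEGIT = {
    "www.example.test": ("NS", "ns1.example.test", "192.0.2.10"),
    "ns1.example.test": ("A", "192.0.2.53"),
}

def endless_referrals(name: str) -> Answer:
    """Constructed misbehaving upstream: each nameserver is delegated to yet another."""
    hop = int(name.split(".")[0][1:])
    return ("NS", f"h{hop + 1}.unbounded.test", "203.0.113.1")
```

Without the budget check in `_query`, the second upstream keeps the resolver chasing referrals indefinitely; with it, the question fails with a bounded amount of work and the other clients are unaffected.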

    Meanwhile, IBM patched a slew of new OpenSSL flaws that were discovered in January, including:

    • CVE-2014-3569, the “ssl23_get_client_hello denial of service” vulnerability, which has a CVSS score of 5
    • CVE-2014-3570, the Bignum unspecified vulnerability, which has a CVSS score of 2.6
    • CVE-2014-3571, the DTLS denial of service vulnerability, which has a CVSS score of 5
    • CVE-2014-3572, the ECDH weak security flaw, which has a CVSS score of 1.2
    • CVE-2014-8275, the fingerprints security bypass vulnerability, which has a CVSS score of 2.1
    • CVE-2015-0204, the “ssl3_get_key_exchange RSA-to-EXPORT_RSA downgrade” vulnerability, which has a CVSS score of 4.3
    • CVE-2015-0205, the DH certificate security bypass, which has a CVSS score of 2.1
    • CVE-2015-0206, the dtls1_buffer_record denial of service vulnerability, which has a CVSS score of 5

    These flaws impact every release of the OS from i5/OS V5R3 through IBM i 7.2, according to IBM’s PSIRT blog. However, only IBM i 6.1 through 7.2 have been patched, with PTFs SI56063 (for IBM i 6.1), SI55950 (for IBM i 7.1), and SI55951 (for IBM i 7.2); the older i5/OS releases will not be patched.

    The new batch of OpenSSL patches is not nearly as bad as the Heartbleed flaw that led millions of people to change their passwords last April, and which impacted IBM i, Power Systems firmware, and applications. But it is still a potent reminder of the pitfalls that open source software can bring, and of the vigilance all IBM i shops must exercise to ensure they are not unknowingly making themselves more vulnerable.

    RELATED STORIES

    IBM And ISVs Fight POODLE Vulnerability In SSL 3.0

    Heartbleed Exposes The Vulnerability Of An IBM i Mentality

    IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    Heartbleed Postmortem: Time to Rethink Open Source Security?

    Heartbleed, OpenSSL, and IBM i: What You Need to Know


Volume 25, Number 16 -- March 18, 2015