IBM Issues HiPER And Security Patches For V5R4

September 21, 2015 Timothy Prickett Morgan

Here is a weird one. Last week, IBM released PTF patches for OS/400 V5R4, also known as i5/OS 5.4, the venerable release of OS/400 that came out in February 2006 and that was withdrawn from marketing in May 2011 and had its standard Software Maintenance ended in September 2013. Extended maintenance is still running for those customers who pay for it, and will continue to do so until September 30, 2016.

While this Program Support Extension (PSE) support does offer tech support for the V5R4 stack on Power Systems and earlier machines, it has always been my understanding that Big Blue does not generate new bug fixes outside of the normal Software Maintenance (SWMA) window. IBM does not do new feature development under extended support, but it does provide usage support, meaning helping you out when something goes wrong as you try to do stuff.

Doug Bidwell, our intrepid PTF hunter, spotted the updates for V5R4 and has downloaded then and applied them to some customer machines that are still running V5R4 and they appear to work. The PTFs were put into the HIPER and Security PTF groups, HIPER being short for “High Impact” and “Pervasive” patches to the OS/400 and IBM i platform, and security being what you expect. As far as Bidwell can tell, the patches are exactly the same in both groups, and IBM has not issued a new cumulative release (CUME, in IBMspeak) of V5R4.

Here are the PTF numbers so you can go hunting for them if you are still on V5R4:

Here are the links to the two PTF groups:

When you click through to those links, you will see that IBM actually did the updates on September 11 this year, and it updated the HIPER PTF group last on December 17, 2013 and the Security PTF group on January 29, 2013. The description of the issue is as follows from these documents: “ISC released an CVE-2015-5477, BIND did not handle TKEY queries correctly, and may cause BIND to exit. ISC released an CVE-2015-4620, over DNSSEC validation, which will affect V7R1~V7R2 release and can cause a security problem.”

If you understand that, you need to spend more time outside. But seriously, ISC is short for the Internet Systems Consortium, and BIND is a popular open source implementation of the Domain Name Server (DNS) and is short for the Berkeley Internet Name Domain. The DNS is was converts the text names of a web address to an IP address with its four sets of three digit numbers. (We all thought it might have something to do with the binding of program elements during program compilations, but nothing that exciting.) Anyway, the bug fix for BIND, which is in the OS/400 V5R4 stack, relates to this security issue identified by CVE, allowing for denial of service attacks to be launched by remote hackers. This vulnerability was identified on July 10 of this year, and has been fixed in the Canonical Ubuntu Server, SUSE Linux Enterprise Server, Red Hat Enterprise Linux, and Debian variants of Linux.

One warning from the patch: “After update to BIND 9, the V5R4 IBM i Navigator will not be compatible with the new version BIND server. The high version i Navigator (V6R1 or above) can be partially compatible with the BIND 9 on V5R4, it can be used to configure the existing instances, but when creating new instances, the generated configuration files will be still in BIND 8 format, and cannot work correctly with BIND 9.”

The same fixes are in their equivalent groups for IBM i 6.1, 7.1, and 7.2.

That sounds like a pain in the neck, but maybe not enough to just upgrade to IBM i 7.2. Which is probably a good idea, people.

IBM Clarifies IBM i 6.1.1 And Support Withdrawal

IBM i Marketplace Survey Fills In The Blanks

Big Blue To Sunset IBM i 6.1 A Year From Now

IBM i Upgrades Not All On The Same Path

All Your IBM i Base Are Belong To Us

IBM i Installed Base Dominated By Vintage Iron

Big Blue Backs Off On IBM i Maintenance Price Hike

Big Blue Jacks Software Maintenance Prices For IBM i

IBM Sunsets i5/OS V5R4 Again–For Real This Time

IBM i Technology Refreshes and PTFs: Be Careful

The Carrot: i5/OS V5R4 Gets Execution Stay Until May

The Stick: IBM Jacks Up i5/OS V5R4 Prices

Reader Feedback on The Carrot: i5/OS V5R4 Gets Execution Stay Until May

The i 7.1s Have It; i5/OS V5R4 Extended

IBM Sunsets i5/OS V5R4, Kills Older 595 Iron

Features Galore Inside i5/OS V5R4

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”1

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com