• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • IBM Patches Pair Of TLS Flaws In IBM i

    March 7, 2016 Alex Woodie

    IBM i shops are encouraged to be vigilant following a pair of security vulnerabilities that have emerged in the encryption protocols used by the platform. This includes the SLOTH vulnerability in the IBM i JVM that IBM patched February 15. But a bigger threat looms in the form of DROWN, a potentially significant vulnerability in the SSL/TLS stack that IBM patched on March 1.

    IBM issued a series of patches to address the SLOTH vulnerability in the IBM i JVMs. According to IBM’s Security Bulletin for SLOTH, a problem with the IBM i JVM’s implementation of the TLS 1.2 protocol and how it processes MD5 hash algorithms could weaken security during the TLS handshake with the server. “An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials,” the company says.

    The security vulnerability, which is identified by the Common Vulnerabilities and Exposures database as CVE-2015-7575, carries a Common Vulnerability Scoring System (CVSS) base score of 7.1, which is relatively high. Karthikeyan Bhargavan, a security researcher with miTLS, is credited with discovering the SLOTH flaw in 2015, although its presence was not disclosed until this year. The TLS working group is reportedly working to remove the MD5 hash algorithm from TLS 1.3.

    IBM issued nearly two dozen PTFs to address the SLOTH vulnerability across all supported versions of IBM i (versions 6.1, 7.1, and 7.2); across all supported versions of Java and the associated JVM (Java versions 6.0, 6.26, 7.0, 7.1, and version 8); and in both 32-bit and 64-bit versions. There are no workarounds and IBM recommends applying the patches immediately.

    But a potentially more significant problem with TLS emerged last week when security researchers disclosed the existence of the DROWN vulnerability. On Friday morning, IBM’s Product Security Incident Response team issued the following note on its PSIRT blog:

    “OpenSSL vulnerabilities were disclosed on March 1, 2016, by the OpenSSL Project. OpenSSL is used by IBM i. IBM i has addressed the applicable CVEs including the ‘DROWN: Decrypting RSA with Obsolete and Weakened eNcryption’ vulnerability.”

    Eight individual OpenSSL vulnerabilities collectively compose the DROWN problem, according to IBM’s Security Bulletin for DROWN. While the flaws exist in OpenSSL, they can be used to weaken TLS security, which is the latest encryption protocol used for ecommerce and is considerably more robust than early SSL standards and the open source OpenSSL standard that have caused so much trouble.

    Taken together, the DROWN flaws could allow a remote attacker to bypass security restrictions. “By using a server that supports SSLv2 and EXPORT cipher suites. . . an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers,” IBM says in its security bulletin. Three of the individual DROWN flaws carry CVSS base scores of 7.4, indicating a potent threat.

    TLS is the latest and most secure version of Secure Sockets Layer (SSL) encryption protocol standard that has been in use for decades. Following the critical Heartbleed vulnerabilities in OpenSSL that were disclosed in 2014 and additional flaws found in SSL version 3, organizations across the world were encouraged to upgrade their encryption capabilities to TLS.

    With DROWN making headlines across the security world, experts are emphasizing the need to disable SSL version 2, which was first released in 1995 and has long been obsolete. Ivan Ristic, a security researcher with the security software company Qualys, explains the complexity of the DROWN problem.

    “The especially bad aspect of this attack is that it can be used to exploit TLS, even in cases when client devices don’t support SSL v2, and sometimes even in cases when the servers don’t support SSL v2 (but use the same RSA key as some other server that does),” Ristic says in a March 1 blog post. “The researchers estimate that up to 22 percent of servers could be impacted by this problem.”

    It is unclear how the DROWN or SLOTH vulnerabilities might impact third-party products in the IBM i ecosystem. Emulators and managed file transfer (MFT) tools tend to use these protocols fairly extensively to encrypt remote communications with the server. It’s likely that if IBM is patching these problems in its IBM i products, that the exposures exist elsewhere too, which means IBM i shops should contact their vendors to see if patches might be coming down the pike.

    In any event, the lesson to remember is that obsolete cryptography is dangerous. “For many years the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway,” Ristic says. “This approach is obviously not working. Instead, in the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it’s not, it’s going to come back to bite us, sooner or later.”

    RELATED STORIES

    IBM Tops List of Security Vulnerabilities, But What Does It Mean?

    IBM Patches More OpenSSL Flaws In IBM i

    Keeping Up With Security Threats To IBM i

    State of IBM i Security? Still Horrible, After All These Years

    IBM Blocks ‘Bar Mitzvah’ Attack In SSL/TLS

    IBM Patches BIND and OpenSSL Flaws in IBM i

    IBM And ISVs Fight POODLE Vulnerability In SSL 3.0

    Heartbleed Exposes The Vulnerability Of An IBM i Mentality

    IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    Heartbleed Postmortem: Time to Rethink Open Source Security?

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags:

    Sponsored by
    WorksRight Software

    Do you need area code information?
    Do you need ZIP Code information?
    Do you need ZIP+4 information?
    Do you need city name information?
    Do you need county information?
    Do you need a nearest dealer locator system?

    We can HELP! We have affordable AS/400 software and data to do all of the above. Whether you need a simple city name retrieval system or a sophisticated CASS postal coding system, we have it for you!

    The ZIP/CITY system is based on 5-digit ZIP Codes. You can retrieve city names, state names, county names, area codes, time zones, latitude, longitude, and more just by knowing the ZIP Code. We supply information on all the latest area code changes. A nearest dealer locator function is also included. ZIP/CITY includes software, data, monthly updates, and unlimited support. The cost is $495 per year.

    PER/ZIP4 is a sophisticated CASS certified postal coding system for assigning ZIP Codes, ZIP+4, carrier route, and delivery point codes. PER/ZIP4 also provides county names and FIPS codes. PER/ZIP4 can be used interactively, in batch, and with callable programs. PER/ZIP4 includes software, data, monthly updates, and unlimited support. The cost is $3,900 for the first year, and $1,950 for renewal.

    Just call us and we’ll arrange for 30 days FREE use of either ZIP/CITY or PER/ZIP4.

    WorksRight Software, Inc.
    Phone: 601-856-8337
    Fax: 601-856-9432
    Email: software@worksright.com
    Website: www.worksright.com

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Sponsored Links

    COMMON:  2016 Annual Meeting & Expo, May 15 - 18, in New Orleans! Great Power Systems event!
    System i Developer:  RPG & DB2 Summit - March 22-24 in Dallas. Check out the session grid!
    BCD:  On-Demand Webinar: Introduction to Node.js for IBM i web and mobile development

    The Three Sources Of RUNSQLSTM No More Java 6 Support in Next Version of IBM i

    Leave a Reply Cancel reply

Volume 26, Number 10 -- March 7, 2016
THIS ISSUE SPONSORED BY:

ProData Computer Services
Fresche Legacy
BCD Software
Linoma Software
WorksRight Software

Table of Contents

  • A Possibly Coherent Future Power Hybrid System
  • A Change Of Heart: IBM i Shops More Willing To Share
  • The Most Precious IBM i Resource . . . Women
  • IBM Patches Pair Of TLS Flaws In IBM i
  • IBM Kills Off Flex p260+ Node, Offers PureSystems Trade-In

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • Big Blue Raises IBM i License Transfer Fees, Other Prices
  • Keep The IBM i Youth Movement Going With More Training, Better Tools
  • Remain Begins Migrating DevOps Tools To VS Code
  • IBM Readies LTO-10 Tape Drives And Libraries
  • IBM i PTF Guide, Volume 27, Number 23
  • SEU’s Fate, An IBM i V8, And The Odds Of A Power13
  • Tandberg Bankruptcy Leaves A Hole In IBM Power Storage
  • RPG Code Generation And The Agentic Future Of IBM i
  • A Bunch Of IBM i-Power Systems Things To Be Aware Of
  • IBM i PTF Guide, Volume 27, Numbers 21 And 22

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2025 IT Jungle