Big Blue Patches 14 More OpenSSL Flaws In IBM i

    October 3, 2016 Alex Woodie

    IBM i shops that use the OpenSSL encryption library will want to know that IBM last week issued program temporary fixes (PTFs) for 14 security vulnerabilities impacting IBM i versions 7.1, 7.2, and 7.3. If you’re running an older version of the IBM i OS, you are out of luck.

    Like most modern operating systems, IBM i includes a range of open source components. That includes OpenSSL, which is an open source implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) wire encryption protocols that’s managed by the OpenSSL Project.

    As we learned following the big “Heartbleed” vulnerability that shook the security world back in 2014, we can find OpenSSL in multiple places on IBM i, including WebSphere and Domino products. But the biggest concern is likely the Portable Utilities for i product, or 5733-SC1 LPO, which contains the OpenSSH, OpenSSL, and zlib open source packages that IBM i professionals can use to secure communications.

    Since the big wakeup call that was Heartbleed, security researchers have been poking at OpenSSL and finding a series of problems. That has led to a series of patches for OpenSSL flaws, including one batch back in March 2015, and another batch in August 2015.

    IBM issued its latest batch of OpenSSL patches last week after researchers posted patches to various security sites. The patches are primarily targeted for Linux environments, but since OpenSSL runs in the AIX PASE runtime on IBM i, it’s a small matter for IBM to port them over. It appears IBM did this work quickly this time around, which is good for security conscious IBM i shops. (It’s also good for those security unconscious IBM i shops out there, but that’s another story.)

    IBM detailed the 14 OpenSSL flaws in IBM i in this security bulletin posted last Tuesday. As per usual, IBM had patches available immediately upon disclosing the existence of the security flaws. Customers running IBM i 7.1 should apply PTF number SI62623, while customers running IBM i 7.2 and 7.3 should look for SI62622. As with most security flaws of this kind, customers are recommended to apply the patches as soon as possible.

    Here’s a short description of the 14 flaws that IBM patched, according to the Common Vulnerabilities and Exposures (CVE) clearinghouse of security flaws:

    • CVE-2016-6302: This flaw in the decryption component of the protocol implementation could allow an attacker to launch a denial of service (DOS) attack by sending a malformed ticket. The flaw was first described by security researchers in August, and carries a Common Vulnerability Scoring System (CVSS) base score of 5.3.

    • CVE-2016-6303: This flaw is caused by an integer overflow in the MDC2_Update function, which could enable an attacker to launch a DOS attack against the affected machine. It also was discovered in August and carries a CVSS base score of 5.3, but it could be more dangerous, as researchers say there could be unknown vectors.

    • CVE-2016-6304: A flaw in how the OpenSSL service handles requests could enable an attacker to launch a DOS attack by repeatedly requesting renegotiation. This flaw, which was discovered by researchers this month, carries a CVSS base score of 7.5, making it a substantial threat.

    • CVE-2016-6305: A problem with the SSL_peek() component of OpenSSL could enable a remote criminal to carry out a DOS attack by sending specially crafted data. The attacker must be authenticated, which mitigates the risk to some extent, giving this flaw (discovered last month) a CVSS score of 4.3.

    • CVE-2016-6306: A problem with how OpenSSL checks message lengths when parsing certificates could enable an attacker to launch a DOS attack. The flaw carries a CVSS base score of 4.3.

    • CVE-2016-6307: This is another DOS-related vulnerability discovered in September that’s caused by a problem in how OpenSSL allocates memory when checking for excessive message lengths. By initiating multiple connection attempts, a remote authenticated attacker could send an overly large message to exhaust all available memory resources, thereby crashing the vulnerable system. It carries a CVSS base score of 4.3.

    • CVE-2016-6308: This is another DOS-related flaw, also caused by a failure to properly allocate memory prior to checking for excessive message lengths. It was also discovered last month and also carries a CVSS base score of 4.3.

    • CVE-2016-2177: A flaw in how OpenSSL uses pointer arithmetic for heap-buffer boundary checks could be leveraged by a malicious user to trigger an integer overflow and thereby cause the application to crash. Security researchers say this flaw, which was first discovered in June, carries a moderate risk; its CVSS base score is 5.9.

    • CVE-2016-2178: A flaw in the Digital Signature Algorithm (DSA) component of OpenSSL could enable an attacker to recover a private DSA key, thereby enabling them to recover encrypted data. This flaw was discovered by security researchers in June, and carries a moderate CVSS base score of 5.3.

    • CVE-2016-2179: A failure of the Datagram Transport Layer Security (DTLS) implementation to properly restrict the lifetime of queue entries associated with unused out-of-order messages could enable an attacker to open a large number of simultaneous connections and consume all available memory resources, thereby crashing the program. It was discovered in June, and carries a CVSS base score of 5.3.

    • CVE-2016-2180: A flaw in the TS_OBJ_print_bio function could enable an attacker to crash an affected application by submitting a specially crafted timestamp. The DOS flaw, first discovered in July, was assigned a relatively high CVSS base score of 7.5.

    • CVE-2016-2181: An error in the DTLS replay protection function could enable an attacker to cause valid packets to be dropped by sending a specially crafted sequence number. This DOS flaw was first spotted in August and carries a CVSS base score of 5.3.

    • CVE-2016-2182: Another flaw in the TS_OBJ_print_bio function of OpenSSL could allow an attacker to crash an application. This flaw was found in August and carries a CVSS base score of 4.3.

    • CVE-2016-2183: This weakness, known as the SWEET32 Birthday attack, stems from the 64-bit block size of the Triple-DES block cipher that’s used as part of the SSL/TLS protocol. A remote hacker could use this flaw to capture large amounts of encrypted traffic and possibly recover the unencrypted plaintext data, in what’s known as a man-in-the-middle attack. This flaw was first described in August, and carries a low CVSS base score of 3.7.
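    The SWEET32 entry above rests on the birthday bound for 64-bit block ciphers. The following Python is an added example, not code from the article or from IBM: it works that bound through for Triple-DES versus AES and flags the OpenSSL cipher suite names a defender would want to disable. The suite list in it is constructed, and the formula assumes CBC mode with random-looking plaintext blocks.

```python
import math
import ssl

# Block size in bits of the block ciphers named in OpenSSL/IANA cipher suite
# strings. Everything at 64 bits is in scope for SWEET32 (CVE-2016-2183).
BLOCK_BITS = {
    "DES-CBC3": 64,  # Triple-DES, e.g. DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
    "3DES": 64,      # IANA naming, e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "IDEA": 64,
    "RC2": 64,
    "AES": 128,
}

def block_bits_of(suite_name):
    """Block size of the suite's cipher, or None for stream/unknown ciphers."""
    upper = suite_name.upper()
    return next((b for t, b in BLOCK_BITS.items() if t in upper), None)

def collision_probability(block_bits, n_blocks):
    """Birthday-bound probability that at least two of n_blocks CBC ciphertext
    blocks collide under a b-bit block cipher: 1 - exp(-n(n-1) / 2^(b+1)).
    Each collision leaks the XOR of two plaintext blocks, the SWEET32 leak."""
    exponent = n_blocks * (n_blocks - 1) / 2.0 ** (block_bits + 1)
    return -math.expm1(-exponent)  # 1 - exp(-x), accurate when x is tiny

def blocks_for_probability(block_bits, p):
    """Inverse bound: ciphertext blocks needed to reach collision probability p."""
    return math.sqrt(2.0 ** (block_bits + 1) * math.log(1.0 / (1.0 - p)))

def bytes_for_probability(block_bits, p):
    """The same bound as bytes of traffic an attacker would have to capture."""
    return blocks_for_probability(block_bits, p) * block_bits / 8

def sweet32_suites(suite_names):
    """Return the suites from suite_names that use a 64-bit block cipher."""
    return [s for s in suite_names if block_bits_of(s) == 64]

def audit_default_context():
    """64-bit-block suites that Python's default client TLS context offers."""
    ciphers = ssl.create_default_context().get_ciphers()
    return sweet32_suites(c["name"] for c in ciphers)

if __name__ == "__main__":
    # Constructed sample cipher list, not taken from any real system.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA",
              "ECDHE-RSA-DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    print("SWEET32-affected:", sweet32_suites(sample))
    for bits in (64, 128):
        gb = bytes_for_probability(bits, 0.5) / 1e9
        print(f"{bits}-bit blocks: ~{gb:.3g} GB captured for a 50% collision")
```

    For Triple-DES the 50% collision point lands near 40 GB of captured traffic, which is why disabling 3DES suites is the usual mitigation rather than relying on the low CVSS score.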

    Now go patch those IBM i servers!


Volume 26, Number 42 -- October 3, 2016