IBM i Vulns Spotted in Node, BIND and HTTP Server

    September 6, 2017 Alex Woodie

    IBM last month moved to patch several critical security vulnerabilities related to the BIND service in IBM i that could allow attackers unauthorized access to IBM i servers running any release of the OS from IBM i 6.1 to 7.3. Security glitches were also patched for the IBM i implementation of Node.js, the HTTP Server bundled with IBM i, the Hardware Management Console (HMC), and WebSphere.

    Both ISC BIND vulnerabilities work in a similar way and open similar paths into affected systems – namely by allowing an attacker to send a specially crafted request packet that bypasses authentication and therefore gains some degree of control over the impacted server. The difference is in severity. The first BIND vulnerability, CVE-2017-3142, carried a CVSS base score of 5.3, while the second ISC BIND vulnerability, CVE-2017-3143, carried a CVSS base score of 7.5, which is nothing you want to fool around with.

    There is no workaround for these flaws, according to this August 21 security bulletin. But the good news is IBM has patched them going all the way back to IBM i 6.1, which is under extended support. IBM issued four PTFs to fix the ISC BIND flaws, including SI65339 for IBM i 6.1, SI65338 for IBM i 7.1, SI65337 for IBM i 7.2, and SI65336 for IBM i 7.3. The chances are good that this flaw also exists in i5/OS V5R4, but IBM will be issuing no patches for this unsupported operating system.

    The BIND vulnerabilities also extend to IBM’s Power Hardware Management Console (HMC). Six security glitches are revealed to have been patched in this August 28 security bulletin, while 10 more show up in this security bulletin posted on August 29. It appears there could be several more security flaws impacting the HMC, which runs Linux.

    IBM also patched a pair of security holes in the Node.js implementations for IBM i 7.1 through 7.3. The pair of denial of service (DOS) vulnerabilities, identified as CVE-2017-1000381 and CVE-2017-11499, carry CVSS base scores of 6.5 and 7.5, respectively, indicating moderate to severe risks for IBM i shops running Node.js.

    IBM bundled patches for both flaws into a single PTF for all releases of IBM i. However, because IBM offers support for two versions of Node.js, 4.8.4 (in 5733OPS Option 5) and 6.11.2 (in 5733OPS Option 10), there are two patches. If you’re running 5733OPS Option 5, get PTF number SI65492; if you’re running 5733OPS Option 10, get PTF number SI65493. See this August 21 security bulletin for more details.

    In late July, IBM patched five more security vulnerabilities in the HTTP Server. The security flaws, which are detailed in this July 28 security bulletin, could enable attackers to launch DOS attacks, obtain sensitive information, or bypass authentication requirements to get access to the server. All of the vulnerabilities carry a CVSS base score of 5.3, indicating a medium severity level. IBM issued PTF numbers SI65281 and SI65282 to fix the issues on IBM i 7.1; SI65279 and SI65280 to fix the issues on IBM i 7.2; and SI65194 and SI65201 to fix the issues on IBM i 7.3.

    IBM also revealed multiple vulnerabilities discovered in the Java SDK that impact WebSphere Application Server running on multiple platforms, including IBM i. The three vulnerabilities, which are disclosed in this security bulletin posted on August 30, range in severity from 7.5 on the CVSS score up to 9.6, indicating that an unauthenticated attacker could take complete control of the system.

    According to an IT Jungle review of the IBM Product Security Incident Response (PSIRT) blog, these were the only security issues directly affecting IBM i since mid-July, which is when we told you about those 35 Java vulnerabilities impacting IBM i, among other security problems.

    RELATED STORIES

    Have You Patched Those 35 Java Vulns on IBM i?

    Security Awareness: Eight More Patches For IBM i Vulns

    IBM Patches OpenSSH Security Flaws That Impact IBM i

    Keeping Up With Security Threats To IBM i

    IBM Tops List of Security Vulnerabilities, But What Does It Mean?


    Tags: Hardware Management Console, HMC, IBM i, Java, Java SDK, Node.js, WebSphere


TFH Volume: 27 Issue: 56

Copyright © 2025 IT Jungle