IBM Patches 28 More Security Vulns In JDK

    October 4, 2017 Alex Woodie

    IBM on Saturday released patches to fix 28 flaws in the Java Development Kit (JDK) that ships with the IBM i operating system. Almost all of the flaws originated in Oracle’s underlying Java Standard Edition (SE) kit, and many of them are considered very severe.

    Twenty-seven of the 28 flaws impact the IBM SDK Java Technology Edition software in all releases of IBM i, from version 6.1 to version 7.3, according to the September 28 security bulletin. The patches released by IBM fix the problems in all of these releases. While i5/OS V5R4 is likely impacted too, IBM will not be issuing fixes for this old OS.

    The bad news is there are no workarounds for these security flaws, and many of them are potentially severe enough to allow attackers to take full control of an impacted server. The good news is that IBM has bundled all 28 of the patches into a single program temporary fix (PTF), one for each version of the operating system, so there’s really no excuse for not applying these little suckers pronto.

    Eight of the patches fix security flaws that carry a CVSS Base Score of 9.6, indicating a very high severity and the potential for hackers to do immense harm with relatively few skills. The biggest problems were “unspecified vulnerabilities” found in the Embedded Libraries, Embedded JAXP, ImageIO, Embedded RMI, and AWT components. Most of these problems were first addressed by Oracle in its Critical Patch Update Advisory for July 2017.

    This is the third mass delivery of patches for the IBM i Java environment this year. In April, IBM issued this security alert regarding fixes for 22 security flaws in various Oracle Java SE components used in all releases of IBM i. It followed that up in June with another 13 patches for security flaws in the JDK. It also hit that unlucky number with a batch of Java SDK fixes in June 2016; four of those flaws scored perfect 10s on the CVSS severity scale.

    While you may not use the JDK to write Java applications, that doesn’t mean you’re safe from these flaws. Buried at the bottom of the announcement was patch number 28, which did not originate from Oracle. IBM wrote: “Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product.”

    In the wake of the Equifax breach, which has been traced to an unpatched vulnerability in the credit reporting agency’s implementation of the Apache Struts Web development framework, IBM i shops should be very cognizant of the risks that vulnerabilities in open source software pose to the overall security of their critical business systems.

    IBM has become more amenable to, and more reliant on, open source software in recent years. This is due to two main factors: customer requests for new development tooling, and the cost savings that standardizing core components across various platforms can bring. However, that openness carries with it certain risks, which in 2015 landed IBM the dubious title of being the tech company with the most software vulnerabilities in its products.

    You can access the IBM security bulletin issued September 28 here. There isn’t a lot of detail about the source of the flaws because nearly all of them were “unspecified” in nature, thanks to Oracle’s less-than-transparent approach to sharing details about security vulnerabilities in its products.

    In any event, the patches are ready to be applied, which you should do as quickly as possible to minimize potential exposure. The PTF numbers for each release of the OS are as follows:

      • IBM i 6.1 — SF99562 level 40
      • IBM i 7.1 — SF99572 level 29
      • IBM i 7.2 — SF99716 level 14
      • IBM i 7.3 — SF99725 level 6
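    One way to confirm that a partition already carries the group levels listed above is to compare them against what IBM i reports. The query below is an added example, not part of the article or of IBM's bulletin; it assumes IBM's QSYS2.GROUP_PTF_INFO SQL service with the columns PTF_GROUP_NAME, PTF_GROUP_LEVEL, PTF_GROUP_STATUS and PTF_GROUP_TARGET_RELEASE, and the group numbers and minimum levels are the ones from the bulletin.

```sql
-- Added check (not from the article): flag any Java group PTF whose
-- installed level is below the level named in the September 28 bulletin.
-- Assumes the QSYS2.GROUP_PTF_INFO service and the column names used below.
WITH required (ptf_group, min_level, os_release) AS (
    SELECT 'SF99562', 40, 'IBM i 6.1' FROM sysibm.sysdummy1
    UNION ALL
    SELECT 'SF99572', 29, 'IBM i 7.1' FROM sysibm.sysdummy1
    UNION ALL
    SELECT 'SF99716', 14, 'IBM i 7.2' FROM sysibm.sysdummy1
    UNION ALL
    SELECT 'SF99725',  6, 'IBM i 7.3' FROM sysibm.sysdummy1
)
SELECT r.os_release,
       g.ptf_group_name,
       g.ptf_group_target_release,
       g.ptf_group_level   AS installed_level,
       r.min_level         AS required_level,
       g.ptf_group_status,
       CASE
           WHEN g.ptf_group_level >= r.min_level
            AND g.ptf_group_status = 'INSTALLED' THEN 'OK'
           WHEN g.ptf_group_level >= r.min_level  THEN 'LEVEL OK, NOT FULLY INSTALLED'
           ELSE 'BELOW REQUIRED LEVEL'
       END                 AS verdict
  FROM qsys2.group_ptf_info g
  JOIN required r
    ON r.ptf_group = g.ptf_group_name
 ORDER BY r.os_release;
```

    Only the row for the release actually running on the partition will normally appear; an empty result means the Java group PTF has never been loaded on that system, which is worth treating the same as a "BELOW REQUIRED LEVEL" verdict.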

    Happy patching!


TFH Volume: 27 Issue: 64
