IBM Patches 28 More Security Vulns In JDK
October 4, 2017 Alex Woodie
IBM on Saturday released patches to fix 28 flaws in the Java Development Kit (JDK) that ships with the IBM i operating system. Almost all of the flaws originated in Oracle’s underlying Java Standard Edition (SE) kit, and many of them are considered very severe.
Twenty-seven of the 28 flaws impact the IBM SDK Java Technology Edition software in all releases of IBM i, from version 6.1 to version 7.3, according to the September 28 security bulletin. The patches released by IBM fix the problems in all of these releases. While i5/OS V5R4 is likely impacted too, IBM will not be issuing fixes for this old OS.
The bad news is there are no workarounds for these security flaws, and many of them are potentially severe enough to allow attackers to take full control of an impacted server. The good news is that IBM has bundled all 28 of the patches into a single program temporary fix (PTF), one for each version of the operating system, so there’s really no excuse for not applying these little suckers pronto.
Eight of the patches fix security flaws that carry a CVSS Base Score of 9.6, which puts them in the Critical band (9.0 to 10.0) of the CVSS v3 scale: a score that high means the flaw can be reached over the network with low attack complexity and, if exploited, gives the attacker full control over confidentiality, integrity and availability of the affected system. The biggest problems were "unspecified vulnerabilities" found in the Embedded Libraries, Embedded JAXP, ImageIO, Embedded RMI, and AWT components. Most of these problems were first addressed by Oracle in its Critical Patch Update Advisory for July 2017.
This is the third mass delivery of patches for the IBM i Java environment this year. In April, IBM issued this security alert regarding fixes for 22 security flaws in various Oracle Java SE components used in all releases of IBM i. It followed that up in June with another 13 patches for security flaws in the JDK. It also hit that unlucky number with a batch of Java SDK fixes in June 2016; four of those flaws scored perfect 10s on the CVSS severity scale.
Even if you never use the JDK to write Java applications, that doesn't mean you're safe from these flaws: any product that ships with the IBM Java runtime puts that runtime on your system, and anything that can run Java code on it inherits the vulnerabilities. That is the point of patch number 28, buried at the bottom of the announcement, which did not originate from Oracle and is aimed at vendors who bundle IBM Java with their products. IBM wrote: "Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product."
In the wake of the Equifax breach, which has been traced to a known vulnerability in the Apache Struts Web development framework that the credit reporting agency had not patched on its systems, IBM i shops should be very cognizant of the risks that vulnerabilities in open source software pose to the overall security of their critical business systems.
IBM has become more amenable to, and more reliant on, open source software in recent years. This is due to two main factors: customer requests for new development tooling, and the cost savings that standardizing core components across various platforms can bring. However, that openness carries certain risks with it, and in 2015 it landed IBM the dubious title of the tech company with the most software vulnerabilities in its products.
The details above come from the IBM security bulletin issued September 28. There isn't a lot of detail about the source of the flaws because nearly all of them were "unspecified" in nature, thanks to Oracle's less-than-transparent approach to sharing details about security vulnerabilities in its products.
In any event, the patches are ready to be applied, which you should do as quickly as possible to minimize potential exposure. The fixes are delivered through the Java group PTF for each release; the group PTF number and the minimum group level that carries the fixes are as follows:
IBM i 6.1 — SF99562 level 40
IBM i 7.1 — SF99572 level 29
IBM i 7.2 — SF99716 level 14
IBM i 7.3 — SF99725 level 6
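Before and after applying the group PTF, it is worth confirming what level the Java group is actually at on each partition rather than trusting the download record. The query below is an added example, not something from IBM's bulletin or this article. It reads the IBM i Services view QSYS2.GROUP_PTF_INFO, which is assumed to be present on the partition (it is available on 7.2 and 7.3, and on 7.1 depending on the Technology Refresh level; 6.1 does not have it, so there the CL command WRKPTFGRP PTFGRP(SF99562) is the equivalent check). The group numbers and minimum levels in the inline table are the ones listed above; the name `required` and the alias names are the example's own. Run it from Run SQL Scripts in ACS or from STRSQL.

```sql
-- Added example: compare the installed Java group PTF level on this IBM i
-- partition with the minimum level that carries the September 28, 2017 fixes.
-- Only the group matching this partition's release will appear in the result;
-- 'required' is a hypothetical inline table built from the levels above.
WITH required (grp_name, min_level) AS (
  VALUES ('SF99562', 40),   -- IBM i 6.1
         ('SF99572', 29),   -- IBM i 7.1
         ('SF99716', 14),   -- IBM i 7.2
         ('SF99725',  6)    -- IBM i 7.3
)
SELECT g.PTF_GROUP_NAME,
       g.PTF_GROUP_TARGET_RELEASE,
       g.PTF_GROUP_LEVEL        AS INSTALLED_LEVEL,
       r.min_level              AS REQUIRED_LEVEL,
       g.PTF_GROUP_STATUS,
       CASE
         WHEN g.PTF_GROUP_LEVEL >= r.min_level THEN 'OK'
         ELSE 'UPDATE NEEDED'
       END                      AS JAVA_GROUP_CHECK
  FROM QSYS2.GROUP_PTF_INFO g
  JOIN required r
    ON r.grp_name = g.PTF_GROUP_NAME
 ORDER BY g.PTF_GROUP_NAME;
```

Two caveats when reading the result. The level column alone is not enough: check PTF_GROUP_STATUS as well, since a group that has been loaded but not yet applied (or that is waiting on an IPL) will report its new level while the old Java code is still what gets executed. And the group only fixes the IBM runtime it ships; a vendor product that bundles its own copy of IBM Java (the case patch number 28 is aimed at) needs that vendor's update too, so it is worth checking which JVM directories are present under /QOpenSys/QIBM/ProdData/JavaVM and which of them your applications actually start.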