IBM Patches Another BIND Flaw In IBM i

    March 28, 2018 Alex Woodie

    A serious flaw has been discovered in the BIND networking service that could be used to launch a denial of service attack against impacted servers, including IBM i. IBM patched the flaw in every version of the OS from IBM i 6.1 to 7.3 with a program temporary fix (PTF) made available earlier this month. IBM also patched a serious flaw in WebSphere that could let information leak out.

    According to the IBM security bulletin issued March 12, the ISC BIND flaw known as CVE-2017-3145 has the potential to allow a remote attacker to crash a vulnerable server by sending an improperly sequenced cleanup operation command to the BIND service. The flaw, which was first discovered in January, carries a CVSS Base Score of 7.5 on a scale of one to 10.

    BIND is the most widely used Domain Name System (DNS) software on the Internet. IBM uses the open source version of BIND, developed and distributed by the Internet Systems Consortium (ISC), in the IBM i OS. Certain releases of ISC BIND version 9 are vulnerable to the flaw.

    There are no workarounds to this ISC BIND flaw, according to IBM, which issued the following PTFs to fix the flaw:

    • IBM i 6.1 – SI66815
    • IBM i 7.1 – SI66814
    • IBM i 7.2 – SI66813
    • IBM i 7.3 – SI66812
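    One way to confirm on a given partition that the PTF for its release is actually applied is to query the QSYS2.PTF_INFO service view. This is an added example, not code from the article or from IBM's bulletin; it assumes the PTF_INFO view with the PTF_PRODUCT_ID, PTF_IDENTIFIER, PTF_LOADED_STATUS, PTF_SUPERSEDED_BY_PTF and PTF_IPL_REQUIRED columns as documented in IBM i Services, so check the column names against your release before relying on it.

```sql
-- Added example (not from the article): report the state of the four BIND PTFs
-- named above. Assumes the QSYS2.PTF_INFO view and its documented columns.
SELECT PTF_PRODUCT_ID,
       PTF_IDENTIFIER,
       PTF_LOADED_STATUS,
       PTF_SUPERSEDED_BY_PTF,
       PTF_IPL_REQUIRED
  FROM QSYS2.PTF_INFO
 WHERE PTF_IDENTIFIER IN ('SI66815', 'SI66814', 'SI66813', 'SI66812')
 ORDER BY PTF_IDENTIFIER;

-- A PTF that was never loaded produces no row at all in PTF_INFO, so the
-- query above cannot tell "missing" from "not applicable to this release".
-- Join against the expected list so missing PTFs are reported explicitly.
WITH expected (ptf) AS (
  VALUES ('SI66815'), ('SI66814'), ('SI66813'), ('SI66812')
)
SELECT e.ptf,
       COALESCE(p.PTF_LOADED_STATUS, 'NOT ON SYSTEM') AS status,
       p.PTF_SUPERSEDED_BY_PTF
  FROM expected e
  LEFT JOIN QSYS2.PTF_INFO p
    ON p.PTF_IDENTIFIER = e.ptf
 ORDER BY e.ptf;
```

    Only the PTF for the partition's own release (SI66812 on 7.3, for instance) is expected to appear; the other three report NOT ON SYSTEM and can be ignored. A status other than APPLIED or PERMANENTLY APPLIED needs attention, and where PTF_SUPERSEDED_BY_PTF is populated, the superseding PTF's status is the one that matters.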

    This was the second flaw in the IBM i ISC BIND implementation that IBM has patched in the past seven months. The company also patched a flaw that carried a CVSS Base Score of 7.5 back in August.

    IBM also patched a serious information disclosure flaw in the Apache-powered IBM HTTP Server as used in WebSphere Application Server. According to the March 16 security bulletin, the flaw known as CVE-2017-12613 could allow a remote attacker to obtain sensitive information by using an invalid month field value. The flaw, which carried a CVSS Base Score of 9.1, could also be used to cause a denial of service (DoS).

    That flaw impacts all editions of WAS and associated or bundled products from version 7.0 to version 9.0, according to IBM. The fixes for the flaw vary according to what version of WAS a customer is using. IBM has several Interim Fixes available, but permanent fixes aren’t expected to be available for version 7 and version 8 releases until later this year.

    This has been an active year on the security front for IBM, which has issued several patches for security flaws in the IBM i operating system, Power Systems firmware, and various middleware products. Many, but not all, of these flaws have been in open source software that IBM uses, such as cryptographic libraries.

    The biggest flaws of the year so far were Meltdown and Spectre, which impacted nearly all processor architectures, including Intel X64 and IBM Power. Mitigating them by disabling speculative execution functionality in the chips has cost processing performance, in some cases by up to 20 percent. However, the impact on IBM i servers is expected to be a more modest 5 percent, according to TPM's analysis.

    Other IBM products getting patched recently, according to IBM’s PSIRT Blog, include Db2 for LUW, QRadar Network Security, Jazz Team Server, API Connect, Business Process Manager, Rational Performance Tester, Chassis Management Module (CMM), Rational Build Forge, the MQ Appliance, Fabric Manager, Security Network Protection, Tivoli Integrated Portal, and Spectrum Protect, among others.

    RELATED STORIES

    The Performance Impact Of Spectre And Meltdown

    IBM Patches ‘ROBOT’ Flaw in IBM i Crypto Library

    IBM i Gets More PTFs for Meltdown and Spectre

    IBM i Vulns Spotted in Node, BIND and HTTP Server


    Tags: BIND, HTTP Server, IBM i, ISC BIND, Meltdown, PTF, PTF Guide, Spectre, WebSphere Application Server


TFH Volume: 28 Issue: 24
Copyright © 2025 IT Jungle