IBM Patches Another BIND Flaw In IBM i

    March 28, 2018 Alex Woodie

    A serious flaw has been discovered in the BIND networking service that could be used to launch a denial of service attack against impacted servers, including IBM i. IBM patched the flaw in every version of the OS from IBM i 6.1 to 7.3 with a program temporary fix (PTF) made available earlier this month. IBM also patched a serious flaw in WebSphere that could let information leak out.

    According to the IBM security bulletin issued March 12, the ISC BIND flaw known as CVE-2017-3145 has the potential to allow a remote attacker to crash a vulnerable server by sending an improperly sequenced cleanup operation command to the BIND service. The flaw, which was first discovered in January, carries a CVSS Base Score of 7.5 on a scale of one to 10.

    BIND is the most widely used Domain Name System (DNS) software on the Internet. IBM uses the open source version of BIND, developed and distributed by the Internet Systems Consortium (ISC), in the IBM i OS. Certain releases of ISC BIND version 9 are vulnerable to the flaw.

    There are no workarounds to this ISC BIND flaw, according to IBM, which issued the following PTFs to fix the flaw:

    IBM i 6.1 – SI66815

    IBM i 7.1 – SI66814

    IBM i 7.2 – SI66813

    IBM i 7.3 – SI66812

    This was the second flaw in the IBM i ISC BIND implementation that IBM has patched in the past seven months. The company also patched a flaw that carried a CVSS Base Score of 7.5 back in August.

    IBM also patched a serious information disclosure flaw in the Apache-powered IBM HTTP Server as used in WebSphere Application Server. According to the March 16 security bulletin, the flaw known as CVE-2017-12613 could allow a remote attacker to obtain sensitive information by using an invalid month field value. The flaw, which carried a CVSS Base Score of 9.1, could also be used to cause a denial of service (DoS) attack.

    That flaw impacts all editions of WAS and associated or bundled products from version 7.0 to version 9.0, according to IBM. The fixes for the flaw vary according to what version of WAS a customer is using. IBM has several Interim Fixes available, but permanent fixes aren’t expected to be available for version 7 and version 8 releases until later this year.

    This has been an active year on the security front for IBM, which has issued several patches for security flaws in the IBM i operating system, Power Systems firmware, and various middleware products. Many, but not all, of these flaws have been in open source software that IBM uses, such as cryptographic libraries.

    The biggest flaws of the year so far were Meltdown and Spectre, which impacted nearly all processor architectures, including Intel X64 and IBM Power. Killing speculative execution functionality in the chips has cost processing performance, in some cases by up to 20 percent. However, the impact on IBM i servers is expected to be a more modest 5 percent, according to TPM’s analysis.

    Other IBM products getting patched recently, according to IBM’s PSIRT Blog, include Db2 for LUW, QRadar Network Security, Jazz Team Server, API Connect, Business Process Manager, Rational Performance Tester, Chassis Management Module (CMM), Rational Build Forge, the MQ Appliance, Fabric Manager, Security Network Protection, Tivoli Integrated Portal, and Spectrum Protect, among others.


TFH Volume: 28 Issue: 24


Copyright © 2023 IT Jungle