IBM Patches Another BIND Flaw In IBM i
March 28, 2018 Alex Woodie
A serious flaw has been discovered in the BIND networking service that could be used to launch a denial of service attack against impacted servers, including IBM i. IBM patched the flaw in every version of the OS from IBM i 6.1 to 7.3 with a program temporary fix (PTF) made available earlier this month. IBM also patched a serious flaw in WebSphere that could let information leak out.
According to the IBM security bulletin issued March 12, the ISC BIND flaw known as CVE-2017-3145 has the potential to allow a remote attacker to crash a vulnerable server by sending an improperly sequenced cleanup operation command to the BIND service. The flaw, which was first discovered in January, carries a CVSS Base Score of 7.5 on a scale of one to 10.
BIND is the most widely used Domain Name System (DNS) software on the Internet. IBM uses the open source version of BIND, developed and distributed by the Internet Systems Consortium (ISC), in the IBM i OS. Certain releases of ISC BIND version 9 are vulnerable to the flaw.
There are no workarounds to this ISC BIND flaw, according to IBM, which issued the following PTFs to fix the flaw:
IBM i 6.1 – SI66815
IBM i 7.1 – SI66814
IBM i 7.2 – SI66813
IBM i 7.3 – SI66812
This was the second flaw in the IBM i ISC BIND implementation that IBM has patched in the past seven months. The company also patched a flaw that carried a CVSS Base Score of 7.5 back in August.
IBM also patched a serious information disclosure flaw in the Apache-powered IBM HTTP Server as used in WebSphere Application Server. According to the March 16 security bulletin, the flaw known as CVE-2017-12613 could allow a remote attacker to obtain sensitive information by using an invalid month field value. The flaw, which carried a CVSS Base Score of 9.1, could also be used to cause a DOS attack.
That flaw impacts all editions of WAS and associated or bundled products from version 7.0 to version 9.0, according to IBM. The fixes for the flaw vary according to what version of WAS a customer is using. IBM has several Interim Fixes available, but permanent fixes aren’t expected to be available for version 7 and version 8 releases until later this year.
This has been an active year on the security front for IBM, which has issued several patches for security flaws in the IBM i operating system, Power Systems firmware, and various middleware products. Many, but not all, of these flaws have been in open source software that IBM uses, such as cryptographic libraries.
The biggest flaws of the year so far were Meltdown and Spectre, which impacted nearly all processor architectures, including Intel X64 and IBM Power. By killing speculative execution functionality from the chips, processing performance has taken a hit, in some cases by up to 20 percent. However, the impact on IBM i servers is expected to be a more modest 5 percent, according to TPM’s analysis.
Other IBM products getting patched recently, according to IBM’s PSIRT Blog, include Db2 for LUW, QRadar Network Security, Jazz Team Server, API Connect, Business Process Manager, Rational Performance Tester, Chassis Management Module (CMM), Rational Build Forge, the MQ Appliance, Fabric Manager, Security Network Protection, Tivoli Integrated Portal, and Spectrum Protect, among others.