Multiple Security Vulnerabilities Reported In IBM i
April 30, 2018 Alex Woodie
IBM this month revealed an array of security vulnerabilities across IBM i middleware components, including OpenSSL, DHCP, and Java products. Most of the flaws were given a “high severity” rating, and all of them have been patched.
This week’s security fun starts with DHCP (Dynamic Host Configuration Protocol), which is used to automate the management and distribution of IP addresses within a network. According to the April 26 IBM security bulletin, IBM i 7.1, 7.2, and 7.3 are vulnerable to a pair of security vulnerabilities in the underlying DHCP protocol.
The first DHCP flaw, which is identified as CVE-2018-5732, could enable a hacker to execute a denial of service (DOS) attack by overflowing a buffer in the dhclient software. There is also a potential for the attacker to execute arbitrary code on the server and to cause the server to crash. The Common Vulnerabilities and Exposures (CVE) database gives this flaw a base score of 7.5, making it a severe flaw.
The second DHCP flaw, identified as CVE-2018-5733, also carries the potential for a DOS attack by sending an “overly large amount of packets,” IBM says. The CVE gives a CVSS base score of 5.9, making it a moderate threat.
There are no workarounds for either DHCP flaw, but luckily for you, there are program temporary fixes (PTFs) available. Users running IBM i can patch both DHCP flaws by installing PTF number SI67242. PTF number SI67240 fixes these flaws in IBM i 7.2, while SI67239 fixes them for 7.3.
The security fun continues with OpenSSL, the much-maligned cryptographic library that was at the center of the giant “Heartbleed” vulnerability way back in 2014. According to IBM’s latest security bulletin from April 26, there are two new OpenSSL vulnerabilities that impact IBM i.
The first OpenSSL vulnerability, defined as CVE-2018-0739, could enable an attacker to launch a DOS attack by sending specially crafted ASN.1 data with a recursive definition, which would consume excessive stack memory and cause bad things to happen. The CVSS base score is listed as 5.3, making it a moderate threat.
The second OpenSSL flaw impacting IBM i, CVE-2018-0733, is an interesting one. According to the security bulletin, this flaw “could allow a remote attacker to bypass security restrictions, caused by the failure to properly compare byte values by the PA-RISC CRYPTO_memcmp() function used on HP-UX PA-RISC targets.”
An attacker could use this vulnerability to forge messages that would appear to be authenticated, which would wreak havoc with trusted communications. While Hewlett Packard Enterprise’s midrange Unix platform isn’t as widely used as it once was, ostensibly there are enough HP-UX systems still out there to make this a concern.
In any event, IBM has fixed the problem, which has no workarounds. Customers on IBM i 7.1 are encouraged to apply PTF number SI67433 while IBM i 7.2 and 7.3 customers need to apply PTF number SI67434.
Next come the Java vulnerabilities. Get ready, because there are a lot of them.
The first batch of Java vulns is described in this April 16 security bulletin. According to that bulletin, 19 security flaws impact the IBM SDK Java Technology Edition software that ships with IBM i. All of the flaws originated in Oracle's Java Standard Edition software and related Java libraries.
The Java SE flaws range in severity from 3.7 to 8.3 on the CVSS 10-point scale and could allow unauthenticated attackers to launch DOS attacks, obtain sensitive information, compromise the confidentiality of data, and even take control of an affected system.
All of the flaws have been fixed in IBM i 7.1, 7.2, and 7.3. Users of IBM i should apply PTF number SF99572 level 31, while users of IBM i 7.2 and 7.3 should apply PTF numbers SF99716 level 16 and SF99725 level 8, respectively.
The second batch of 12 Java flaws and patches is described in this April 13 security bulletin from IBM. These are previously identified flaws that impact IBM SDK Java Technology Edition, Versions 7 and 8, which are used in both the Rational Developer for i (RDi) and Rational Developer for AIX and Linux products. Some of the flaws in this batch duplicate those in the April 16 security bulletin, including CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2633, and CVE-2018-2634; others do not. IBM says the flaws and patches were previously disclosed in a pair of releases, in October 2017 and in January 2018. These flaws are serious and now have the potential to impact IBM i via RDi. They range on the CVSS scale from 3.3 up to 8.3, a serious threat.
The fixes entail updating the RDi version 9.0 and 9.1 products. IBM recommends using Installation Manager to get the latest bits. Alternatively, RDi customers can manually download and install the latest update, identified as the “IBM SDK Java Technology Edition Critical Patch Update – January 2018 – RDi.” IBM says to be sure to click on the Java 7.0 Update FC link to update to IBM Java 7 SR10 FP2. Details are in the security bulletin.
This has been a busy month for IBM i security patches. Earlier in April, IBM released a pair of patches for serious flaws in the IBM i Samba implementation. That comes on top of the BIND flaw it patched in March, the ROBOT flaw it patched in February, and of course the epic Meltdown and Spectre flaws disclosed in January.
To the patches!