IBM Patches Security Flaws In IBM i

    September 12, 2018 Alex Woodie

    IBM last week shared details of two new OpenSSL vulnerabilities that affect all supported versions of IBM i. That came on the heels of two more vulnerabilities disclosed last month in IBM i’s Python implementation and the HTTP Server. All of the flaws have been patched by IBM.

    IBM i 7.1, 7.2, and 7.3 are affected by the pair of OpenSSL vulnerabilities disclosed by IBM on August 30. Neither flaw, CVE-2018-0732 or CVE-2018-0737, is particularly nasty, but they do open gaps in the platform’s security apparatus just the same, so it’s important to patch them as soon as possible.

    The flaw described in CVE-2018-0732 was first reported in June and can be exploited to launch a denial of service attack on an affected system. The flaw, which carries a CVSS base score of 3.7, stems from the delay caused when “a very large prime value” is sent to a client by a malicious server during the key agreement portion of a TLS handshake. The client takes a very long time to derive a key from that value, which causes the client to hang.
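    The defensive idea behind the OpenSSL fix is to bound the size of the server-supplied Diffie-Hellman modulus before doing any expensive arithmetic with it. The following example, added here and not code from IBM, OpenSSL or this article, parses the ServerDHParams structure from a TLS 1.2 ServerKeyExchange and rejects an oversized prime up front; the 10,000-bit cap mirrors OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS, the 2048-bit floor and the sample messages are assumptions for this example.

```python
"""Client-side size check for server DHE parameters (the CVE-2018-0732 pattern)."""
import struct

# OpenSSL's fix caps the DH modulus at 10,000 bits (OPENSSL_DH_MAX_MODULUS_BITS).
MAX_DH_MODULUS_BITS = 10000
# Assumed floor for this example: moduli under 2048 bits are weak by current guidance.
MIN_DH_MODULUS_BITS = 2048


def parse_server_dh_params(body: bytes) -> dict:
    """Parse ServerDHParams: opaque dh_p<1..2^16-1>, dh_g<1..2^16-1>, dh_Ys<1..2^16-1>."""
    fields = {}
    offset = 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated length prefix for dh_{name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length {length} for dh_{name}")
        fields[name] = int.from_bytes(body[offset:offset + length], "big")
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after ServerDHParams")
    return fields


def check_dh_modulus(params: dict) -> str:
    """Return 'ok' or a rejection reason, decided before any modular exponentiation."""
    bits = params["p"].bit_length()
    if bits > MAX_DH_MODULUS_BITS:
        return f"rejected: dh_p is {bits} bits, over the {MAX_DH_MODULUS_BITS}-bit cap"
    if bits < MIN_DH_MODULUS_BITS:
        return f"rejected: dh_p is {bits} bits, below the {MIN_DH_MODULUS_BITS}-bit minimum"
    if not 1 < params["Ys"] < params["p"] - 1:
        return "rejected: dh_Ys out of range"
    return "ok"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used only to build the constructed sample messages below."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: the p values are not real primes, only their sizes matter here.
SANE_MSG = encode_server_dh_params((1 << 2047) | 1, 2, 12345)   # 2048-bit modulus
HUGE_MSG = encode_server_dh_params((1 << 16383) | 1, 2, 12345)  # 16384-bit modulus
```

A real client would run check_dh_modulus on the parsed parameters and abort the handshake on anything other than "ok", so a hostile server cannot pick the cost of the client's key derivation.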

    The second flaw, described in CVE-2018-0737, was first reported in April and can be exploited to launch a “cache-timing side channel attack” against the RSA key generation algorithm. According to security researchers, an attacker could utilize this vulnerability to recover the private key. It carries a CVSS base score of 3.3.

    Both of these OpenSSL flaws can be fixed by applying the appropriate PTF. Customers on IBM i 7.1 should look for PTF number SI68252 while customers on 7.2 and 7.3 should look for PTF number SI68251. For more information, see the IBM security bulletin on the topic.

    Earlier in August, IBM disclosed that it had patched two flaws discovered in Python, including CVE-2018-1060 and CVE-2018-1061. Both of these flaws are more severe than the OpenSSL flaws that were recently fixed.

    The first Python flaw, described in CVE-2018-1060, was first identified in December 2017 and results from “catastrophic backtracking” in Python’s POP3 email library, which could allow an attacker to launch a denial of service attack. It carries a CVSS base score of 6.5, a medium-severity rating.

    The second Python flaw, described in CVE-2018-1061, was also identified last December and also carries DoS risk through a catastrophic backtracking vulnerability, but this time in a different library. The CVSS base score is also 6.5.

    IBM has fixed both of these catastrophic backtracking flaws in Python. But depending on how IBM i customers get their open source software, the fix is delivered in different ways.

    IBM i 7.1, 7.2, or 7.3 customers who get their Python the old way, that is, from the 5733-OPS product, can download SI68164 for 5733-OPS Option 2 (Python 3.4) or SI67937 for 5733-OPS Option 4 (Python 2.7).

    For those on 7.2 or 7.3 who are using the new RPM delivery method, IBM recommends getting the upgraded versions of Python from the IBM i Access Client Solutions product. Alternatively, they can run the “/QOpenSys/pkgs/bin/yum upgrade python2 python3” command, according to IBM. For more information on the Python flaws, see the IBM security bulletin.

    Finally, IBM also patched a pair of flaws in HTTP Server (the one powered by Apache) in early August. The first HTTP Server vulnerability, CVE-2018-8011, was discovered in March and is caused by a NULL pointer dereference in a portion of the software that could let an attacker launch a DoS attack. The second vulnerability, CVE-2018-1333, was reported in December and could also cause a DoS attack, as well as “worker exhaustion,” through a malicious HTTP/2 request.

    Both flaws carry a CVSS base score of 5.3, and both have been fixed. Interestingly, the HTTP Server flaws only affect IBM i 7.3. The PTF number that fixes them is SI68124. For more information on the recent HTTP Server flaws, see the security bulletin.


    Tags: BIND, HTTP, IBM i, OpenSSL, PTF, Python


TFH Volume: 28 Issue: 60
