IBM Patches Security Flaws In IBM i
September 12, 2018 Alex Woodie
IBM last week shared details of two new OpenSSL vulnerabilities that affect all supported versions of IBM i. That came on the heels of four more flaws disclosed last month: two in IBM i's Python implementation and two in the HTTP Server. All of the flaws have been patched by IBM.
IBM i 7.1, 7.2, and 7.3 are affected by the pair of OpenSSL vulnerabilities, CVE-2018-0732 and CVE-2018-0737, that IBM disclosed on August 30. Neither flaw is particularly nasty, but both open gaps in the platform's security apparatus just the same, so it's important to patch them as soon as possible.
The flaw described in CVE-2018-0732 was first reported in June and can be exploited to launch a denial of service attack against a TLS client. During the key agreement portion of a TLS handshake that uses a DH(E) cipher suite, a malicious server can send the client "a very large prime value" as the Diffie-Hellman modulus. The client will take an unreasonably long time to generate a key from that value, which effectively hangs it. The flaw carries a CVSS base score of 3.7. Note that the exposure is on the client side: an IBM i system is affected when it connects out to an attacker-controlled server with a DHE cipher suite, not when it acts as the TLS server.
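To make the condition concrete, here is an added example (not IBM or OpenSSL code) of the client side of a finite-field Diffie-Hellman exchange that checks the size of the server-supplied modulus before doing the expensive exponentiation. The 10,000-bit cap mirrors the limit OpenSSL's fix imposes; the function and constant names are the example's own, and the "moduli" it times are constructed odd integers, not real primes, since primality has no bearing on the cost being demonstrated.

```python
"""Client-side DH share generation with a modulus-size cap.

Added example, not IBM or OpenSSL code. It models the condition behind
CVE-2018-0732: the server supplies the DH parameters (p, g) and an
unpatched client performs a modular exponentiation whose cost grows
with the size of p. The 10,000-bit cap mirrors the limit in OpenSSL's
fix; the group values used below are constructed for the demo and are
NOT safe DH parameters.
"""
import secrets
import time

MAX_DH_MODULUS_BITS = 10_000  # assumption: same cap as OpenSSL's fix


class OversizedDHModulus(ValueError):
    """Server offered a DH prime larger than the client will accept."""


def client_dh_share(p, g, max_bits=MAX_DH_MODULUS_BITS):
    """Check server-supplied (p, g), then compute the client's DH share.

    Returns (private_exponent, public_share). The size check comes
    before pow(), which is the expensive step a malicious server can
    force an unpatched client to perform.
    """
    bits = p.bit_length()
    if bits > max_bits:
        raise OversizedDHModulus(f"DH modulus is {bits} bits; limit is {max_bits}")
    if p < 5 or p % 2 == 0 or not 1 < g < p - 1:
        raise ValueError("malformed DH parameters")
    x = secrets.randbelow(p - 2) + 1   # private exponent in [1, p-2]
    return x, pow(g, x, p)             # public share g^x mod p


def constructed_modulus(bits):
    """Odd integer of exactly `bits` bits, standing in for a prime.

    Constructed for timing only: the cost of the exponentiation depends
    on the size of p, not on whether p is prime.
    """
    return (1 << (bits - 1)) | (1 << (bits // 2)) | 1


def keygen_seconds(bits, max_bits=MAX_DH_MODULUS_BITS):
    """Wall-clock cost of the client's share for a modulus of `bits` bits."""
    p = constructed_modulus(bits)
    t0 = time.perf_counter()
    client_dh_share(p, 2, max_bits=max_bits)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Cost grows steeply with modulus size; an attacker picks the size.
    for bits in (1024, 2048, 4096):
        print(f"{bits:>5}-bit modulus: {keygen_seconds(bits):.3f} s")
    try:
        client_dh_share(constructed_modulus(16384), 2)
    except OversizedDHModulus as exc:
        print("rejected:", exc)
```

Running the script prints the per-size cost and then the rejection of a 16,384-bit modulus. The point of the ordering is that the cheap `bit_length()` check runs before `pow()`, so a hostile server never gets to dictate how much CPU the client burns.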
The second flaw, CVE-2018-0737, was first reported in April: the RSA key generation algorithm is vulnerable to a "cache-timing side channel attack." An attacker with sufficient local access to observe cache timing while a key is being generated could use it to recover the private key. It carries a CVSS base score of 3.3, reflecting that attacker precondition.
Both of these OpenSSL flaws can be fixed by applying the appropriate PTF. Customers on IBM i 7.1 should look for PTF number SI68252 while customers on 7.2 and 7.3 should look for PTF number SI68251. For more information, see the IBM security bulletin on the topic.
Earlier in August, IBM disclosed that it had patched two flaws discovered in Python, CVE-2018-1060 and CVE-2018-1061. Both are more severe, as measured by CVSS, than the OpenSSL flaws that were fixed most recently.
The first Python flaw, CVE-2018-1060, was identified in December 2017 and stems from "catastrophic backtracking" in a regular expression in Python's POP3 library (poplib). A malicious POP3 server can return a crafted greeting that keeps the client busy matching for an unreasonably long time, which amounts to a denial of service attack. It carries a CVSS base score of 6.5, a medium-severity rating.
The second Python flaw, CVE-2018-1061, was also identified last December and also carries DoS risk through a catastrophic backtracking regular expression, this time in the difflib module's line-junk check. The CVSS base score is also 6.5.
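What "catastrophic backtracking" means in practice for the two flaws above is shown by the following added example, which is not CPython or IBM code. The "before" and "after" pattern pairs are modeled on the shape of the difflib line-junk check and the poplib APOP banner match that CPython changed for CVE-2018-1061 and CVE-2018-1060, but they are illustrative rather than quoted from the CPython source; the attack inputs, the helper names and the length cap are the example's own.

```python
"""Regex backtracking denial of service, in the shape of the Python fixes.

Added example, not CPython or IBM code. The before/after pairs below are
modeled on the difflib line-junk and poplib APOP-banner patterns changed
for CVE-2018-1061 / CVE-2018-1060; they are illustrative, not quoted
from CPython. All inputs are constructed.
"""
import re
import time

# difflib-style: two adjacent \s* let the engine try every split of a
# run of n spaces before concluding that "$" fails: O(n^2) steps.
JUNK_BEFORE = re.compile(r"\s*#?\s*$")
# Single \s* followed by an optional "#..." tail: each space has one home.
JUNK_AFTER = re.compile(r"\s*(?:#\s*)?$")

# poplib-style: ".*" then "<[^>]+>" re-scans the tail for every start
# position when no ">" is present: O(n^2).
APOP_BEFORE = re.compile(rb"\+OK.*(<[^>]+>)")
# Consume up to the first "<" once, then take the rest greedily: O(n).
APOP_AFTER = re.compile(rb"\+OK.[^<]*(<.*>)")

MAX_LINE = 4096  # assumption: length cap as defence in depth when the regex can't change


def is_junk_line(line, pattern=JUNK_AFTER):
    """True for blank or '#'-only lines (difflib's notion of junk)."""
    return pattern.match(line) is not None


def apop_timestamp(banner, pattern=APOP_AFTER):
    """Extract the <...> timestamp from a POP3 greeting, or None."""
    m = pattern.match(banner)
    return m.group(1) if m else None


def is_junk_line_capped(line, pattern=JUNK_BEFORE, max_len=MAX_LINE):
    """Bound the input before matching so quadratic cost stays harmless."""
    if len(line) > max_len:
        return False
    return pattern.match(line) is not None


def junk_attack(n):
    """Constructed worst case for JUNK_BEFORE: n spaces, then a non-space."""
    return " " * n + "x"


def apop_attack(n):
    """Constructed worst case for APOP_BEFORE: n '<' and never a '>'."""
    return b"+OK " + b"<" * n


def match_seconds(pattern, data):
    t0 = time.perf_counter()
    pattern.match(data)
    return time.perf_counter() - t0


def slowdown(before, after, data):
    """How many times longer the vulnerable pattern takes on `data`."""
    return match_seconds(before, data) / max(match_seconds(after, data), 1e-9)


if __name__ == "__main__":
    # Doubling n roughly quadruples the "before" cost; "after" stays flat.
    for n in (1000, 2000, 4000):
        print(f"n={n}: difflib-style x{slowdown(JUNK_BEFORE, JUNK_AFTER, junk_attack(n)):.0f}, "
              f"poplib-style x{slowdown(APOP_BEFORE, APOP_AFTER, apop_attack(n)):.0f}")
```

Both pattern pairs accept exactly the same benign inputs; the difference is only in how much work a failing match costs, which is what an attacker controls. Where a regex cannot be changed, capping the input length before matching (as `is_junk_line_capped` does) bounds the damage.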
IBM has fixed both of these catastrophic backtracking flaws in Python. But depending on how IBM i customers get their open source software, the fix is delivered in different ways.
IBM i 7.1, 7.2, or 7.3 customers who get their Python the old way, from the 5733-OPS licensed program, should download SI68164 for 5733-OPS Option 2 (Python 3.4) or SI67937 for 5733-OPS Option 4 (Python 2.7).
Customers on 7.2 or 7.3 who use the new RPM delivery method should instead get the upgraded Python packages through the open source package management function of IBM i Access Client Solutions, or run the "/QOpenSys/pkgs/bin/yum upgrade python2 python3" command from a PASE shell, according to IBM. For more information on the Python flaws, see the IBM security bulletin.
Finally, IBM also patched a pair of flaws in HTTP Server (the one powered by Apache) in early August. The first, CVE-2018-8011, was discovered in March and is a NULL pointer dereference in the mod_md module that a specially crafted request can trigger, crashing the child process and enabling a DoS attack. The second, CVE-2018-1333, was reported in December and also enables a DoS attack: a malicious HTTP/2 request causes "worker exhaustion" by tying up worker threads far longer than necessary.
Both flaws carry a CVSS base score of 5.3, and both have been fixed. Interestingly, the HTTP Server flaws only impact IBM i 7.3. The PTF that fixes both is SI68124. For more information on the recent HTTP Server flaws, see the security bulletin.