    Serious Security Vulns Patched In IBM i

    September 19, 2018 Alex Woodie

    No good deed goes unpunished. Such as it is with cybersecurity, which demands unceasing attention paid to a never-ending stream of flaws and patches as the cost of remaining off the front page. To that end, IBM patched several more security flaws in IBM i last week, including two serious flaws in Node.js, five critical vulnerabilities in Samba, and one moderate flaw in OpenSSH.

    It’s easy to get lulled into a false state of security on the IBM i server, thanks to its unique architecture, cryptic file names, and reputation for strong security. It’s hard enough to find programmers, administrators, and operators who are fluent in the ways of IBM i, so how could hackers know their way around?

    If you’re clinging to the “security through obscurity” blanket, you’re living on borrowed time. Don’t underestimate the amount of free time cybercriminals have on their hands. One only has to look back 12 months, to the massive Equifax hack, to see how quickly an unpatched security vulnerability in an obscure piece of technology (Apache Struts) can do lasting damage to the reputation of a Fortune 500 firm.

    Ironically, IBM yesterday patched another serious Struts flaw, this time in IBM Connections, a social media tool that plays in the Notes/Domino space and can connect to IBM i servers. But that’s the least of the worries for IBM i professionals, who have several more critical flaws to fix for software running directly on their servers.

    The fun starts with the security flaws in Node.js, which is quickly becoming a popular tool for developing Web applications on the IBM i. This IBM security bulletin from September 12 describes the two flaws impacting Node.js on IBM i 7.1 through 7.3, including a denial of service (DoS) condition caused by an out-of-bounds write to a buffer, and the risk of losing sensitive data due to the return of uninitialized memory by the buffer function.

    Both risks are serious, but the first flaw, described in CVE-2018-12115, carries a CVSS base score of 8.2, while the second flaw, described in CVE-2018-7166, carries a CVSS base score of 7.5. IBM encourages IBM i users who get their Node.js through the 5733-OPS product to apply PTF number SI68287, while those using the new RPM delivery method are encouraged to download Node.js version 10.
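    The two checks below are an added example, not code from the IT Jungle article or from IBM’s bulletin. The first is a small version gate an IBM i shop can drop into a deployment script to confirm the running Node.js release is at or above the Node.js 10 the article names for RPM users (the `10.0.0` minimum is an assumption drawn from that statement, not from the bulletin). The second illustrates the general class of the second flaw, a buffer function handing back memory that was never cleared: `Buffer.allocUnsafe()` does this by design, so the safe pattern is to allocate zero-filled with `Buffer.alloc()` and only then write into it. The example demonstrates the class, not the specific CVE.

```javascript
// Added example (not from the IT Jungle article or IBM's bulletin).
// 1. A semver-style gate against the minimum Node.js release the article names
//    for the RPM delivery method (assumed here as 10.0.0).
// 2. Why zero-filled allocation matters: Buffer.allocUnsafe() returns memory
//    that is not cleared, so any byte not overwritten may hold stale data.
'use strict';

// Parse "v10.9.0" or "8.11.4" into [major, minor, patch] numbers.
function parseNodeVersion(versionString) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(versionString);
  if (!m) throw new Error(`unrecognised version string: ${versionString}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `running` is at or above `minimum` (both "x.y.z" strings,
// optional leading "v"). Compared component by component, not as strings.
function meetsMinimumVersion(running, minimum) {
  const a = parseNodeVersion(running);
  const b = parseNodeVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Count bytes that are zero. Buffer.alloc(n) guarantees n zeros;
// Buffer.allocUnsafe(n) guarantees nothing about its contents.
function countZeroBytes(buf) {
  let zeros = 0;
  for (const b of buf) if (b === 0) zeros++;
  return zeros;
}

// Safe pattern: allocate zero-filled, then write. Whatever the caller sends
// over the wire, the unwritten tail is 0x00 rather than leftover memory.
function buildRecord(payload, size) {
  const buf = Buffer.alloc(size);            // zero-filled by contract
  const written = buf.write(payload, 0, 'utf8');
  return { buf, written, zeroTail: countZeroBytes(buf.subarray(written)) };
}

// Demo run against the live interpreter.
const MIN_NODE = '10.0.0'; // assumed minimum, per the article's "Node.js version 10"
console.log(`running ${process.version}; meets ${MIN_NODE}? ${meetsMinimumVersion(process.version, MIN_NODE)}`);
const unsafe = Buffer.allocUnsafe(64);
console.log(`allocUnsafe(64): ${countZeroBytes(unsafe)} of 64 bytes are zero (unspecified, may vary)`);
const rec = buildRecord('hello', 16);
console.log(`alloc(16) after writing ${rec.written} bytes: ${rec.zeroTail} zero bytes in the tail`);
```

    The version comparison is numeric on purpose: a string comparison would rank `"8.11.4"` above `"10.9.0"`. The `allocUnsafe` count is printed only to make the point that it is unspecified; a code review or lint rule that flags `allocUnsafe` outside hot paths with a guaranteed full overwrite is the practical mitigation for this class of bug in application code, independent of the PTF.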

    On Monday, IBM patched five security flaws in Samba, which is a free re-implementation of the SMB/CIFS networking protocol. According to the IBM security bulletin, the flaws carry CVSS base scores ranging from 4.3 to 6.5 and a variety of risks, from crashing the Samba service (a DoS) to allowing an attacker to obtain confidential attribute values.

    The Samba flaws impact IBM i 7.2 and 7.3, and can be patched by applying PTF number SI68291 (for 7.2) and SI68292 (for 7.3).

    IBM issued another security bulletin Monday for newly patched flaws in IBM i’s OpenSSH implementation, which is used to let people log in to machines remotely over an encrypted channel. According to IBM, an attacker could obtain sensitive information by sending a specially crafted request that reveals which user names are valid. The flaw carries a CVSS base score of 5.3.

    The OpenSSH flaw impacts IBM i 7.1 through 7.3. The PTF number for 7.1 is SI68325, while the PTF number for versions 7.2 and 7.3 is SI68326. As with all security patches, IBM i shops are encouraged to apply the PTFs immediately to minimize their exposure to hackers.

    As always, IT Jungle encourages you to keep up to date with security flaws by reading Doug Bidwell’s PTF Guide, which is published periodically on these Web pages.

    RELATED STORIES

    Three Lessons IBM i Shops Can Learn From The Equifax Hack

    IBM Patches Security Flaws In IBM i

    IBM Patches Samba Vulnerabilities In IBM i


    Tags: Denial of Service, DOS, IBM i, Node.js, Notes/Domino, OpenSSH, PTF, PTF Guide


TFH Volume: 28 Issue: 62
