IBM Patches New Security Flaws in Java, OpenSSL
April 3, 2019 Alex Woodie
IBM this week patched a series of flaws in IBM i’s Java environment, including a pair of very serious problems in the OpenJ9 runtime that could allow remote attackers to execute arbitrary code, in addition to a series of less-severe Java vulnerabilities. The company also fixed a new flaw found in IBM i’s OpenSSL implementation.
A total of seven Java flaws that impact IBM i versions 7.1 through 7.3 were addressed with one security bulletin issued by IBM on March 29. IBM issued Group PTFs for each release of the operating system to address them. A single OpenSSL flaw also impacts IBM i 7.1 through 7.3 and was dealt with using two PTFs, while a flaw in WebSphere Application Server gets one patch for IBM i.
The two most serious flaws both impact Eclipse OpenJ9, which is the new name that’s been applied to IBM’s pre-existing J9 Java Virtual Machine (JVM) that it has used across many of its products, including IBM i, Linux, and AIX operating systems, as well as various middleware products, such as the WebSphere Application Server.
With the first flaw, labeled CVE-2018-12547, a remote attacker could send a piece of malicious code to exploit a buffer overflow vulnerability in Eclipse OpenJ9 running on IBM i, and thereby gain the ability to execute arbitrary code on the system or cause the system to crash. The flaw carries a CVSS base score of 9.8 out of 10, meaning it’s an extremely serious threat.
The second flaw, labeled CVE-2018-12549, could enable a remote attacker to execute arbitrary code by exploiting a “failure to omit a null check on the receiver object of an Unsafe call when accelerating it,” the bug report says. This flaw also carries a CVSS base score of 9.8 and is considered a very dangerous vulnerability.
The remaining five flaws are not nearly as serious. The most serious among these is a flaw in version 8 of AIX’s IBM SDK, Java Technology Edition, which could allow an attacker to inject code or elevate their privilege. This flaw, which is known as CVE-2018-1890 and carries a CVSS base score of 5.6, mostly impacts AIX and Db2 for LUW, but IBM is including a patch in the IBM i PTFs anyway.
The Group PTFs include IBM i patches for three “unspecified vulnerabilities” in various Oracle Java Standard Edition (SE) components. A flaw in Oracle’s Java SE’s Libraries component (CVE-2019-2422) could allow an unauthenticated attacker to obtain sensitive information. A flaw in the Java SE’s Deployment component (CVE-2019-2449) could allow an unauthenticated attacker to cause a denial of service (DOS) attack. A flaw in Java SE’s Networking component (CVE-2019-2426) could allow an unauthenticated attacker to obtain sensitive information. These three flaws carry CVSS base scores of 3.1 to 3.7.
The final fix in the Group PTF of Java security vulnerability fixes addresses a flaw in an obscure C library. CVE-2018-11212 addresses a flaw in libjpeg, a widely used C library for reading and writing JPEG image files. The vulnerability was given a CVSS base score of 3.3.
All of the above security flaws were addressed with three Group PTFs. IBM i 7.1 users are encouraged to apply SF99572 level 35. IBM i 7.2 users should apply SF99716 level 20. And IBM i 7.3 customers should put SF99725 level 12 on their systems as soon as possible. There are no workarounds for any of these flaws.
On March 29, IBM issued another security bulletin informing IBM i customers that it has fixed a flaw in the OpenSSL encryption library, which has been one of the most bug-ridden pieces of community code on the system in recent memory.
The new OpenSSL flaw, labeled CVE-2019-1559, could allow a remote attacker to read encrypted data “caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding.” This vulnerability could be exploited by using a “0-byte record padding-oracle attack” to decrypt traffic, IBM says.
This OpenSSL flaw carries a CVSS base score of 5.8. Once again, there are no workarounds for this flaw. IBM recommends that IBM i 7.1 users apply PTF number SI69329, while IBM i 7.2 and 7.3 users are directed to PTF number SI69336.
Finally, IBM has issued a patch to fix a DOS vulnerability in WebSphere Application Server caused by improper handling of request headers. The flaw, labeled as CVE-2019-4046, impacts WAS versions 7.x, 8.x, and 9.x, and the Liberty server version 19.x, running on IBM i, AIX, Linux, HP-UX, Solaris, z/OS, Mac OS, and Windows operating systems.