    Security Vulnerability In VIOS, AIX, And Maybe IBM i

    November 23, 2020 Timothy Prickett Morgan

    IBM i shops that use the Virtual I/O Server, which is a cut-down version of the AIX implementation of Unix created by Big Blue, have to be aware that there is a security vulnerability that affects recent releases of AIX and VIOS.

    The vulnerability, announced in Security Vulnerability CVE-2020-4788, affects Power9 machinery running VIOS 3.1 or AIX 7.1 and AIX 7.2. Under what are called “extenuating circumstances,” it could allow a local user on the system to obtain sensitive information stored in the L1 cache on the Power9 cores.

    The vulnerability was reported on November 18, and the Openwall security site published a more detailed, English language description of the issue at this link. The vulnerability appears to be in the same class as the other speculative execution vulnerabilities that affect most modern processors and are grouped under the Spectre and Meltdown names, which came to light out of Google a few years back. Here is the description from Openwall:

    “IBM Power9 processors can speculatively operate on data in the L1 cache before it has been completely validated, via a way-prediction mechanism. It is not possible for an attacker to determine the contents of impermissible memory using this method, since these systems implement a combination of hardware and software security measures to prevent scenarios where protected data could be leaked. However, these measures don’t address the scenario where an attacker induces the operating system to speculatively execute instructions using data that the attacker controls. This can be used for example to speculatively bypass “kernel user access prevention” techniques, as discovered by Anthony Steinhauser of Google’s Safeside Project. This is not an attack by itself, but there is a possibility it could be used in conjunction with side-channels or other weaknesses in the privileged code to construct an attack. This issue can be mitigated by flushing the L1 cache between privilege boundaries of concern.”

    IBM’s own page describing the fixes for AIX and VIOS is at this link. The patches were turned around fast and were available on November 20. The Linux community has also been notified, and fixes have been pushed upstream to the Linux kernel developers in the open source community. IBM is also researching what impact, if any, the vulnerability might have on IBM i itself, and we will be keeping an eye on that. Check the IBM i PTF Guide in the coming days for more on that.

    As far as we know, no one has created a malware exploit that takes advantage of this vulnerability on any of the IBM platforms mentioned above.

