    Security Vulnerability In VIOS, AIX, And Maybe IBM i

    November 23, 2020 Timothy Prickett Morgan

    IBM i shops that use the Virtual I/O Server, which is a cut-down version of the AIX implementation of Unix created by Big Blue, have to be aware that there is a security vulnerability that affects recent releases of AIX and VIOS.

    The vulnerability, announced as CVE-2020-4788, affects Power9 machinery running VIOS 3.1, AIX 7.1, or AIX 7.2. Under what are called “extenuating circumstances,” it could allow a local user on the system to obtain sensitive information stored in the L1 cache of the Power9 cores.

    The vulnerability was reported on November 18, and the Openwall security site published a more detailed, English-language description of the issue at this link. The vulnerability appears to be in the same class as the other speculative execution vulnerabilities that are found in most modern processors and are grouped under the Spectre and Meltdown labels, which came to light out of Google a few years back. Here is the description from Openwall:

    “IBM Power9 processors can speculatively operate on data in the L1 cache before it has been completely validated, via a way-prediction mechanism. It is not possible for an attacker to determine the contents of impermissible memory using this method, since these systems implement a combination of hardware and software security measures to prevent scenarios where protected data could be leaked. However, these measures don’t address the scenario where an attacker induces the operating system to speculatively execute instructions using data that the attacker controls. This can be used for example to speculatively bypass “kernel user access prevention” techniques, as discovered by Anthony Steinhauser of Google’s Safeside Project. This is not an attack by itself, but there is a possibility it could be used in conjunction with side-channels or other weaknesses in the privileged code to construct an attack. This issue can be mitigated by flushing the L1 cache between privilege boundaries of concern.”

    IBM’s own page describing the fixes for AIX and VIOS is at this link. The patches were turned around fast and were available on November 20. The Linux community has also been notified and has pushed some fixes upstream to the Linux kernel developers in the open source community. IBM is also researching what impact, if any, this might have on IBM i itself, and we will be keeping an eye on that. Check the IBM i PTF Guide in the coming days for more on that.

    As far as we know, no one has created a malware exploit that takes advantage of this vulnerability on any of the IBM platforms mentioned above.

    RELATED STORIES

    The Herculean Task Of Applying Spectre/Meltdown Patches

    Power Systems And The Spectre And Meltdown Threats

    Update On The Spectre And Meltdown Patches For Power

    The Performance Impact Of Spectre And Meltdown

    IBM i Gets More PTFs for Meltdown and Spectre

    IBM i PTF Guide, Volume 20, Number 4, The Spectre Of Meltdowns

    IBM i PTF Guide, Volume 20, Number 3: Important Update For Spectre/Meltdown

    Tags: AIX, IBM i, IBM i PTF Guide, Linux, Malware, Meltdown, Openwall, Power9, Spectre, Spectre/Meltdown, Unix, VIOS, Virtual I/O Server

TFH Volume: 30 Issue: 75
