Keeping Up With Open Source Security Updates

    May 26, 2021 Alex Woodie

    Open source is a source of technological innovation on IBM i, in multiple respects. But it also opens the platform up to additional security vulnerabilities. That’s why it’s important to stay on top of security patches, for the core operating system as well as the open source technologies that are helping to transform it.

    IBM does a good job of keeping up with security vulnerabilities that are found in the operating system, as well as in the multitude of open source technologies that are included with it. In the last five weeks, IBM has issued several security bulletins for core open source projects that it ships with IBM i.

    These include one issued on May 13 for a Samba vulnerability (CVE-2021-20254) that impacts IBM i versions 7.2 to 7.4, one issued on April 20 for an SMTP flaw (CVE-2021-20501) that impacts IBM i 7.1 through 7.4, and another issued on April 15 for a pair of OpenSSL flaws (CVE-2021-3449 and CVE-2021-3450) that impact IBM i 7.1 through 7.4.

    March apparently was Java security awareness month, as it brought three PTFs for flaws in the Java SDK and Java runtime for IBM i. The first security bulletin covered CVE-2020-14803 and CVE-2020-27221, the second bulletin covered CVE-2020-2773, and the third bulletin covered CVE-2020-14782. All four Java security flaws impacted IBM i 7.1 through 7.4.

    Aside from the removal of the obsolete QIBM path in IBM i NetServer and a fix for an API authorization problem with service programs in IBM i 7.1 through 7.4, all of the security PTFs issued by IBM this year have been for core open source components that it ships with the operating system.

    You can, of course, stay on top of security problems by reading Doug Bidwell’s IBM i PTF Guide here in IT Jungle. And you also can see all of the recommended fixes for the last four releases of IBM i, including security patches sent via Group Security PTFs, at this important website: https://www.ibm.com/support/pages/ibm-i-support-recommended-fixes.

    There are several other resources that IBM i shops can use to ensure they’re running with the fewest number of vulnerabilities. The closer the number is to zero, the better, although it’s not always possible to get to zero, since security vulnerabilities are not always a black and white issue. Companies operating in certain industries may be encouraged to avoid using specific products or releases of products.

    For example, companies that need to comply with the Payment Cardholder Industry (PCI) standard may have to go above and beyond what other companies do with regards to the software they use. IBM is making PCI compliance easier for customers by sharing a list of security fixes that it has made to the HTTP Server (the one powered by Apache) for the past four releases of the operating system. Go to this website to see that list.

    However, IBM doesn’t ship every open source product with IBM i (that would be something!) and sometimes, IBM i shops run into situations where they need an update to an open source product that isn’t one of the core open source components that IBM ships with the operating system, like Java, OpenSSL, SMTP, and Samba (among others).

    For example, IBM used to ship the Apache Tomcat Web application server with IBM i, but it abandoned that practice more than a decade ago. A customer using Tomcat on IBM i will not be able to patch security flaws in Tomcat by applying a PTF from IBM. They’ll be on their own for that.

    However, for a little extra outlay, IBM i shops can get extra support from IBM when it comes to open source products. Big Blue will sell you a subscription to its Open Source Support package, which supports more than 240 different open source packages, including Apache Tomcat.

    Considering the security risks that open source brings, that may be a good insurance option. According to the “2021 Open Source Security and Risk Analysis Report” by Synopsys, the rate at which open source security vulnerabilities are impacting applications is growing.

    The report is based on the analysis of more than 1,500 codebases (the various libraries that make up an application) in Synopsys’ Black Duck knowledgebase. It found that 84 percent of codebases had at least one vulnerability (an increase of 11 percent from 2019), with an average of 158 open source vulnerabilities per codebase. When it comes to high-risk vulnerabilities, 64 percent of codebases had at least one vulnerability, also an 11 percent increase from 2019.

    “Paralleling the growth of open source is a growth in risk — specifically around open source security, code quality, and sustainability,” Synopsys concludes in its report. “To meet the challenge, development teams need to have reliable and timely vulnerability information, a comprehensive inventory of the open source dependencies their software uses, accurate guidance on vulnerability severity and exploitability, and clear direction on how to patch the affected open source.”

    Open source isn’t going away, on IBM i or the IT industry in general. For IBM, open source software is a key part of the strategy for increasing innovation and delivering value to its IBM i customers. But to minimize the risk of a security or regulatory blunder, IBM i shops should do their best to keep track of which open source components they’re using.

    RELATED STORIES

    What The Open Source Roadmap Holds For IBM i In 2021

    Weighing The Hidden Costs Of Open Source

    Open Source The Path To Software Riches For IBM i


    Tags: Apache, API, IBM i, Java, Java SDK, Open Source, OpenSSL, Payment Cardholder Industry, PCI, PTF, Samba, SMTP
