Keeping Up With Open Source Security Updates
May 26, 2021 Alex Woodie
Open source is a source of technological innovation on IBM i, in multiple respects. But it also opens the platform up to additional security vulnerabilities. That’s why it’s important to stay on top of security patches, for the core operating system as well as the open source technologies that are helping to transform it.
IBM does a good job of keeping up with security vulnerabilities that are found in the operating system as well as in the multitude of open source technologies that are included with it. In the last five weeks, IBM has issued several security bulletins for the operating system and for core open source projects that it ships with IBM i.
These include one issued on May 13 for a Samba vulnerability (CVE-2021-20254) that impacts IBM i 7.2 through 7.4, one issued on April 20 for a flaw in the IBM i SMTP server (CVE-2021-20501) that impacts IBM i 7.1 through 7.4, and another issued on April 15 for a pair of OpenSSL flaws (CVE-2021-3449 and CVE-2021-3450) that impact IBM i 7.1 through 7.4.
March apparently was Java security awareness month, as it brought three security bulletins, each with accompanying PTFs, for flaws in the Java SDK and Java runtime for IBM i. The first bulletin covered CVE-2020-14803 and CVE-2020-27221, the second covered CVE-2020-2773, and the third covered CVE-2020-14782. All four Java security flaws impacted IBM i 7.1 through 7.4.
Aside from the removal of the obsolete QIBM path in IBM i NetServer and a fix for an API authorization problem with service programs in IBM i 7.1 through 7.4, all of the security PTFs issued by IBM this year have been for core open source components that it ships with the operating system.
You can, of course, stay on top of security problems by reading Doug Bidwell’s IBM i PTF Guide here in IT Jungle. And you also can see all of the recommended fixes for the last four releases of IBM i, including security patches sent via Group Security PTFs, at this important website: https://www.ibm.com/support/pages/ibm-i-support-recommended-fixes.
There are several other resources that IBM i shops can use to ensure they’re running with the fewest possible vulnerabilities. The closer that number is to zero, the better, although reaching zero is not always possible, since security vulnerabilities are not always a black-and-white issue. Companies operating in certain industries may also be encouraged to avoid specific products, or specific releases of products, altogether.
For example, companies that need to comply with the Payment Card Industry Data Security Standard (PCI DSS) may have to go above and beyond what other companies do with regard to the software they use. IBM is making PCI compliance easier for customers by sharing a list of the security fixes it has made to the IBM HTTP Server (the one powered by Apache) for the past four releases of the operating system. Go to this website to see that list.
However, IBM doesn’t ship every open source product with IBM i (that would be something!), and sometimes IBM i shops need an update to an open source product that isn’t one of the core open source components IBM ships and patches with the operating system, such as Java, OpenSSL, and Samba (among others).
For example, IBM used to ship the Apache Tomcat Web application server with IBM i, but it abandoned that practice more than a decade ago. A customer using Tomcat on IBM i will not be able to patch security flaws in Tomcat by applying a PTF from IBM. They’ll be on their own for that.
However, for a little extra outlay, IBM i shops can get extra support from IBM when it comes to open source products. Big Blue will sell you a subscription to its Open Source Support package, which supports more than 240 different open source packages, including Apache Tomcat.
Considering the security risks that open source brings, that may be a good insurance option. According to the “2021 Open Source Security and Risk Analysis Report” by Synopsys, the rate at which open source security vulnerabilities are impacting applications is growing.
The report is based on the analysis of more than 1,500 codebases (an application’s own code together with the open source libraries it pulls in), identified with Synopsys’ Black Duck knowledgebase. It found that 84 percent of codebases had at least one open source vulnerability (an increase of 11 percent from 2019), with an average of 158 open source vulnerabilities per codebase. When it comes to high-risk vulnerabilities, 64 percent of codebases had at least one, also an 11 percent increase from 2019.
“Paralleling the growth of open source is a growth in risk — specifically around open source security, code quality, and sustainability,” Synopsys concludes in its report. “To meet the challenge, development teams need to have reliable and timely vulnerability information, a comprehensive inventory of the open source dependencies their software uses, accurate guidance on vulnerability severity and exploitability, and clear direction on how to patch the affected open source.”
Open source isn’t going away, on IBM i or the IT industry in general. For IBM, open source software is a key part of the strategy for increasing innovation and delivering value to its IBM i customers. But to minimize the risk of a security or regulatory blunder, IBM i shops should do their best to keep track of which open source components they’re using.