IBM Patches Nine Security Flaws in IBM i
September 29, 2021 Alex Woodie
IBM issued three security bulletins on Friday alerting IBM i users to the availability of patches for nine newly disclosed security vulnerabilities in the OpenSSL, HTTP Server, and WebSphere Liberty components. Some of the vulnerabilities are potentially serious and should be patched immediately.
IBM patched two security flaws in its OpenSSL API that could have devastating consequences on affected systems, including enabling an attacker to take over the server, read sensitive information, or mount a denial of service (DoS) attack. IBM patched these flaws in IBM i 7.1 through 7.4, according to the security bulletin, which you can read here. (The fact that IBM patched 7.1 is telling, considering it’s no longer under mainstream support. However, IBM committed to supporting 7.1 through 2024 under its Program Support Extension [PSE] program in October 2020.)
The more critical of these two OpenSSL vulnerabilities is CVE-2021-3711, a buffer overflow caused by improper bounds checking in OpenSSL’s SM2 elliptic curve decryption code. An attacker who can get a vulnerable application to decrypt specially crafted SM2 content can overflow the buffer the application allocated for the plaintext and potentially execute arbitrary code. This flaw carries a CVSS base score of 9.8, making it a particularly dangerous vulnerability that should be patched immediately.
IBM also patched CVE-2021-3712, a flaw in how OpenSSL handles Abstract Syntax Notation One (ASN.1) strings, the length-prefixed structure it uses to serialize and deserialize data in a cross-platform manner. ASN.1 strings are not guaranteed to be NUL terminated, but the affected OpenSSL functions treated them as if they were, so specially crafted data could make them read past the end of the string. An attacker could exploit this to read contents of memory on the system or perform a DoS attack, IBM says. This flaw carries a CVSS base score of 6.5.
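As an added illustration of the bug class behind CVE-2021-3712 (this is not OpenSSL’s code, IBM’s patch, or the actual vulnerable routine), the following C program parses a constructed DER PrintableString and contrasts a length-ignoring accessor built on strlen() with one that honours the DER length field. The sample bytes, the short-form-only parser and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal view of a DER PrintableString (tag 0x13). The value is
 * length-prefixed and NOT NUL-terminated: the length field is the
 * only valid bound on it. */
typedef struct {
    const uint8_t *data;   /* points into the DER buffer, not a C string */
    size_t len;            /* authoritative length taken from the DER header */
} asn1_string_t;

/* Parse one short-form DER TLV (length < 128) from buf[0..buflen).
 * Returns 0 on success, -1 if the input is malformed or truncated.
 * Hypothetical helper written for this example. */
int parse_printable_string(const uint8_t *buf, size_t buflen, asn1_string_t *out) {
    if (buflen < 2 || buf[0] != 0x13) return -1;
    size_t len = buf[1];
    if (len >= 0x80) return -1;            /* long-form length: out of scope here */
    if (len > buflen - 2) return -1;       /* declared length runs past the buffer */
    out->data = buf + 2;
    out->len = len;
    return 0;
}

/* BUGGY: treats the value as a C string. strlen() ignores s->len and
 * keeps reading until it happens to hit a 0x00 byte, which may lie
 * beyond the value (and, in the real bug class, beyond the allocation). */
size_t value_length_buggy(const asn1_string_t *s) {
    return strlen((const char *)s->data);
}

/* FIXED: the DER length is the only bound; never hand the raw value to
 * str* functions. */
size_t value_length_fixed(const asn1_string_t *s) {
    return s->len;
}

/* Copy the value into a caller-supplied buffer as a proper NUL-terminated
 * C string. Returns the number of bytes copied, or -1 if it would not fit. */
int copy_value(const asn1_string_t *s, char *dst, size_t dstlen) {
    if (s->len + 1 > dstlen) return -1;
    memcpy(dst, s->data, s->len);
    dst[s->len] = '\0';
    return (int)s->len;
}

/* Constructed sample (not captured traffic): PrintableString "hello"
 * followed by three unrelated bytes and then a 0x00 that stands in for
 * whatever happens to sit in memory after the string. */
static const uint8_t sample_der[] = {
    0x13, 0x05, 'h', 'e', 'l', 'l', 'o',
    'X', 'Y', 'Z', 0x00
};

int demo(void) {
    asn1_string_t s;
    if (parse_printable_string(sample_der, sizeof sample_der, &s) != 0) return -1;
    /* The buggy accessor reports 8 bytes; the DER header says 5. */
    printf("DER length: %zu, strlen() length: %zu\n",
           value_length_fixed(&s), value_length_buggy(&s));
    return 0;
}

int main(void) {
    return demo() == 0 ? 0 : 1;
}
```

The sample is arranged so the over-read stays inside the same array and the program stays well defined; in the real bug class the bytes after the value are not guaranteed to be readable at all, which is what turns a length bug into a crash or a memory disclosure.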
IBM patched five flaws in the HTTP Server (the one powered by Apache) that could lead to DoS attacks, allow an attacker to bypass security measures, enable Web cache poisoning or cross-site scripting attacks, and have other negative consequences for users. IBM patched the five security vulnerabilities in IBM i versions 7.2 through 7.4. You can access this security bulletin here.
The most severe of the HTTP Server vulnerabilities is CVE-2021-33193, an HTTP request-splitting flaw in Apache HTTPd’s HTTP/2 handling that carries a CVSS base score of 6.1, making it a moderate threat. The other flaws IBM patched, CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, and CVE-2021-30641, carry CVSS base scores between 3.7 and 5.9.
IBM patched two flaws in the Apache Commons Compress library, which is used by WebSphere Application Server Liberty on IBM i. The patches apply to IBM i versions 7.2 through 7.3, according to the security bulletin, which you can read here.
The more severe of the two patched flaws is CVE-2021-36090, an out-of-memory condition that can be triggered with a specially crafted ZIP archive. A remote attacker can exploit it to cause a DoS. It was given a CVSS base score of 7.5, which falls in the High severity band of the CVSS v3 scale.
A similar flaw, CVE-2021-35517, is an out-of-memory condition triggered by a malicious TAR archive. It can likewise be used to launch a DoS attack and carries a CVSS base score of 5.5.
Patches were issued for these nine vulnerabilities on September 24. One week earlier, IBM patched another security flaw in DHCPd, the daemon for the Dynamic Host Configuration Protocol, which is part of IBM i’s networking stack. The patch was for IBM i 7.1 through 7.4, according to the security bulletin. The specific flaw, CVE-2021-25217, is a buffer overflow that could enable an attacker to crash a DHCP server or a client. It was given a CVSS base score of 6.5.
As always, you can find out which particular PTFs you need to apply by reading Doug Bidwell’s PTF Guide, which is published most Wednesdays in The Four Hundred. To read this week’s PTF Guide, click here.