IBM i PTF Guide, Volume 24, Number 10

2022-03-07

Doug Bidwell

This week, there are a bunch of security bulletins about yet more new vulnerabilities, this time in the HTTP Server and the Samba Windows file server clone that are embedded in the IBM i operating system. There is also a partial mitigation against Log4j/Log4Shell vulnerabilities, and you may get a laugh or a cry out of this one. Maybe both. OK, probably both. Let’s go through them all.

First, there is Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224, which you can read about here at this link. With this vulnerability, the Apache Web server bundled with IBM i is vulnerable to a denial of service or server-side request forgery. The fixing PTFs are:

IBM i 7.4: SI78295, SI78296

IBM i 7.3: SI78298, SI78299

IBM i 7.2: SI78297

Then there is Security Bulletin: IBM i is vulnerable to bypass security restrictions due to Samba SMB1 (CVE-2021-43566 and CVE-2021-44141), which you can find out more about in this link here. Here is what IBM has to say: “Samba could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink race error. By using a specially-crafted SMB1 or NFS symlink, an attacker could exploit this vulnerability to create a directory in a part of the server file system not exported under the share definition.” The fixing PTFs are:

IBM i 7.4: SI78680

IBM i 7.3: SI78679

Then, of course, there is Security Bulletin: IBM i components are affected by CVE-2021-4104 (Log4j version 1.x), which we have seen before. However, IBM has updated the group PTFs and added 7.2 mitigation, which you can read about here. The neat bit is the cover letter for the HTTP Server for IBM i 7.2, IBM i 7.3, and IBM i 7.4, which reads as follows: “ *** ADMIN SERVER INFORMATION *** With the latest updates to the HTTP PTF Group, the ADMIN2 server will no longer be started or enabled by default. This means that the Heritage Navigator will no longer be accessible without the user manually enabling and starting the ADMIN2 server. See the following page for details: https://www.ibm.com/support/pages/node/6556828.”

Yes, IBM has stopped up the Log4j security vulnerability by turning off the ADMIN2 server that the heritage Navigator for i administrative console requires. In other words, the Log4j hole is plugged by not letting the heritage Navigator for i work at all. So, good luck managing your IBM i instances if you are on IBM i 7.1 or IBM i 7.2, which are both on extended support.

To help you with the Log4j security vulnerability, we have created a supplemental spreadsheet as a companion to the IBM i PTF Guide that has the latest information on what you need to worry about, and what you need to do about it, when it comes to this vulnerability. You can download the Log4j spreadsheet at this link.

And just another reminder that there is a new version of Navigator for i, which you can find out more about at this link. This modern user interface can be accessed from http://hostname:2002/Navigator.

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.4:

IBM HTTP Server for i

Content Manager OnDemand for i – 5770-RD1

PTF Groups 7.3:

IBM HTTP Server for i

Content Manager OnDemand for i – 5770-RD1

PTF Groups 7.2:

IBM HTTP Server for i

PTF Groups 7.1:

Nothing here.

New (or Updated) links added to the ‘Links’ tab in the guide this week:

The “Links” tab

The “QMGTools” tab

The “ACS” tab

Tips/Definitions: Download the Log4j mitigation document from IT Jungle; it is brought current every week! Take a look at the tabs in the IBM i PTF Guide; we have added a couple that may be helpful!

The Guide at a glance: There are no new defectives this week (03/05/22). Here is the defective PTF rundown, which is the last defective for each release:

Release  Defect Date  Defective PTF  APAR     Fixing PTF  Note
-------  -----------  -------------  -------  ----------  ----------------------------------
7.4      2/16/22      SI78509        SE77164  SI78675     (Read the link in the guide!)
7.3      2/16/22      SI78508        SE77164  SI78674     (Read the link in the guide!)
7.2      12/08/21     SI77634        SE73420  SI78039     (Read the link in the guide!)
7.1      07/29/19     SI69653        SE71807  SI70603     (5733SC1, OpenSSH, available!)

Be sure to access the link in the Guide for further details.

