IBM i PTF Guide, Volume 24, Number 14

Doug Bidwell

Get your PTF patching fingers ready to roll across the keyboard because there are some new security vulnerabilities in the IBM i platform. First up, Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493), which you can learn about here.

Release 2.2.0 can be fixed by upgrading to release 2.2.1 or 2.3.0, depending on your IBM i release level:

IBM i 7.4: Upgrade to Db2 Web Query for i 2.3.0

IBM i 7.3: Upgrade to Db2 Web Query for i 2.3.0

IBM i 7.2: Upgrade to Db2 Web Query for i 2.2.1

IBM i 7.1: Upgrade to Db2 Web Query for i 2.2.1

And then there is Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is affected by arbitrary code execution and other attacks due to multiple vulnerabilities. Read all about it at this link.

CVEID: CVE-2022-22310

CVEID: CVE-2021-23450

CVEID: CVE-2021-39038

CVEID: CVE-2021-39031

The IBM i PTF numbers containing the fix for the CVEs:

Release 5770-SS1 PTF PTF Download Link

7.4 SI78971 https://www.ibm.com/support/pages/ptf/SI78971

7.3 SI78972 https://www.ibm.com/support/pages/ptf/SI78972

7.2 SI78973 https://www.ibm.com/support/pages/ptf/SI78973

Important: Heritage Navigator Enable and Disable Instructions, found here. The heritage Navigator is no longer started by default. The heritage Navigator is stabilized and will be removed from support completely by the end of 2022. If you have a requirement to access the heritage Navigator, follow the instructions on this page. Note: Heritage Navigator is used at your own risk. Only start for a limited time.

IBM Navigator for i, see this link. Note important updates and changes to IBM Navigator: Function Usage ID QIBM_NAV_ALL_FUNCTION changed to default of *DENIED. With today’s increased focus on security, user profiles that previously were allowed to access IBM Navigator for i function may now be restricted. To allow users access, refer to the Function Usage ID table at IBM Navigator for i – Function Usage IDs.

The Heritage Navigator running in ADMIN2 is no longer started by default. If you have a requirement to access the heritage Navigator, follow the instructions found at https://www.ibm.com/support/pages/node/6556828.

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.4:

IBM MQ for IBM i – V7.1.0/V8.0.0/V9.0.0/V9.1.0

Java

QMGTools

Db2 Web Query for i V2.3.0

DB2 Web Query for i V2.2.1

PTF Groups 7.3:

IBM MQ for IBM i – V7.1.0/V8.0.0/V9.0.0/V9.1.0

Java

QMGTools

IBM i Support_Recommended Fixes – SMTP

Db2 Web Query for i V2.3.0

DB2 Web Query for i V2.2.1

PTF Groups 7.2:

Java

QMGTools

DB2 Web Query for i V2.2.1

PTF Groups 7.1:

DB2 Web Query for i V2.2.1

To help you with the Log4j security vulnerability, we have created a supplemental spreadsheet as a companion to the IBM i PTF Guide that has the latest information on what you need to worry about, and what to do about it, when it comes to this vulnerability. You can download the Log4j spreadsheet at this link. And by the way, it is the same sheet as last week because there were no changes this week, at least as of publication date.

New (or Updated) links added to the ‘Links’ tab in the guide this week:

RTVSYSVAL: Retrieve System Value (RTVSYSVAL) N/A

WAS: How to download WebSphere Application Server – Express V8.5.5 from Passport Advantage Online 603469

New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:

New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:

Tips/Definitions: A reminder that there are no-cost versions of Java, and here are a few examples:

https://adoptopenjdk.net/

https://aws.amazon.com/corretto/

https://developer.ibm.com/languages/java/semeru-runtimes/downloads

https://adoptium.net/

The Guide at a glance: There are no new defectives this week (04/02/22). Here is the defective PTF rundown, which is the last defective for each release:

Release  Defect Date  Defective PTF  APAR     Fixing PTF
-------  -----------  -------------  -------  ----------
7.4      2/16/22      MF69373        MA49558  MF69650 (Read the link in the guide!) MF69241
7.3      2/16/22      SI78508        SE77164  SI78674 (Read the link in the guide!)
7.2      12/08/21     SI77634        SE73420  SI78039 (Read the link in the guide!)
7.1      07/29/19     SI69653        SE71807  SI70603 (5733SC1, OpenSSH, available!)

Be sure to access the link in the Guide for further details.

