IBM i PTF Guide, Volume 24, Number 23

Doug Bidwell

Welcome to this week’s edition of the IBM i PTF Guide. We start out with a correction to the Technology Refresh tab in the spreadsheet, where the “LIC Resave” values that were for 7.4 TR6 and 7.3 TR12 were based on an IBM site that was itself incorrect. That site has since been corrected, and now we have corrected the information in the sheet. Many thanks to Jeff at IBM for catching this!

And now, a bevy of Security Bulletins – four different vulnerabilities that affect the IBM i platform, to be specific.

First, we have Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414), see here for details. The PTFs by release to fix this are:

Desc                   Rls   Grp                PTF
IBM Db2 Mirror for i   7.5   SF99951 level 1    SI79449
IBM Db2 Mirror for i   7.4   SF99668 level 19   SI79448

Second, there is Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785), which you can analyze here. The PTFs by release to fix this are:

Desc                   Rls   Grp                PTF
IBM Db2 Mirror for i   7.5   SF99951 level 1    SI79449
IBM Db2 Mirror for i   7.4   SF99668 level 19   SI79448

Third, take a look at Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225. More information at this link. The PTFs by release to fix this are:

Desc                   Rls   Grp                PTF
IBM Db2 Mirror for i   7.5   SF99951 level 1    SI77900
IBM Db2 Mirror for i   7.4   SF99668 level 17   SI77899

And finally, fourth, take a gander at Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities. You can get the details at this link. The PTFs by release to fix this are:

IBM i Release   5770-JV1 Group PTF Number   Level
7.5             SF99955                     Level 1
7.4             SF99665                     Level 14
7.3             SF99725                     Level 25
7.2             SF99716                     Level 35

Here is the rundown of PTF Groups by IBM i release level since we last published, with IBM i 7.5 added in since it has been shipping for two weeks now:

PTF Groups 7.5:

HIPERs (High Impact/Pervasive)

IBM HTTP Server for i

QMGTOOLS

PTF Groups 7.4:

HIPERs (High Impact/Pervasive)

DB2 for IBM i

QMGTOOLS

PTF Groups 7.3:

HIPERs (High Impact/Pervasive)

DB2 for IBM i

QMGTOOLS

PTF Groups 7.2:

QMGTOOLS

PTF Groups 7.1:

Nothing here.

New (or Updated) links added to the ‘Links’ tab in the guide this week:

Nope

New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:

Nadda

New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:

You have enough to do already, right?

The Guide at a glance: There are no new defectives this week (06/04/22). Here is the defective PTF rundown, which is the last defective for each release:

      Defect     Defective            Fixing
      Date       PTF         APAR     PTF
      --------   --------    -------  -------
7.5   06/03/22   SI78809     SE78003  SI80094 (When available)
7.4   06/03/22   SI79097     SE78003  SI80093 (When available)
7.3   06/03/22   SI79186     SE78003  SI80092 (When available)
7.2   12/08/21   SI77634     SE73420  SI78039 (Read the link in the guide!)
7.1   07/29/19   SI69653     SE71807  SI70603 (5733SC1, OpenSSH, available!)

Be sure to access the link in the Guide for further details.

