More IBM i Security Flaws Revealed

    July 13, 2022 Alex Woodie

    The summer slowdown might have started in your particular business, but things are just getting warmed up for IBM security researchers, who disclosed a series of new vulnerabilities across IBM i products over the past couple of weeks, including IBM i Merlin, WAS Liberty, OpenSSL, the Digital Certificate Manager, and Zlib.

    On June 27, IBM disclosed that the collection of open source and proprietary tools and technology it’s brought together as IBM i Modernization Engine for Lifecycle Integration (Merlin) suffers from no fewer than 16 separate security flaws.

    Among the most serious of these flaws is CVE-2022-22965, a data binding flaw in the Spring framework that could enable a remote attacker to execute arbitrary code on the system. It carries a CVSS base score of 9.6 (perfect 10s are exceedingly rare).

    Arbitrary code could also be executed on IBM i via CVE-2022-21724, which refers to “an unchecked class instantiation flaw” in the PostgreSQL JDBC driver when using plugin classes. This particular flaw carries a CVSS base score of 8.5, putting it comfortably in the “high risk” zone.

    There’s also a problem in the Spring Security authentication and access control framework that could allow an attacker to bypass authorization and obtain access to protected assets. This little nasty (CVE-2022-22978) is nothing to trifle with, thanks to a CVSS base score of 8.2.

    There are also a couple of flaws rated 7.5 on the CVSS base score: an improper input validation flaw in Apache Commons IO that could allow a remote attacker to traverse directories on the impacted system (CVE-2021-29425), and a Java stack overflow exception in a FasterXML component that could lead to a denial of service attack (CVE-2020-36518).

    For more information on the 11 other flaws we didn’t discuss, as well as the specific patches for IBM i Merlin, which is now officially supported on IBM i 7.3 through 7.5, check out this link.

    A pair of security flaws were disclosed June 15 in IBM WebSphere Application Server Liberty for IBM i. The first flaw, identified as CVE-2022-22475, puts users at risk of identity spoofing by an authenticated user, and carries a CVSS base score of 5, making it an average threat.

    The second flaw, identified as CVE-2022-22393, could enable an authenticated user to obtain the status of HTTP/HTTPS ports that are accessible by the application server, and carries a CVSS base score of 3.1, making it less of a threat. You can find patches to both flaws, which impact IBM i 7.2 through 7.5, at this link.

    The IBM i implementation of OpenSSL is questionable once again thanks to a new flaw identified as CVE-2022-1292. The flaw, disclosed June 28, is caused by improper validation of user-supplied input by the c_rehash script, and could allow a remote authenticated attacker to execute arbitrary commands on the system. It rated a CVSS base score of 6.3, making it a moderate threat. All versions of IBM i going back to version 7.2 are vulnerable. IBM has patched the flaw. See this link for more details about the flaw and the PTFs IBM has made available for it.

    The Digital Certificate Manager for IBM i is also susceptible to a cross-site scripting attack, described in CVE-2022-34358. The flaw, disclosed July 12, exists in the “old web application,” according to IBM, and could allow arbitrary JavaScript code to be embedded in the Web client, “thus altering the intended functionality potentially leading to credentials disclosure within a trusted session,” IBM says. The flaw impacts IBM i versions 7.2 through 7.5, and has a CVSS base score of 5.4. You can find more info about the flaw and patches at this link.

    There is a problem with the IBM i implementation of Zlib, an open source compression algorithm that IBM is now using for Geographic Mirroring in its PowerHA offering. The flaw, described as CVE-2018-25032 and disclosed by IBM on June 28, is caused by a memory corruption in the deflate operation, which could enable a cybercriminal to launch a denial of service attack on an impacted system. It afflicts all current releases of the OS (7.2 to 7.5) and has a CVSS base score of 7.5, making it a moderate-to-severe threat. Info about the flaw and the PTFs for IBM i 7.2 through 7.5 can be found here.

    It’s critical to stay up-to-date on IBM i PTFs. Doug Bidwell does a great job of compiling all of the PTFs (not just the security ones) in the weekly PTF Guide, which you can find elsewhere in this newsletter. Happy patching!


TFH Volume: 32 Issue: 48
