More IBM i Security Flaws Revealed
July 13, 2022 Alex Woodie
The summer slowdown might have started in your particular business, but things are just getting warmed up for IBM security researchers, who disclosed a series of new vulnerabilities across IBM i products over the past couple of weeks, including in IBM i Merlin, WAS Liberty, OpenSSL, the Digital Certificate Manager, and Zlib.
On June 27, IBM disclosed that the collection of open source and proprietary tools and technology it’s brought together as IBM i Modernization Engine for Lifecycle Integration (Merlin) suffers from no fewer than 16 separate security flaws.
Among the most serious of these flaws is CVE-2022-22965, a data binding flaw in the Spring Framework that could enable a remote attacker to execute arbitrary code on the system. It carries a CVSS base score of 9.6 (perfect 10s are exceedingly rare).
Arbitrary code could also be executed on IBM i via CVE-2022-21724, “an unchecked class instantiation flaw” in the PostgreSQL JDBC driver when using plugin classes. This flaw carries a CVSS base score of 8.5, putting it comfortably in the high-severity range.
There’s also a problem in the Spring Security authentication and access control framework that could allow an attacker to bypass authorization and obtain access to protected assets. This little nasty (CVE-2022-22978) is nothing to trifle with, thanks to a CVSS base score of 8.2.
There are also a couple of flaws rated 7.5 on the CVSS base scale: an improper input validation flaw in Apache Commons IO that could allow a remote attacker to traverse directories on the impacted system (CVE-2021-29425), and a Java stack overflow exception in a FasterXML component that could lead to a denial of service attack (CVE-2020-36518).
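The FasterXML flaw is a bug class worth seeing in miniature: a recursive JSON parser handed a document nested deep enough simply runs out of stack. The following is an added example and is not code from FasterXML, IBM, or this article. It uses Python's standard json module as a stand-in for the Java parser (Python's json.loads raises RecursionError where Jackson threw a StackOverflowError), feeds it a constructed 100,000-level document, and shows the standard mitigation for this bug class: a cheap, non-recursive depth check that rejects over-nested input before the real parser ever sees it. The limit of 64 levels and the sample documents are assumptions chosen for the demonstration.

```python
"""Added example: unbounded nesting depth during JSON deserialization
(the bug class behind CVE-2020-36518), with a bounded-depth pre-check.
Not FasterXML's or IBM's code; Python's json module stands in for Jackson."""
import json


def nesting_depth(doc: str) -> int:
    """Maximum bracket/brace depth of a JSON text.

    Single pass with an explicit counter (no recursion), so it is safe to
    run on hostile input. Brackets inside string literals are ignored,
    including after backslash escapes.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in doc:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def loads_bounded(doc: str, max_depth: int = 64):
    """Reject over-nested documents with a clean error instead of letting
    the recursive parser exhaust its stack. 64 is an assumed limit; pick
    one that fits the schemas the service actually accepts."""
    depth = nesting_depth(doc)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(doc)


def demo() -> dict:
    """Run the unbounded and bounded parsers on a constructed hostile
    document and on a benign one; return what happened in each case."""
    # Constructed hostile input: 100,000 nested arrays, about 200 KB.
    hostile = "[" * 100_000 + "]" * 100_000
    try:
        json.loads(hostile)
        unbounded = "parsed"
    except RecursionError:          # the Python equivalent of the Java stack overflow
        unbounded = "RecursionError"
    try:
        loads_bounded(hostile)
        bounded = "parsed"
    except ValueError:              # rejected up front, no deep recursion ever happens
        bounded = "ValueError"
    # Benign constructed document; the bracket inside the string must not count.
    benign = loads_bounded('{"user": "alice", "roles": ["admin", "[not a bracket]"]}')
    return {"unbounded": unbounded, "bounded": bounded, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The pre-check costs one linear scan of the input and no stack, which is why it belongs in front of any recursive parser that accepts untrusted documents; sizing the limit to real schemas (rather than to the parser's stack) is what turns a crash into a rejected request.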
A pair of security flaws were disclosed June 15 in IBM WebSphere Application Server Liberty for IBM i. The first, CVE-2022-22475, puts users at risk of identity spoofing by an authenticated user and carries a CVSS base score of 5, a medium-severity rating.
The second flaw, identified as CVE-2022-22393, could enable an authenticated user to obtain the status of HTTP/HTTPS ports that are accessible by the application server, and carries a CVSS base score of 3.1, making it less of a threat. You can find patches to both flaws, which impact IBM i 7.2 through 7.5, at this link.
OpenSSL on IBM i needs patching once again thanks to a new flaw, CVE-2022-1292, disclosed June 28. The flaw is caused by improper validation of user-supplied input by the c_rehash script and could allow a remote authenticated attacker to execute arbitrary commands on the system. It rated a CVSS base score of 6.3, making it a moderate threat. All versions of IBM i going back to 7.2 are vulnerable. IBM has patched the flaw; see this link for more details and the PTFs IBM has made available for it.
There is also a problem with the IBM i implementation of Zlib, the open source compression library that IBM now uses for Geographic Mirroring in its PowerHA offering. The flaw, CVE-2018-25032, disclosed by IBM on June 28, is a memory corruption in the deflate operation that could enable an attacker to launch a denial of service attack on an impacted system. It afflicts all current releases of the OS (7.2 to 7.5) and has a CVSS base score of 7.5, a high-severity rating. Info about the flaw and the PTFs for IBM i 7.2 through 7.5 can be found here.
It’s critical to stay up-to-date on IBM i PTFs. Doug Bidwell does a great job of compiling all of the PTFs (not just the security ones) in the weekly PTF Guide, which you can find elsewhere in this newsletter. Happy patching!