OpenSSL Flaw No ‘Heartbleed,’ But Other New Vulns Detected
November 2, 2022 Alex Woodie
The cybersecurity world has been sitting on pins and needles for the past 48 hours, ever since news of a potentially devastating new flaw in OpenSSL started to leak out early Monday morning. That flaw turned out to be not as bad as initially feared, but that shouldn’t stop IBM i shops from patching other recent flaws, including some pretty serious ones in WebSphere Liberty, Java, the CCA, and Zlib.
News started to emerge earlier this week of a critical OpenSSL flaw that required the utmost attention. The flaw could be a concern for just about everybody, including IBM, which uses OpenSSL extensively in its products, including in IBM i. IBM has a long history of patching flaws in OpenSSL, going all the way back to the Heartbleed epidemic in 2014.
However, that flaw, tracked as CVE-2022-3602, is not as bad as first feared. Thankfully, it’s not Heartbleed Take Two. Nevertheless, the flaw–which involves a buffer overflow in X.509 certificate verification that could enable remote code execution and a DOS attack–is still rated high severity, and users are encouraged to apply a patch as soon as one is available.
The second OpenSSL flaw, CVE-2022-3786, was discovered during research of the first flaw. It too is a buffer overflow flaw, and it too carries the risk of a DOS attack when an attacker sends a malformed response in a certificate. However, it is not considered as severe as the first one. The two flaws are so new that CVSS Base scores are not yet available.
IBM will be looking into the latest OpenSSL flaw, according to a message posted yesterday on its PSIRT Blog:
“IBM is responding to the reported buffer overflow vulnerability that the OpenSSL open-source community disclosed for OpenSSL versions 3.0.0 – 3.0.6. We are taking action as an enterprise, and for IBM products and services that may potentially be impacted, as we do for all vulnerabilities rated High.”
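A quick defender-side check against the version range in that statement, added here as an example and not code from the article or from IBM: it parses `openssl version` output and reports whether the build falls in the 3.0.0 – 3.0.6 range. It assumes 3.0.7 is the first release outside that range (the release that carried the fix, which the article does not mention) and that 1.x builds are not in scope.

```python
import re
import subprocess

# Affected range for CVE-2022-3602 / CVE-2022-3786 as quoted in the IBM statement.
# 3.0.7 (the fix release, assumed here) and anything in the 1.x line fall outside it.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q 5 Jul 2022";
# the optional letter suffix used by the 1.x line is captured but not compared.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.groups()[:3])


def is_affected(banner: str) -> bool:
    """True when the banner's version lies in the 3.0.0 .. 3.0.6 range."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def local_openssl_affected() -> bool:
    """Run the host's `openssl version` and classify it; False if no binary is found."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return False
    return is_affected(out)


# Constructed sample banners, not output captured from any real host.
SAMPLES = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner!r:32} affected={is_affected(banner)}")
```

Feed it the banner from each host in an inventory rather than trusting package names, since vendor builds sometimes carry a different package version than the library they ship.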
While a worst-case scenario with OpenSSL appears to have been averted, that doesn’t mean it’s completely smooth sailing for IBM i shops, which have several other serious flaws to contend with. That includes a pair of flaws in the Zlib compression library.
Zlib has been the focus of hackers over the past month, as a series of flaws have been uncovered in this open source library, which is used in several IBM i processes, including save/restore operations, main storage dump, and GeoMirror data replication.
On October 25, IBM issued a security bulletin for IBM i 7.4 and 7.5 pertaining to Zlib and its vulnerability to CVE-2018-25032, which is a denial of service (DOS) attack due to a memory corruption in Zlib’s deflate operation. The flaw was given a CVSS score of 7.5, making it a serious threat.
Yesterday, IBM followed that initial Zlib security bulletin with a second security bulletin concerning another flaw in Zlib. This particular flaw relates to CVE-2022-37434, which describes a buffer overflow condition in Zlib’s inflate operation that could allow an attacker to execute arbitrary code on the system. This particular flaw carries a CVSS score of 7.3. IBM has issued PTFs for IBM i releases 7.2 through 7.5.
On October 24, IBM issued a security bulletin for a flaw in the IBM Java SDK and IBM Java Runtime for IBM i. Details of the flaw, which goes by CVE-2021-2163, were not shared, but IBM assures us that it could allow an unauthenticated attacker to have a “high integrity impact.” The flaw carries a CVSS base score of 5.3, and IBM issued patches to correct the problem for IBM i versions 7.2 through 7.5.
On September 22, IBM issued a security bulletin for a flaw in the Common Cryptographic Architecture (CCA) that could impact the Hardware Security Module (HSM). The flaw, identified as CVE-2022-22423, could allow an attacker to launch a DOS attack impacting Power environments, including IBM i, AIX, and Linux, and carries a CVSS base score of 6.5. The flaw can be addressed by applying a PTF for IBM i versions 7.2 through 7.5.
On September 12, IBM issued a security bulletin for a pair of flaws in WebSphere Application Server Liberty for IBM i. The flaws include CVE-2022-22476, which is an identity spoofing flaw that carries a CVSS base score of 5, and CVE-2019-11777, which could allow an attacker to impersonate another user and carries a CVSS base score of 7.5. IBM addressed the security vulnerabilities with PTFs for IBM i versions 7.2 through 7.5.
As always, stay tuned to Doug Bidwell’s IBM i PTF Guide, now published every Monday in The Four Hundred, for the latest news on the latest patches for IBM i.