• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • Multiple Vulnerabilities Pop Up In Navigator For i

    January 23, 2023 Timothy Prickett Morgan

    Why do we network computers again? Remind me.

    A new security bulletin was released for the Navigator for i system management interface for the IBM i platform on January 18, which rolls up four different vulnerabilities for Navigator for i that leave it open to log file access, to obtaining file attributes, and to SQL Injection attacks due to multiple other vulnerabilities.

    You can read about this security bulletin at this link. The most severe of the issues is the SQL injection attack, which has a CVSS Base score of 6.3 out of 10. According to the bulletin: “IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface.”

    Access to log files for Navigator for i 7.3, 7.4, and 7.5 is unintentionally allowed when a remote authenticated user can bypass the interface checks in the tool and download log files by modifying the servlet filter for Navigator for i. This one has a CVSS rating of 4.3. Another vulnerability allows an authenticated user to get files they are authorized to get but not through the Navigator for i toll (this seems like a minor problem if you as me), and yet another one allowed attackers to see user profile attributes why performing an SQL injection.

    IBM is providing fixes for these vulnerabilities for IBM i 7.3, IBM i 7.4, and IBM i 7.5. The following PTFs patch Navigator for i up against these vulnerabilities:

    • For IBM i 7.5, HTTP Server for i Group PTF Level SF99952 – 05: SF99952 750 IBM HTTP Server for i – level 5
    • For IBM i 7.4, HTTP Server for i Group PTF Level SF99662 – 25: SF99662 740 IBM HTTP Server for i – level 25
    • For IBM i 7.3, HTTP Server for i Group PTF Level SF99722 – 42: SF99722 730 IBM HTTP Server for i – level 42

    The CVE record dates for these vulnerabilities was October 26, 2022, and we remind you that this record date is not necessarily when the vulnerability was first known to customers or IBM. But it certainly was not after that date!

    RELATED STORIES

    New Nav for i Brings New Stuff to You

    What’s New in IBM i Services and Networking

    IBM Delivers More Out-of-the-Box Security with IBM i 7.5

    Announcement Day: IBM Lifts The Veil On IBM i 7.5 And 7.4 TR6

    IBM Accelerates New Nav Development Following Log4j Issue

    No Plan To Support New Nav on Older IBM i Releases, IBM Says

    Log4j Hits Heritage Version of Navigator for i – No Patch Coming

    IBM Ships ACS Version 1.1.9.0

    New Nav Puts SQL Services Within Reach

    Navigator For IBM i On A Zigzag Journey

    IBM Navigator for i Increases Web and Mobile Effort

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags: Tags: IBM i, IBM i 7.3, IBM i 7.4, IBM i 7.5, Navigator for i, SQL

    Sponsored by
    Midrange Dynamics North America

    With MDRapid, you can drastically reduce application downtime from hours to minutes. Deploying database changes quickly, even for multi-million and multi-billion record files, MDRapid is easy to integrate into day-to-day operations, allowing change and innovation to be continuous while reducing major business risks.

    Learn more.

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Participate In The 2023 IBM i Marketplace Survey Discussion 2023 IBM i Predictions, Part 2

    Leave a Reply Cancel reply

TFH Volume: 33 Issue: 3

This Issue Sponsored By

  • ProData
  • New Generation Software
  • WorksRight Software
  • Raz-Lee Security
  • Manta Technologies

Table of Contents

  • It Is Time To Have A Group Chat About AI
  • 2023 IBM i Predictions, Part 2
  • Multiple Vulnerabilities Pop Up In Navigator For i
  • Participate In The 2023 IBM i Marketplace Survey Discussion
  • IBM i PTF Guide, Volume 25, Number 4

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • Big Blue Raises IBM i License Transfer Fees, Other Prices
  • Keep The IBM i Youth Movement Going With More Training, Better Tools
  • Remain Begins Migrating DevOps Tools To VS Code
  • IBM Readies LTO-10 Tape Drives And Libraries
  • IBM i PTF Guide, Volume 27, Number 23
  • SEU’s Fate, An IBM i V8, And The Odds Of A Power13
  • Tandberg Bankruptcy Leaves A Hole In IBM Power Storage
  • RPG Code Generation And The Agentic Future Of IBM i
  • A Bunch Of IBM i-Power Systems Things To Be Aware Of
  • IBM i PTF Guide, Volume 27, Numbers 21 And 22

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2025 IT Jungle