IBM i PTF Guide, Volume 25, Number 17

April 24, 2023

Doug Bidwell

There are a lot of PTFs that you need to be aware of this week, but before we get into them, there are two security vulnerabilities, one affecting the IBM i platform’s integrated Apache Web server and the other affecting IBM i Access Client Solutions in combination with the IBM Toolbox for Java. Let’s start with the security bulletins.

First, we have Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP response splitting and denial of service attacks (CVE-2022-37436, CVE-2006-20001), which you can find out more about at this link. The PTF numbers that contain the fix for the vulnerabilities, by IBM i release, are:

IBM i Release   5770-DG1 PTF Number
7.5             SI82700 SI82701
7.4             SI82702 SI82703
7.3             SI82704 SI82705
7.2             SI82706 SI82707

Second, we have Security Bulletin: IBM i Access Client Solutions is vulnerable to an attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928), which you can see all kinds of details about here. The issue can be fixed by upgrading to version 1.1.9.2 or later. See IBM i Access Client Solutions updates for the latest version available. The affected products are IBM i Access Client Solutions 1.1.2 – 1.1.4, 1.1.4.3 – 1.1.9.1.

In a rare occurrence, there are no updates to the PTF Groups for the currently supported releases – IBM i 7.5, IBM i 7.4, and IBM i 7.3 – but there sure are a whole bunch of security vulnerabilities that IBM i shops have to deal with.

First, there are two of them dealing with WebSphere Application Server Liberty. There is PH50863: IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-24998, CVSS 7.5), which you can find out more about here. Then there is PH52739: IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482, CVSS 5.3), which you can find out more about here.

Second, we have Security Bulletin: IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928), which you can learn more about at this link. Patches are:

5770-DBM 5770-SS1
IBM Db2 Mirror for i 7.4   SI83019 SI82444 SI83028 SI82954
IBM Db2 Mirror for i 7.5   SI83018 SI82443 SI83029 SI82948

Third, there is Security Bulletin: IBM i components are affected by CVE-2021-4104 (Log4j version 1.x), for which more information is available at this link.

IBM i Release   5770-DG1 Level
7.4             SF99662 - 19
7.3             SF99722 - 38
7.2             SF99713 - 49

Fourth, you have Security Bulletin: IBM i DNS is affected by denial of service attacks due to flaws in ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924). More information is available here. The following IBM i PTF numbers for 5770-SS1 Option 31 (Domain Name System) contain the fix for the vulnerabilities:

IBM i Release   5770-SS1 Option 31 PTF Number
7.5             SI82623
7.4             SI82624
7.3             SI82625
7.2             SI82626

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.5:

HIPERs (High Impact/Pervasive)

Security

Backup Recovery Solutions

High Availability for IBM i

SAP support required PTF list for IBM i 7.5

Memo to Users

What’s New!

IBM i Access Client Solutions V1.1.9.2

MustGather: How To Obtain and Install QMGTOOLS

RPG Café

PTF Groups 7.4:

HIPERs (High Impact/Pervasive)

Security

Backup Recovery Solutions

High Availability for IBM i

Memo to Users

What’s New!

IBM i Access Client Solutions V1.1.9.2

MustGather: How To Obtain and Install QMGTOOLS

RPG Café

PTF Groups 7.3:

HIPERs (High Impact/Pervasive)

Security

Backup Recovery Solutions

High Availability for IBM i

Memo to Users

What’s New!

IBM i Access Client Solutions V1.1.9.2

MustGather: How To Obtain and Install QMGTOOLS

RPG Café

New (or Updated) links added to the ‘Links’ tab in the guide this week:

Nyet, comrade

New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:

Nein

New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:

Nuthin’

New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:

Nothing here, either

New (or Updated) Redbooks links added this week:

Nothing here as well

Tips/Definitions: In ACS, the Check for Updates function (under “Help”, About) only checks the first three digits of the version number. If you are on ACS 1.1.9.1, checking for updates will not tell you about 1.1.9.2 . . . .
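Because the built-in update check cannot be relied on to flag 1.1.9.2, an inventory check has to compare all four version components. The following is an added example (not IBM's code and not part of the Guide) that applies the affected ranges from the CVE-2022-43928 bulletin above to a workstation inventory. It assumes the ranges are inclusive, pads missing components with zero, and models the update check as a comparison of the first three components only; the host names and inventory are constructed.

```python
# Affected ranges and fixed version are taken from the bulletin text above.
AFFECTED_RANGES = [("1.1.2", "1.1.4"), ("1.1.4.3", "1.1.9.1")]
FIXED_VERSION = "1.1.9.2"

def parse_version(text, width=4):
    """Turn '1.1.9.1' into (1, 1, 9, 1); missing components become 0 (assumption)."""
    parts = text.strip().split(".")
    ok = all(p.isascii() and p.isdigit() for p in parts)
    if not ok or len(parts) > width:
        raise ValueError(f"unrecognized ACS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(version):
    """True if the version falls inside one of the bulletin's ranges (read as inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def three_digit_check_sees_update(installed, latest=FIXED_VERSION):
    """Model (assumption) of an update check that compares only the first three components."""
    return parse_version(latest)[:3] > parse_version(installed)[:3]

def audit(inventory):
    """Map host -> (affected, update_check_would_notify); (None, None) means manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = (is_affected(version), three_digit_check_sees_update(version))
        except ValueError:
            report[host] = (None, None)  # version string could not be parsed
    return report

# Constructed sample inventory with hypothetical host names.
SAMPLE_INVENTORY = {
    "ws-acct-01": "1.1.9.1",   # affected, and the three-digit check stays silent
    "ws-acct-02": "1.1.9.2",   # fixed
    "ws-ops-07": "1.1.8.8",    # affected, update check would notify
    "ws-dev-03": "1.1.3",      # affected, three-component version string
    "ws-lab-09": "unknown",    # unparseable, needs manual review
}

if __name__ == "__main__":
    for host, (affected, notified) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} affected={affected} update_check_notifies={notified}")
```

Hosts reported as affected with no update notification are the ones that stay on 1.1.9.1 unless the version is checked some other way.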

The Guide at a glance: There are new defectives this week (04/22/23). Here is the defective PTF rundown, which is the last defective for each release:

Release  Defect Date  Defective PTF  APAR     Fixing PTF
-------  -----------  -------------  -------  ----------
7.5      02/24/23     MF70751        MA50112  MF70868 (When available)
7.4      02/24/23     MF70747        MA50112  MF70861 (When available)
7.3      02/22/23     MF70677        MA50059  MF70736 (When available) MF70600 MF70440

Be sure to access the link in the Guide for further details.

Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:

April 22, 2023: Volume 25, Number 17

April 15, 2023: Volume 25, Number 16

April 8, 2023: Volume 25, Number 15

April 1, 2023: Volume 25, Number 14

March 25, 2023: Volume 25, Number 13

March 18, 2023: Volume 25, Number 12

March 11, 2023: Volume 25, Number 11

March 4, 2023: Volume 25, Number 10

February 25, 2023: Volume 25, Number 9

February 18, 2023: Volume 25, Number 8

February 13, 2023: Volume 25, Number 7

February 4, 2023: Volume 25, Number 6

January 28, 2023: Volume 25, Number 5

January 21, 2023: Volume 25, Number 4

January 14, 2023: Volume 25, Number 3

January 7, 2023: Volume 25, Number 2

January 1, 2023: Volume 25, Number 1

December 10, 2022: Volume 24, Number 50

December 3, 2022: Volume 24, Number 49

November 26, 2022: Volume 24, Number 48

November 19, 2022: Volume 24, Number 47

November 12, 2022: Volume 24, Number 46

November 5, 2022: Volume 24, Number 45

October 29, 2022: Volume 24, Number 44

October 22, 2022: Volume 24, Number 43

October 15, 2022: Volume 24, Number 42

October 8, 2022: Volume 24, Number 41

October 1, 2022: Volume 24, Number 40

September 24, 2022: Volume 24, Number 39

September 17, 2022: Volume 24, Number 38

September 10, 2022: Volume 24, Number 37

September 3, 2022: Volume 24, Number 36

August 27, 2022: Volume 24, Number 35

August 20, 2022: Volume 24, Number 34

August 13, 2022: Volume 24, Number 33

August 6, 2022: Volume 24, Number 32

July 30, 2022: Volume 24, Number 31

July 23, 2022: Volume 24, Number 30

July 16, 2022: Volume 24, Number 29

July 9, 2022: Volume 24, Number 28

June 25, 2022: Volume 24, Number 26

June 18, 2022: Volume 24, Number 25

June 11, 2022: Volume 24, Number 24

June 4, 2022: Volume 24, Number 23

May 28, 2022: Volume 24, Number 22

May 25, 2022: Volume 24, Number 21

May 14, 2022: Volume 24, Number 20

May 7, 2022: Volume 24, Number 19

April 30, 2022: Volume 24, Number 18

April 23, 2022: Volume 24, Number 17

April 16, 2022: Volume 24, Number 16

April 2, 2022: Volume 24, Number 14

March 26, 2022: Volume 24, Number 13

March 19, 2022: Volume 24, Number 12

March 12, 2022: Volume 24, Number 11

March 5, 2022: Volume 24, Number 10

February 26, 2022: Volume 24, Number 9

February 19, 2022: Volume 24, Number 8

February 12, 2022: Volume 24, Number 7

February 5, 2022: Volume 24, Number 6

January 29, 2022: Volume 24, Number 5

January 22, 2022: Volume 24, Number 4

January 15, 2022: Volume 24, Number 3

January 8, 2022: Volume 24, Number 2

January 1, 2022: Volume 24, Number 1

December 6, 2021: Volume 23, Number 48

November 20, 2021: Volume 23, Number 47

November 13, 2021: Volume 23, Number 46

November 6, 2021: Volume 23, Number 45

October 30, 2021: Volume 23, Number 44

October 23, 2021: Volume 23, Number 43

October 16, 2021: Volume 23, Number 42

October 9, 2021: Volume 23, Number 41

October 2, 2021: Volume 23, Number 40

September 25, 2021: Volume 23, Number 39

September 18, 2021: Volume 23, Number 38

September 11, 2021: Volume 23, Number 37

September 4, 2021: Volume 23, Number 36

August 28, 2021: Volume 23, Number 35

August 21, 2021: Volume 23, Number 34

August 14, 2021: Volume 23, Number 33

August 7, 2021: Volume 23, Number 32

July 31, 2021: Volume 23, Number 31

July 24, 2021: Volume 23, Number 30

July 17, 2021: Volume 23, Number 29

July 10, 2021: Volume 23, Number 28

July 3, 2021: Volume 23, Number 27

June 26, 2021: Volume 23, Number 26

June 19, 2021: Volume 23, Number 25

June 12, 2021: Volume 23, Number 24

June 5, 2021: Volume 23, Number 23

June 5, 2021: Volume 23, Number 22

May 22, 2021: Volume 23, Number 21

May 15, 2021: Volume 23, Number 20

May 8, 2021: Volume 23, Number 19

May 1, 2021: Volume 23, Number 18

April 24, 2021: Volume 23, Number 17

April 17, 2021: Volume 23, Number 16

April 10, 2021: Volume 23, Number 15

April 3, 2021: Volume 23, Number 14