IBM i PTF Guide, Volume 25, Number 21

May 22, 2023 Doug Bidwell

As we report elsewhere in this week’s edition of The Four Hundred, there is a critical security vulnerability in the PowerVM hypervisor when it is running on Power9 and Power10 systems.

This HIPER/Pervasive patch is described as fixing this: An internally discovered vulnerability in PowerVM on Power9 and Power10 systems could allow an attacker with privileged user access to a logical partition to perform an undetected violation of the isolation between logical partitions which could lead to data leakage or the execution of arbitrary code in other logical partitions on the same physical server.

The Common Vulnerability and Exposure number is CVE-2023-30438, which you can read about here. The MH PTFs for the systems without HMCs (Standalone systems) is/are expected on Monday, May 22 – we will publish details in the next edition of the IBM i PTF Guide. Keep an eye on this document for latest information from IBM.

There is also Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364), which you can read about here. Affected products: Versions 17.0.0.3 – 23.0.0.1.

Sorry it took us a few extra days to get this edition of the IBM i PTF Guide out the door. This week, you have three security vulnerabilities and one end of the road for updates to WebSphere Application Server V8.5. Let’s deal with the WebSphere situation first.

IBM WebSphere Application Server V8.5 Group PTFs for IBM i operating system will no longer be released. You can read more about it here. Here are the final IBM i Group PTF levels containing the 8.5.5.23 fix pack level:

IBM i 7.4: SF99661 level 10
IBM i 7.3: SF99581 level 16
IBM i 7.2: SF99481 level 23

Now, let’s go through the security issues.

First, we have Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161), which you can find out more about here.

Affected Product(s)							Version(s)	Plug-in Version
IBM WebSphere Application Server with Web Server Plug-ins		9.0		8.5, 9.0
IBM WebSphere Application Server with Web Server Plug-ins		8.5		8.5, 9.0
IBM WebSphere Application Server Liberty with Web Server Plug-ins		17.0.0.3 - current	8.5, 9.0

Second, there is Security Bulletin: IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554), and more details are available here.

Affected Product(s)			Version(s)
IBM WebSphere Application Server	9.0
IBM WebSphere Application Server	8.5

And third, there is Security Bulletin: OpenSSL for IBM i is vulnerable to denial of service attacks and the ability for remote attacker to obtain sensitive information due to multiple vulnerabilities, with more information at this link. The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed. The IBM i PTF numbers for OpenSSL in 5733-SC1 contain the fixes for the vulnerabilities.

IBM i Release	5733-SC1	PTF Number
7.5			SI83245	
7.4, 7.3, 7.2			SI83194

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.5:

HIPERs (High Impact/Pervasive)
IBM HTTP Server for i
IBM DB2 Mirror for i
DB2 for IBM i
SAP support required PTF list for IBM i 7.5

PTF Groups 7.4:

HIPERs (High Impact/Pervasive)
Security
DB2 for IBM i
IBM Db2 Mirror for i
IBM HTTP Server for i
SAP support required PTF list for IBM i 7.4

PTF Groups 7.3:

MQ for IBM i – v7.1.0/v8.0.0/V9.0.0/V9.1/V9.2
HIPERs (High Impact/Pervasive)
Security
IBM HTTP Server for i
SAP Support Required PTF List for IBM i 7.3

Tip O’ The Week: The “Help” About, Check for Updates only checks the first three digits. If you are on ACS 1.1.9.1, checking for updates will not tell you about 1.1.9.2 . . . .

New (or Updated) links added to the ‘Links’ tab in the guide this week:

Nothing

New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:

Nein

New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:

Nuthin’

New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:

Nothing here, either

New (or Updated) links Redbooks added this week:

Nothing here as well

The Guide at a glance: There are new defectives this week (05/20/23). Here is the defective PTF rundown, which is the last defective for each release:

Defective PTF rundown (The last defective for each release):

	Defect		Defective	APAR	Fixing
	Date		PTF			PTF
	--------	--------	-------	-------
7.5	02/24/23	MF70751		MA50112	MF70868 (When available)
7.4	02/24/23	MF70747		MA50112	MF70861 (When available)
7.3	02/22/23	MF70677		MA50059	MF70736 (When available)
			MF70600
			MF70440

Be sure to access the link in the Guide for further details.

Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:

May 20, 2023: Volume 25, Number 21

May 13, 2023: Volume 25, Number 20

May 6, 2023: Volume 25, Number 19

April 29, 2023: Volume 25, Number 18

April 22, 2023: Volume 25, Number 17

April 15, 2023: Volume 25, Number 16

April 8, 2023: Volume 25, Number 15

April 1, 2023: Volume 25, Number 14

March 25, 2023: Volume 25, Number 13

March 18, 2023: Volume 25, Number 12