A Hacker’s Dozen: 11 New Security Vulns Reported in IBM i

    August 23, 2023 Alex Woodie

    IBM on August 18 reported 11 new security vulnerabilities in IBM i’s Java stack, including two critical Java flaws that should be patched immediately. The new batch of vulns continues what has been an active summer for security flaws on the platform.

    IBM revealed the existence of the 11 Java security flaws in IBM i version 7.2 through 7.5 and the availability of emergency program temporary fixes (PTFs) on the security bulletin section of its IBM Product Security Central webpage.

    The security bulletin lists 11 flaws, CVE-2022-21426 through CVE-2023-21968, affecting various components of the Java stack, including the Java Software Development Kit (SDK) and the Java Runtime for IBM i. According to IBM’s website, the flaws could expose IBM i users to a variety of threats, including denial of service (DoS) attacks and loss of availability, integrity, and confidentiality of data.

    The most severe flaw is CVE-2023-21930, an unspecified vulnerability in Oracle Java SE (Standard Edition) and Oracle GraalVM Enterprise Edition that’s related to the Java Secure Socket Extension (JSSE) component. This flaw could allow an unauthenticated attacker to cause a high confidentiality impact and a high integrity impact, and carries a CVSS Base score of 7.4 (on a scale of 10).

    The second critical flaw is CVE-2023-2597, which is described as a buffer overflow in Eclipse OpenJ9 caused by improper bounds checking. A local authenticated attacker could overflow a buffer and execute arbitrary code on the system by using specially crafted input, the security alert says. This flaw carries a CVSS Base score of 7.

    Several other flaws carry moderate impacts, including CVE-2023-21967 and CVE-2023-21954, which carry CVSS Base scores of 5.9; and CVE-2022-21426, CVE-2023-21939, and CVE-2023-21830, with CVSS Base scores of 5.3. Four other flaws have a score of 3.7.

    There are no workarounds for any of these flaws, and users are encouraged to apply the available PTFs immediately. For each operating system release, there is a single PTF that will fix all 11 Java flaws. See this security bulletin for links to download the PTFs.

    IBM also gave this warning to users who run their own Java code: “If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code.”

    It’s been an active summer for security flaws on IBM i. Going back to May 1, there have been 28 individual security flaws impacting IBM i, according to a search of security bulletins on IBM’s Product Security Central. Many of these flaws impact open source components, such as Java and OpenSSL, which tend to attract the most attention from hackers. But many of the flaws have also impacted core components of the IBM i stack, including DDM, Performance Tools, and Facsimile Report.

    All told, the year has brought 52 known vulnerabilities to the IBM i platform. With more than four months left, that number is sure to grow.

    RELATED STORIES

    Midsummer Security Indicators: Hot and Gloomy

    A Decade of Data Breaches: Some Things Never Change

    Serious New IBM i Vulns Exposed by Silent Signal – More On the Way

    New “High Priority” DDM Vulnerability Affects IBM i


    Tags: IBM i, Java, Java Runtime for IBM i, Java Secure Socket Extension, Java Software Development Kit, OpenSSL, PTF


TFH Volume: 33 Issue: 52
