  • IBM i PTF Guide, Volume 26, Number 16

    April 22, 2024 Doug Bidwell

    It is an interesting time out there in PTF Land, so brace yourself. There are four security bulletins and two security warnings about potential denial of service vulnerabilities. Let’s do the security bulletins first and then the denial of service issues.

    First, we have Security Bulletin: IBM i Access Client Solutions is vulnerable to an infinite loop or out of memory error due to vulnerabilities in Apache Commons Compress, which you can find out more about at this link. The affected product(s) include IBM i Access Family versions 1.1.2 – 1.1.4, and versions 1.1.4.3 – 1.1.9.4. The issue can be fixed by upgrading to version 1.1.9.5 or later.

    Second, we have Security Bulletin: IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks in Apache Mina SSHD Common (CVE-2023-48795), which you can see more details of at this link. Once again, the affected product(s) include IBM i Access Family versions 1.1.2 – 1.1.4, and versions 1.1.4.3 – 1.1.9.4. And once again, the issue can be fixed by upgrading to version 1.1.9.5 or later. (Are you sensing a theme here?)

    Third, we have Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to server-side request forgery (CVE-2024-22329), which you can look at here. The affected products include:

    Affected Product(s)                         Version(s)
    IBM WebSphere Application Server            8.5
    IBM WebSphere Application Server            9.0
    IBM WebSphere Application Server Liberty    17.0.0.3 - 24.0.0.3
    

    Fourth, we have Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354), which you can find out more about here and which affects the same releases of WAS as mentioned above.

    Here is one you need to know about, which is PH60146: IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-27268 CVSS 5.9). See this link for more information.

    And here is another one you need to keep your eye on, which is PH60195: OIDC v1.5.2; IBM WebSphere Application Server is vulnerable to a denial of service due to jose4j (CVE-2023-51775 CVSS 7.5). You can get more information here on this issue with WAS. The fix for PH60195 is targeted for inclusion in fix pack 8.5.5.26 and 9.0.5.20.

    Here is the rundown of PTF Groups by IBM i release level since we last published:

    PTF Groups 7.5:

    • HIPERs (High Impact/Pervasive)
    • QMGTOOLS

    PTF Groups 7.4:

    • HIPERs (High Impact/Pervasive)
    • High Availability for IBM i
    • Performance Tools
    • QMGTOOLS

    PTF Groups 7.3:

    • HIPERs (High Impact/Pervasive)
    • Backup Recovery Solutions
    • Performance Tools
    • TCP/IP
    • QMGTOOLS

    Tip O’ The Week: PCAP/WireShark: How to format IBM i TRCCNN and CMNTRC communication traces to .pcap files (Wireshark format), 667611. Find out more at this link.

    New (or Updated) links added to the ‘Links’ tab in the guide this week:

    • None

    New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:

    • None

    New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:

    • None

    New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:

    • None

    New (or Updated) Redbooks links added this week:

    • None

    The Guide at a glance: There are new defectives this week (04/20/24). Here is the defective PTF rundown, which is the last defective for each release:

    Release  Defect Date  Defective PTF  APAR     Fixing PTF
    -------  -----------  -------------  -------  ------------------------
    7.5      03/29/24     SI84775        SE80564  SI85069 (When available)
    7.4      03/05/24     MF71521        MA50510  MF71656 (When available)
    7.3      01/10/24     SI85576        SE81023  SI85663 (When available)
    

    Be sure to access the link in the Guide for further details.

    Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:

    April 20, 2024: Volume 26, Number 16

    April 13, 2024: Volume 26, Number 15

    April 6, 2024: Volume 26, Number 14

    March 30, 2024: Volume 26, Number 13

    March 24, 2024: Volume 26, Number 12

    March 16, 2024: Volume 26, Number 11

    March 9, 2024: Volume 26, Number 10

    March 2, 2024: Volume 26, Number 9

    February 24, 2024: Volume 26, Number 8

    February 17, 2024: Volume 26, Number 7

    February 10, 2024: Volume 26, Number 6

    February 3, 2024: Volume 26, Number 5

    January 27, 2024: Volume 26, Number 4

    January 20, 2024: Volume 26, Number 3

    January 13, 2024: Volume 26, Number 2

    January 6, 2024: Volume 26, Number 1

    December 30, 2023: Volume 25, Number 53

    December 23, 2023: Volume 25, Number 52

    December 16, 2023: Volume 25, Number 51

    December 9, 2023: Volume 25, Number 50

    December 2, 2023: Volume 25, Number 49

    November 25, 2023: Volume 25, Number 48

    November 18, 2023: Volume 25, Number 47

    November 11, 2023: Volume 25, Number 46

    November 4, 2023: Volume 25, Number 45

    October 28, 2023: Volume 25, Number 44

    October 21, 2023: Volume 25, Number 43

    October 14, 2023: Volume 25, Number 42

    October 7, 2023: Volume 25, Number 41

    September 30, 2023: Volume 25, Number 40

    September 23, 2023: Volume 25, Number 39

    September 16, 2023: Volume 25, Number 38

    September 9, 2023: Volume 25, Number 37

    September 2, 2023: Volume 25, Number 36

    August 26, 2023: Volume 25, Number 35

    August 19, 2023: Volume 25, Number 34

    August 12, 2023: Volume 25, Number 33

    August 5, 2023: Volume 25, Number 32

    July 29, 2023: Volume 25, Number 31

    July 22, 2023: Volume 25, Number 30

    July 15, 2023: Volume 25, Number 29

    July 8, 2023: Volume 25, Number 28

    July 1, 2023: Volume 25, Number 27

    June 24, 2023: Volume 25, Number 26

    June 17, 2023: Volume 25, Number 25

    June 10, 2023: Volume 25, Number 24

    June 3, 2023: Volume 25, Number 23

    May 27, 2023: Volume 25, Number 22

    May 20, 2023: Volume 25, Number 21

    May 13, 2023: Volume 25, Number 20

    May 6, 2023: Volume 25, Number 19

    April 29, 2023: Volume 25, Number 18

    April 22, 2023: Volume 25, Number 17

    April 15, 2023: Volume 25, Number 16

    April 8, 2023: Volume 25, Number 15

    April 1, 2023: Volume 25, Number 14

    March 25, 2023: Volume 25, Number 13

    March 18, 2023: Volume 25, Number 12

    March 11, 2023: Volume 25, Number 11

    March 4, 2023: Volume 25, Number 10

    February 25, 2023: Volume 25, Number 9

    February 18, 2023: Volume 25, Number 8

    February 13, 2023: Volume 25, Number 7

    February 4, 2023: Volume 25, Number 6

    January 28, 2023: Volume 25, Number 5

    January 21, 2023: Volume 25, Number 4

    January 14, 2023: Volume 25, Number 3

    January 7, 2023: Volume 25, Number 2

    January 1, 2023: Volume 25, Number 1

    December 10, 2022: Volume 24, Number 50

    December 3, 2022: Volume 24, Number 49

    November 26, 2022: Volume 24, Number 48

    November 19, 2022: Volume 24, Number 47

    November 12, 2022: Volume 24, Number 46

    November 5, 2022: Volume 24, Number 45

    October 29, 2022: Volume 24, Number 44

    October 22, 2022: Volume 24, Number 43

    October 15, 2022: Volume 24, Number 42

    October 8, 2022: Volume 24, Number 41

    October 1, 2022: Volume 24, Number 40

    September 24, 2022: Volume 24, Number 39

    September 17, 2022: Volume 24, Number 38

    September 10, 2022: Volume 24, Number 37

    September 3, 2022: Volume 24, Number 36

    August 27, 2022: Volume 24, Number 35

    August 20, 2022: Volume 24, Number 34

    August 13, 2022: Volume 24, Number 33

    August 6, 2022: Volume 24, Number 32

    July 30, 2022: Volume 24, Number 31

    July 23, 2022: Volume 24, Number 30

    July 16, 2022: Volume 24, Number 29

    July 9, 2022: Volume 24, Number 28

    June 25, 2022: Volume 24, Number 26

    June 18, 2022: Volume 24, Number 25

    June 11, 2022: Volume 24, Number 24

    June 4, 2022: Volume 24, Number 23

    May 28, 2022: Volume 24, Number 22

    May 25, 2022: Volume 24, Number 21

    May 14, 2022: Volume 24, Number 20

    May 7, 2022: Volume 24, Number 19

    April 30, 2022: Volume 24, Number 18

    April 23, 2022: Volume 24, Number 17

    April 16, 2022: Volume 24, Number 16

    April 2, 2022: Volume 24, Number 14

TFH Volume: 34 Issue: 21


Copyright © 2025 IT Jungle