IBM i PTF Guide, Volume 26, Number 16

Doug Bidwell

It is an interesting time out there in PTF Land, so brace yourself. There are four security bulletins and two security warnings about potential denial of service vulnerabilities. Let’s do the security bulletins first and then the denial of service issues.

First, we have Security Bulletin: IBM i Access Client Solutions is vulnerable to an infinite loop or out of memory error due to vulnerabilities in Apache Commons Compress, which you can find out more about at this link. The affected product(s) include IBM i Access Family versions 1.1.2 – 1.1.4, and versions 1.1.4.3 – 1.1.9.4. The issue can be fixed by upgrading to version 1.1.9.5 or later.

Second, we have Security Bulletin: IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks in Apache Mina SSHD Common (CVE-2023-48795), which you can see more details of at this link. Once again, the affected product(s) include IBM i Access Family versions 1.1.2 – 1.1.4, and versions 1.1.4.3 – 1.1.9.4. And once again, the issue can be fixed by upgrading to version 1.1.9.5 or later. (Are you sensing a theme here?)

Third, we have Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to server-side request forgery (CVE-2024-22329), which you can look at here. The affected products include:

Affected Product(s)                         Version(s)
IBM WebSphere Application Server            8.5
IBM WebSphere Application Server            9.0
IBM WebSphere Application Server Liberty    17.0.0.3 - 24.0.0.3

Fourth, we have Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354), which you can find out more about here and which affects the same releases of WAS as mentioned above.

Here is one you need to know about, which is PH60146: IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-27268, CVSS 5.9). See this link for more information.

And here is another one you need to keep your eye on, which is PH60195: OIDC v1.5.2; IBM WebSphere Application Server is vulnerable to a denial of service due to jose4j (CVE-2023-51775, CVSS 7.5). You can get more information here on this issue with WAS. The fix for PH60195 is targeted for inclusion in fix packs 8.5.5.26 and 9.0.5.20.

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.5:

HIPERs (High Impact/Pervasive)

QMGTOOLS

PTF Groups 7.4:

HIPERs (High Impact/Pervasive)

High Availability for IBM i

Performance Tools

QMGTOOLS

PTF Groups 7.3:

HIPERs (High Impact/Pervasive)

Backup Recovery Solutions

Performance Tools

TCP/IP

QMGTOOLS

Tip O’ The Week: PCAP/Wireshark: How to format IBM i TRCCNN and CMNTRC communication traces to .pcap files (Wireshark format), 667611. Find out more at this link.

New (or Updated) links added to the ‘Links’ tab in the guide this week:

None

New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:

None

New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:

None

New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:

None

New (or Updated) links Redbooks added this week:

None

The Guide at a glance: There are new defectives this week (04/20/24). Here is the defective PTF rundown, which is the last defective for each release:

Release   Defect Date   Defective PTF   APAR      Fixing PTF
-------   -----------   -------------   -------   ------------------------
7.5       03/29/24      SI84775         SE80564   SI85069 (When available)
7.4       03/05/24      MF71521         MA50510   MF71656 (When available)
7.3       01/10/24      SI85576         SE81023   SI85663 (When available)

Be sure to access the link in the Guide for further details.

