IBM i PTF Guide, Volume 27, Number 20

May 19, 2025 Doug Bidwell

Brace yourselves, everyone. There are seven security vulnerabilities that you have to pay attention to this week for the IBM i platform. Remember, as security guru Carol Woodbury is fond of saying: the IBM i platform is not the most secure platform in the world, but the most securable platform in the world. You must be ever-vigilant and keep it secure by patching holes and killing bugs.

So, without further fuss, let’s dive in and take them in order.

One is Security Bulletin: IBM i is vulnerable to a machine-in-the-middle attack due to mishandling error codes when verifying the host key by OpenSSH. [CVE-2025-26465]. More information at this link. The IBM i 5733-SC1 PTF number resolves the vulnerability, as follows:

IBM i Release	  5733-SC1
PTF Number	  PTF
7.6	          SJ05440	
7.5	          SJ05424	
7.4, 7.3, 7.2	  SJ05423

Two is Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the April 2025 CPU. More information at this link. There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty.

Three is Security Bulletin: This Power System update is being released to address CVE-2024-2511. More information at this link. The OpenSSL package is used by the Virtualization Management Interface in PowerVM to support network communication with the Hardware Management Console. This bulletin provides a remediation for the impacted vulnerability, CVE-2024-2511, by upgrading PowerVM and thus addressing the exposure to the kernel vulnerability.

Four is Security Bulletin: IBM i is vulnerable to a privilege escalation vulnerability in IBM TCP/IP Connectivity Utilities for i [CVE-2025-33103]. More information at this link. Patches are as below:

IBM i Release	5770-TC1	PTF Number
7.6			        SJ05513
7.5			        SJ05494
7.4			        SJ05505
7.3			        SJ05514
7.2			        SJ05525

Five is Security Bulletin: Vulnerability in OpenSSL (CVE-2024-13176) affects PowerVM. More information at this link. Check link for details on remediation.

Six is Security Bulletin: This Power System update is being released to address CVE-2024-41007. More information at this link. Check link for details on remediation.

And finally, lucky number Seven is Security Bulletin: IBM WebSphere Application Server is affected by a cross-site scripting vulnerability (CVE-2025-33104). More information at this link. The affected products are IBM WebSphere Application Server 8.5 and 9.0. Check link for details on remediation.

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.6:

SAP Support Required PTF List for IBM i 7.6

PTF Groups 7.5:

None

PTF Groups 7.4:

None

PTF Groups 7.3:

None

Tip O’ The Week, or Month more like: On April 18, Java 21 became generally available and is required by some licensed program products in the IBM i 7.6 stack. See more at this link. IBM Technology for Java 21 is released on IBM i 7.6 as option 21 (Java 21 64-bit) of product 5770-JV1. Here are the instructions on how to use Java 21 on IBM i:

Download Java 21 from the Entitled Software Support(ESS)
Install option 21 of 5770JV1 from the OS install image (i7.6). Refer to Download, Installation, and Usage of Java 21 on the IBM i OS for detailed information.
PTF Group SF99965 level 1 or higher is required for i 7.6.
Set JAVA_HOME to /QOpenSys/QIBM/ProdData/JavaVM/jdk21/64bit before invoking the Java.

New (or Updated) links added to the ‘Links’ tab in The Guide this week:

None

New (or Updated) links added to the ‘QMGtools’ tab in The Guide this week:

None

New (or Updated) links added to the ‘ACS_NAV’ tab in The Guide this week:

pkg mgmnt: Network Connections used by IBM i ACS Open Source Package Management, 6617443
pkg mgmnt: Getting started with Open Source Package Management in IBM i ACS, 706903
open source: IBM i Open Source Resources, N/A

New (or Updated) links added to the ‘Prtr Links’ tab in The Guide this week:

None

New (or Updated) links Redbooks added this week:

None

New (or Updated) stuff added to REF tab in The Guide this week:

None

New (or Updated) links in the TAPE tab in The Guide this week:

None

New (or Updated) links in the WAS tab in The Guide this week:

WAS: How To Install the IBM WebSphere Application Server (WAS) v8.0 and Later Product Using the IBM Web Administration for i Console, 645349 (Video)

The Guide at a glance: There were new defectives the week of 05/17/25. Defective PTF rundown – the latest defective for each release. Click on the Defective PTF link for your release in the Guide:

	Defect		Defective	APAR		Fixing
	Date		PTF				PTF
	--------	--------	---------	-----------------------	
7.6	No Entries										
7.5	05/14/25	SJ04698	        DT437849	SJ05538 (When available)(read the recommendations)
			SJ01967 			Read the cover letter-prerequisites!                   
7.4	05/14/25	SJ04446	        DT437849	SJ05537	Same as above, Please read the cover letter. (When available)(read the recommendations)
							Read the cover letter-prerequisites!
7.3	01/27/25	SJ03169	         DT422375	SJ03786 (When available)(read the recommendations)

Be sure to access the link in The Guide for further details.

Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:

May 17, 2025: Volume 27, Number 20

May 10, 2025: Volume 27, Number 19

May 3, 2025: Volume 27, Number 18

April 26, 2025: Volume 27, Number 17

April 21, 2025: Volume 27, Number 16

April 12, 2025: Volume 27, Number 15

April 5, 2025: Volume 27, Number 14

March 29, 2025: Volume 27, Number 13

March 22, 2025: Volume 27, Number 12

March 15, 2025: Volume 27, Number 11