• The Four Hundred
  • Summer of IBM i Vulnerabilities

    September 18, 2024 Alex Woodie

    IBM has patched more than two dozen software vulnerabilities in the IBM i stack over the past few months, including flaws in Merlin, MQ, OpenSSH, the Java stack, Db2, Performance Tools, and the HTTP Server (the one powered by Apache). Nine of the security vulnerabilities carry CVSS Base scores of 7 or higher, while one is above 8, making these serious security threats. If you haven’t applied the patches yet, you’re encouraged to do it soon.

    Working backwards from the most recent security bulletins, we start with September 5, when IBM issued patches for three vulnerabilities in Merlin, which officially …

  • Guru: Web Concepts For The RPG Developer, Part 3

    July 22, 2024 Chris Ringer

    Greetings everyone. Parts one and two of this series were both an introduction to building components in an HTTP request. In part three, we will begin to connect the dots and discuss how to asymmetrically sign a simple string. If you ever need to send a secure HTTP request to a government agency or financial institution, you likely will authenticate with a signed token. So, here we go!

    Base64 Take Two

    In part one, the SQL scalar function BASE64_ENCODE embedded in RPG converted a string to base64. This technique will cover most use cases, but what if you need …

  • Guru: Web Concepts For The RPG Developer, Part 2

    June 10, 2024 Chris Ringer

    Hello again! Part 1 of Web Concepts for the RPG Developer was an introduction on how to build components in an HTTP request and I hope you enjoyed it. Part 2 is just a continuation of that vast topic because there is so much to learn. I encourage you to click on the links in this article and explore on your own too.

    JSON

    A web API endpoint may require the data in the body of an HTTP POST request to be constructed as JSON (“jay sahn,” short for JavaScript Object Notation). JSON is formatted text (a string) containing key:value …

  • Guru: Web Concepts For The RPG Developer, Part 1

    April 22, 2024 Chris Ringer

    Way back in the 1990s, I recall accessing data with only RPG III F-Specs. But nowadays some of that critical data may live in the cloud. The good news is tools like HTTPAPI and RXS and SQL functions like SQL HTTP are available to access that remote data from the IBM i. But what you may not know is how to actually format components in those HTTP requests.

    Here I will discuss some techniques to build those components in an HTTP request before sending it across the web.

    HTTP Get Versus Post

    The two most common methods for an HTTP …

  • Zero-Day Vulnerability in Fortra’s GoAnywhere MFT Being Actively Exploited

    February 15, 2023 Alex Woodie

    A critical security vulnerability in Fortra’s (formerly HelpSystems) managed file transfer (MFT) solution, GoAnywhere MFT, is being actively exploited to steal data from companies and possibly even to spread ransomware, according to published reports. Fortra told customers to consider every managed credential in their GoAnywhere environment to be compromised, shut down cloud instances of the service, and issued an emergency patch for the zero-day security vulnerability.

    Security reporter Brian Krebs was the first to share news of the vulnerability, which is described as a remote code injection flaw that requires administrative console access for successful exploitation. In a February 2 post …

  • Log4j Hits Heritage Version of Navigator for i – No Patch Coming

    January 12, 2022 Alex Woodie

    IBM i shops running the old version of the Navigator for i client should be aware that the software is vulnerable to the Log4j security vulnerability, and there will be no patch to fix it, IBM says in a new security bulletin. There will, however, be fixes coming to other vulnerable components, including IWS, IAS, and IBM i Access Client Solutions (ACS), IBM says.

    Just before we hit the holiday break, the extremely severe Apache Log4j security vulnerability was disclosed to the world, resulting in a frantic effort to patch servers, desktops, refrigerators – just about anything with a …

  • IBM Patches Nine Security Flaws in IBM i

    September 29, 2021 Alex Woodie

    IBM issued three security bulletins Friday alerting IBM i users to the availability of patches for nine newly disclosed security vulnerabilities in OpenSSL, HTTP Server, and WebSphere Liberty components. Some of the vulnerabilities are potentially serious and should be patched immediately.

    IBM patched two security flaws in its OpenSSL API that potentially could have devastating consequences on impacted systems, including enabling a hacker to take over the server, read sensitive information, and execute a denial of service (DoS) attack. IBM patched these flaws in IBM i 7.1 through 7.4, according to the security bulletin, which you can read …

  • Kisco Locks Down IBM i Report Distribution

    October 28, 2020 Alex Woodie

    Users will gain more control over how their IBM i spool files are distributed and displayed with a new release of WebReport/i, Kisco Information Systems’ utility for automatically reformatting and distributing spool files.

    WebReport/i can reformat IBM i spool files in a variety of different ways. It can change them into HTML, RTF, PDF, XLS, XLSX, TIF or CSV formats, and it can also distribute them via HTTP, FTP, email, Google Drive, Dropbox, and even fax.

    With Release 14, which was unveiled earlier this month, Kisco has shored up the security of the product. Specifically, when posting …

  • IBM i PTF Guide, Volume 22, Number 28

    July 20, 2020 Doug Bidwell

    The action never stops here at the IBM i PTF Guide. Which is probably a good thing because if a platform isn’t being constantly updated, expanded, tweaked, and fixed, then it probably is not going to live for much longer in this fast-changing world. No one can say that about the IBM i platform. Nope.

    So for you security buffs, check this out. Security Bulletin: BIND for IBM i is affected by CVE-2020-8616 and CVE-2020-8617, which has an insanely long link buried here. The link above provides details, but the gist of it is also here by release: …

  • Why You Need To Implement Exit Point Security – Now

    June 15, 2020 Rich Loeber

    As everyone knows, the only truly secure computer is one that is not networked to any other system or any client, and that has no users doing anything at all on the system. And if you really want to be honest about it, you should probably turn its power off. Then, it would be perfectly secure – and perfectly useless as well.

    To make any system useful, it has to be opened up so it can be reached by the world, and it may be hard to remember this now, three decades after the client/server and Internet revolutions, but there …



Copyright © 2025 IT Jungle