• The Four Hundred
  • Summer of IBM i Vulnerabilities

    September 18, 2024 Alex Woodie

    IBM has patched more than two dozen software vulnerabilities in the IBM i stack over the past few months, including flaws in Merlin, MQ, OpenSSH, the Java stack, Db2, Performance Tools, and the HTTP Server (the one powered by Apache). Nine of the security vulnerabilities carry CVSS Base scores of 7 or higher, while one is above 8, making these serious security threats. If you haven’t applied the patches yet, you’re encouraged to do it soon.

    Working backwards from the most recent security bulletins, we start with September 5, when IBM issued patches for three vulnerabilities in Merlin, which officially …

  • April Showers Bring May IBM i Security Vulnerabilities

    May 8, 2024 Alex Woodie

    IBM has patched more than a dozen security flaws in IBM i and related products this spring, including serious flaws in the operating system proper and the compilers, and a critical vulnerability in Administration Runtime Expert that landed a nearly perfect CVSS Base score.

    In the interest of time, let’s cover the security vulnerabilities in descending order of severity. That means we’re starting with the worst and then moving on to the slightly less worse.

    ARE Flaw

    The flaw reported in the Administration Runtime Expert for i (ARE), which IBM launched in 2010 to make it easier to manage IBM …

  • More Critical Security Vulns Reported In IBM i Components

    March 4, 2024 Alex Woodie

    The run of serious security vulnerabilities in IBM i components continues in early 2024, as IBM reported 10 new flaws across OpenSSH, the Apache Web Server, ISC, and Facsimile Support for IBM i in February and early March. All of the flaws impact IBM i 7.2 through 7.5 and all have been patched by IBM via PTFs.

    The most critical of the recent batch of security flaws exists in OpenSSH, the open source security utility for establishing encrypted communications between hosts and clients. As described by IBM in this February 23 security bulletin, the vulnerability (CVE-2023-51385) is caused …

  • Spooky New Security Vulns Lurking on IBM i

    November 1, 2023 Alex Woodie

    Halloween has come and gone, but the scares will stick around for a while for IBM i administrators, who have been given more than a dozen fixes by IBM to address some pretty serious security vulnerabilities recently revealed in the heart of the operating system, including in spooky old friends Java and OpenSSL.

    On October 27, IBM issued a security bulletin for two CVEs, CVE-2023-40685 and CVE-2023-40686, which describe two separate but related security flaws in the Management Central component of IBM i Navigator in IBM i versions 7.2 through 7.5.

    The first privilege escalation vulnerability, CVE-2023-40685, could …

  • IBM i PTF Guide, Volume 25, Number 37

    September 18, 2023 Doug Bidwell

    There are a few things you can count on in life. Death. Taxes. Coffee. Beer. The love of a good woman. And a seemingly endless barrage of security vulnerabilities for every computing platform on Earth. There are a bunch of the latter that are new to the IBM i platform this week.

    First, we have Security Bulletin: OpenSSL and OpenSSH for IBM i are vulnerable to arbitrary code execution, denial of service, and security restrictions bypass due to multiple vulnerabilities, which you can find out more about at this link. The IBM i PTF number for 5733-SC1 contains the …

  • Guru: The Finer Points of Exit Points

    June 27, 2022 Bruce Bading

    Many years ago, we received a call from an IBM i customer stating that all exit points were gone and the QAUDJRN and receivers were missing. Then the question, “Do you think we’ve been hacked?” Truth was, the exit points weren’t gone; the associated programs had been de-registered. Conclusion: they had most likely been compromised.

    The IBM i platform is a very securable system that can be secured (Secure vs Secured – What’s the difference?, WikiDiff), if you take steps to secure it.

    On the IBM i, a limited number of functions provide an exit so that your …

  • Red Hat’s Ansible Automation Comes To IBM i

    August 3, 2020 Alex Woodie

    Big Blue is now supporting IBM i with Ansible, the open source configuration management software developed by Red Hat. By including IBM i and AIX as a supported target in Ansible, companies that run IBM i will be able to remotely configure and manage IBM i and AIX servers using the same Ansible tools and techniques that they use to manage mainstream X86 and cloud server environments.

    Ansible was created back in 2012 by Michael DeHaan, the author of the Cobbler provisioning server and co-author of the Fedora Unified Network Controller (Func) framework for remote administration. It’s been widely adopted …

  • What’s New With IBM i Customer Support

    September 25, 2019 Alex Woodie

    IBM is making big changes to its support program that will have a major impact on how IBM i customers interact with Big Blue, for both software and hardware support. Two weeks ago it announced that IBM i customers would be switched over from the old IBM Service Request tool to the new IBM My Support site. IBM is also expanding support for open source software on IBM i.

    IBM has been testing the new IBM Support site, www.ibm.com/mysupport, for over a year for various customer groups and geographies. On September 14, the company announced that it was cutting …

  • IBM i PTF Guide, Volume 21, Number 13

    April 3, 2019 Doug Bidwell

    This week in the IBM i PTF Guide, we are obsessing about security. There is a security bulletin out that explains that there are multiple vulnerabilities in IBM Java SDK and IBM Java Runtime that affect IBM i. There is consequently a new Java Group for all three releases – IBM i 7.1, IBM i 7.2, and IBM i 7.3. See this link for further details.

    There is also a separate security bulletin, CVE-2018-14647, relating to Python that affects IBM i, and this affects all three currently supported releases as well. See this link for the scoop. For Python 2.7 …

  • Serious Security Vulns Patched In IBM i

    September 19, 2018 Alex Woodie

    No good deed goes unpunished. Such as it is with cybersecurity, which demands unceasing attention paid to a never-ending stream of flaws and patches as the cost of remaining off the front page. To that end, IBM patched several more security flaws in IBM i last week, including two serious flaws in Node.js, five critical vulnerabilities in Samba, and one moderate flaw in OpenSSH.

    It’s easy to get lulled into a false state of security on the IBM i server, thanks to its unique architecture, cryptic file names, and reputation for strong security. It’s hard enough to find programmers, administrators, …



Copyright © 2025 IT Jungle