  • Summer of IBM i Vulnerabilities

    September 18, 2024 Alex Woodie

    IBM has patched more than two dozen software vulnerabilities in the IBM i stack over the past few months, including flaws in Merlin, MQ, OpenSSH, the Java stack, Db2, Performance Tools, and the HTTP Server (the one powered by Apache). Nine of the security vulnerabilities carry CVSS Base scores of 7 or higher, while one is above 8, making these serious security threats. If you haven’t applied the patches yet, you’re encouraged to do it soon.

    Working backwards from the most recent security bulletins, we start with September 5, when IBM issued patches for three vulnerabilities in Merlin, which officially …

  • Guru: Web Concepts For The RPG Developer, Part 3

    July 22, 2024 Chris Ringer

    Greetings everyone. Parts one and two of this series were both introductions to building the components of an HTTP request. In part three, we will begin to connect the dots and discuss how to asymmetrically sign a simple string. If you ever need to send a secure HTTP request to a government agency or financial institution, you will likely authenticate with a signed token. So, here we go!

    Base64 Take Two

    In part one, the SQL scalar function BASE64_ENCODE embedded in RPG converted a string to base64. This technique will cover most use cases, but what if you need …

  • IBM Patches New Security Vulns In IBM i Components, Power Firmware

    February 12, 2024 Alex Woodie

    IBM has patched a series of moderate security vulnerabilities in IBM i products and Power firmware over the past two weeks. The IBM i flaws span Rational Developer for i (RDi), Access Client Solutions (ACS), and the Java development kit and runtime, while the Power flaw involves PowerVM and its communications with the Hardware Management Console (HMC).

    Concerns over security hit an all-time high in the IBM i community according to the IBM i Marketplace 2024 study conducted by Fortra. The survey found that 79 percent of IBM i professionals considered security a top concern, a 10 percent increase …

  • Old PHP and Other PASE Apps Break on IBM i 7.5

    November 15, 2023 Alex Woodie

    Customers running old versions of PHP and other PASE applications like Node.JS may run into compatibility issues when running on IBM i 7.5. The issue is due to an upgrade in OpenSSL support in the latest release of the IBM i operating system, according to Alan Seiden.

    Seiden, the principal of Seiden Group, first sounded the alarm in July about the problems running older, non-RPM versions of PHP and Node.JS on IBM i 7.5, which was upgraded from OpenSSL version 1.0.2 to version 1.1. In October, he published a blog post restating the issue.

    “While [the OpenSSL upgrade …

  • Spooky New Security Vulns Lurking on IBM i

    November 1, 2023 Alex Woodie

    Halloween has come and gone, but the scares will stick around for a while for IBM i administrators, who have been given more than a dozen fixes by IBM to address some pretty serious security vulnerabilities recently revealed in the heart of the operating system, including in spooky old friends Java and OpenSSL.

    On October 27, IBM issued a security bulletin for two CVEs, CVE-2023-40685 and CVE-2023-40686, which describe two separate but related security flaws in the Management Central component of IBM i Navigator in IBM i versions 7.2 through 7.5.

    The first privilege escalation vulnerability, CVE-2023-40685, could …

  • IBM i PTF Guide, Volume 25, Number 37

    September 18, 2023 Doug Bidwell

    There are a few things you can count on in life. Death. Taxes. Coffee. Beer. The love of a good woman. And a seemingly endless barrage of security vulnerabilities for every computing platform on Earth. There are a bunch of the latter that are new to the IBM i platform this week.

    First, we have Security Bulletin: OpenSSL and OpenSSH for IBM i are vulnerable to arbitrary code execution, denial of service, and security restrictions bypass due to multiple vulnerabilities, which you can find out more about at this link. The IBM i PTF number for 5733-SC1 contains the …

  • A Hacker’s Dozen: 11 New Security Vulns Reported in IBM i

    August 23, 2023 Alex Woodie

    IBM on August 18 reported 11 new security vulnerabilities in IBM i’s Java stack, including two critical Java flaws that should be patched immediately. The new batch of vulns continues what has been an active summer for security flaws on the platform.

    IBM revealed the existence of the 11 Java security flaws in IBM i version 7.2 through 7.5 and the availability of emergency program temporary fixes (PTFs) on the security bulletin section of its IBM Product Security Central webpage.

    The security bulletin shows 11 flaws, CVE-2022-21426 through CVE-2023-21968, impacting various components of the Java stack, including the Java Software …

  • OpenSSL Flaw No ‘Heartbleed,’ But Other New Vulns Detected

    November 2, 2022 Alex Woodie

    The cybersecurity world has been sitting on pins and needles for the past 48 hours, ever since news of a potentially devastating new flaw in OpenSSL started to leak out early Monday morning. That flaw turned out to be not as bad as initially feared, but that shouldn’t stop IBM i shops from patching other recent flaws, including some pretty serious ones in WebSphere Liberty, Java, the CCA, and Zlib.

    News started to emerge earlier this week of a critical OpenSSL flaw that required the utmost attention. The flaw could be a concern for just about everybody, including IBM, …

  • IBM i PTF Guide, Volume 24, Number 31

    August 3, 2022 Doug Bidwell

    As often happens with systems software these days, there are a bunch of new security vulnerabilities with the IBM i stack that you need to be aware of.

    First, there is Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068), which you can find out more about at this link. The IBM i PTF numbers contain the fix for the vulnerability:

    IBM i Release    5733-SC1 PTF Number
    7.5              SI80588
    7.4, 7.3, 7.2    SI80587
    

    Then there is Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476), which you can find out more …

  • More IBM i Security Flaws Revealed

    July 13, 2022 Alex Woodie

    The summer slowdown might have started in your particular business, but things are just getting warmed up for IBM security researchers, who disclosed a series of new vulnerabilities across IBM i products over the past couple of weeks, including IBM i Merlin, WAS Liberty, OpenSSL, the Digital Certificate Manager, and Zlib.

    On June 27, IBM disclosed that the collection of open source and proprietary tools and technology it’s brought together as IBM i Modernization Engine for Lifecycle Integration (Merlin) suffers from no fewer than 16 separate security flaws.

    Among the most serious of these flaws is CVE-2022-22965, a data binding …

Copyright © 2025 IT Jungle