• The Four Hundred
  • IBM Patches Pair Of TLS Flaws In IBM i

    March 7, 2016 Alex Woodie

    IBM i shops are encouraged to be vigilant following a pair of security vulnerabilities that have emerged in the encryption protocols used by the platform. This includes the SLOTH vulnerability in the IBM i JVM that IBM patched February 15. But a bigger threat looms in the form of DROWN, a potentially significant vulnerability in the SSL/TLS stack that IBM patched on March 1.

    IBM issued a series of patches to address the SLOTH vulnerability in the IBM i JVMs. According to IBM’s Security Bulletin for SLOTH, a problem with the IBM i JVM’s implementation of the TLS 1.2 protocol and how it processes MD5 hash algorithms could weaken security during the TLS handshake with the server. “An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials,” the company says.

    The security vulnerability, which is identified by the Common Vulnerabilities and Exposures database as CVE-2015-7575, carries a Common Vulnerability Scoring System (CVSS) base score of 7.1, which is relatively high. Karthikeyan Bhargavan, a security researcher with miTLS, is credited with discovering the SLOTH flaw in 2015, although its presence was not disclosed until this year. The TLS working group is reportedly working to remove the MD5 hash algorithm from TLS 1.3.

    IBM issued nearly two dozen PTFs to address the SLOTH vulnerability across all supported versions of IBM i (versions 6.1, 7.1, and 7.2); across all supported versions of Java and the associated JVM (Java versions 6.0, 6.26, 7.0, 7.1, and version 8); and in both 32-bit and 64-bit versions. There are no workarounds and IBM recommends applying the patches immediately.

    But a potentially more significant problem with TLS emerged last week when security researchers disclosed the existence of the DROWN vulnerability. On Friday morning, IBM’s Product Security Incident Response team issued the following note on its PSIRT blog:

    “OpenSSL vulnerabilities were disclosed on March 1, 2016, by the OpenSSL Project. OpenSSL is used by IBM i. IBM i has addressed the applicable CVEs including the ‘DROWN: Decrypting RSA with Obsolete and Weakened eNcryption’ vulnerability.”

    Eight individual OpenSSL vulnerabilities collectively compose the DROWN problem, according to IBM’s Security Bulletin for DROWN. While the flaws exist in OpenSSL, they can be used to weaken TLS security. TLS is the latest encryption protocol used for ecommerce and is considerably more robust than the early SSL standards and the open source OpenSSL implementation that have caused so much trouble.

    Taken together, the DROWN flaws could allow a remote attacker to bypass security restrictions. “By using a server that supports SSLv2 and EXPORT cipher suites. . . an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers,” IBM says in its security bulletin. Three of the individual DROWN flaws carry CVSS base scores of 7.4, indicating a potent threat.

    TLS is the latest and most secure version of the Secure Sockets Layer (SSL) encryption protocol standard, which has been in use for decades. Following the critical Heartbleed vulnerabilities in OpenSSL that were disclosed in 2014 and additional flaws found in SSL version 3, organizations across the world were encouraged to upgrade their encryption capabilities to TLS.

    With DROWN making headlines across the security world, experts are emphasizing the need to disable SSL version 2, which was first released in 1995 and has long been obsolete. Ivan Ristic, a security researcher with the security software company Qualys, explains the complexity of the DROWN problem.

    “The especially bad aspect of this attack is that it can be used to exploit TLS, even in cases when client devices don’t support SSL v2, and sometimes even in cases when the servers don’t support SSL v2 (but use the same RSA key as some other server that does),” Ristic says in a March 1 blog post. “The researchers estimate that up to 22 percent of servers could be impacted by this problem.”
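The shared-key exposure Ristic describes can be audited from an endpoint inventory: group endpoints by RSA key and flag every key that is also served by an SSLv2-enabled endpoint. This is an added example, not code from the article, IBM or Qualys; the inventory records, field names, hostnames and key fingerprints are constructed.

```python
from collections import defaultdict

# Constructed sample inventory (not real hosts). Each record is what a scan or
# config export might yield: endpoint, fingerprint of the RSA public key in its
# certificate, and the protocol versions it accepts.
INVENTORY = [
    {"endpoint": "web.example.test:443", "rsa_key_fp": "fp-A", "protocols": ["TLSv1.2"]},
    {"endpoint": "mail.example.test:25", "rsa_key_fp": "fp-A", "protocols": ["SSLv2", "TLSv1.0"]},
    {"endpoint": "mft.example.test:990", "rsa_key_fp": "fp-B", "protocols": ["TLSv1.1", "TLSv1.2"]},
    {"endpoint": "old.example.test:443", "rsa_key_fp": "fp-C", "protocols": ["SSL 2.0", "SSLv3"]},
    {"endpoint": "telnet.example.test:992", "rsa_key_fp": "fp-A", "protocols": ["TLSv1.2"]},
]

def accepts_sslv2(protocols):
    """Scanner output names SSLv2 inconsistently; normalise before matching."""
    norm = {p.lower().replace(" ", "").replace("_", "") for p in protocols}
    return bool(norm & {"sslv2", "ssl2", "ssl2.0", "sslv2.0"})

def drown_exposure(inventory):
    """Map endpoint -> (status, SSLv2 endpoints that share its RSA key).

    direct     : the endpoint itself accepts SSLv2
    shared-key : SSLv2 is off here, but the same RSA key is served by an
                 endpoint that accepts SSLv2
    ok         : no endpoint using this key accepts SSLv2
    """
    by_key = defaultdict(list)
    for rec in inventory:
        by_key[rec["rsa_key_fp"]].append(rec)

    findings = {}
    for recs in by_key.values():
        sslv2_hosts = sorted(r["endpoint"] for r in recs if accepts_sslv2(r["protocols"]))
        for r in recs:
            if accepts_sslv2(r["protocols"]):
                findings[r["endpoint"]] = ("direct", [])
            else:
                findings[r["endpoint"]] = ("shared-key" if sslv2_hosts else "ok", sslv2_hosts)
    return findings

def sslv2_to_disable(findings):
    """Endpoints where SSLv2 must be turned off to clear every finding."""
    return sorted(ep for ep, (status, _) in findings.items() if status == "direct")

if __name__ == "__main__":
    results = drown_exposure(INVENTORY)
    for ep, (status, via) in sorted(results.items()):
        print(f"{ep:26} {status:10} {', '.join(via)}")
    print("Disable SSLv2 on:", sslv2_to_disable(results))
```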

    It is unclear how the DROWN or SLOTH vulnerabilities might impact third-party products in the IBM i ecosystem. Emulators and managed file transfer (MFT) tools tend to use these protocols fairly extensively to encrypt remote communications with the server. If IBM is patching these problems in its IBM i products, it’s likely that the exposures exist elsewhere too, which means IBM i shops should contact their vendors to see if patches might be coming down the pike.

    In any event, the lesson to remember is that obsolete cryptography is dangerous. “For many years the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway,” Ristic says. “This approach is obviously not working. Instead, in the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it’s not, it’s going to come back to bite us, sooner or later.”


Volume 26, Number 10 -- March 7, 2016
Copyright © 2025 IT Jungle