IBM fixes nine security vulnerabilities in IBM i
September 29, 2021
IBM released three security bulletins on Friday alerting IBM i users to the availability of patches for nine newly disclosed security vulnerabilities in OpenSSL, the HTTP Server, and a WebSphere Liberty component. Some of the vulnerabilities are potentially serious and should be addressed immediately.
IBM fixed two security flaws in its OpenSSL API that could have devastating consequences on affected systems, including allowing an attacker to take control of the server, read sensitive information, and execute a denial-of-service (DoS) attack. IBM fixed these flaws in IBM i 7.1 through 7.4, according to the security bulletin, which you can read here. (The fact that IBM patched version 7.1 is telling, given that it is no longer under general support. However, IBM committed in October 2020 to supporting version 7.1 through 2024 as part of its Program Support Extension [PSE] program.)
The most critical of these two OpenSSL vulnerabilities is CVE-2021-3711, a buffer overflow caused by incorrect bounds checking. An attacker could exploit this flaw in the SM2 elliptic curve algorithm by sending a specially crafted packet, overflowing the buffer and allowing the execution of arbitrary code. This flaw carries a CVSS base score of 9.8, making it a particularly dangerous vulnerability that should be addressed immediately.
IBM also corrected CVE-2021-3712, a flaw in the Abstract Syntax Notation One (ASN.1) string structure that OpenSSL uses to serialize and deserialize data in a cross-platform fashion. By sending specially crafted data, an attacker could exploit this vulnerability to read the contents of memory on the system or perform a DoS attack, according to IBM. This flaw carries a CVSS base score of 6.5.
IBM fixed five flaws in the HTTP Server (the one powered by Apache) that could lead to DoS attacks, allow an attacker to bypass security measures, launch web cache poisoning or cross-site scripting attacks, and have other negative consequences for a user. IBM fixed all five security vulnerabilities in IBM i versions 7.2 through 7.4. You can access this security bulletin here.
The most serious of the HTTP Server vulnerabilities is CVE-2021-33193, a flaw in the HTTPd and HTTP/2 libraries that carries a CVSS base score of 6.1, making it a moderate threat. The other flaws corrected by IBM, namely CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, and CVE-2021-30641, carry CVSS base scores between 3.7 and 5.9.
IBM fixed two flaws in the Apache Commons Compress library, which is used by WebSphere Application Server Liberty on IBM i. The fixes apply to IBM i versions 7.2 through 7.3, according to the security bulletin, which you can read here.
The more serious of the two corrected flaws is CVE-2021-36090, which is caused by an out-of-memory error that can be triggered with a specially crafted ZIP archive. A remote attacker can exploit this vulnerability to trigger a DoS attack. It has been given a CVSS base score of 7.5, which means it is a medium to high threat.
A similar defect, CVE-2021-35517, is caused by an out-of-memory error that can be exploited with a malicious TAR archive. It can also be used to launch a DoS attack and has a CVSS base score of 5.5.
Patches were released for these nine vulnerabilities on September 24. A week earlier, IBM fixed another security flaw in DHCPd, the Dynamic Host Configuration Protocol daemon, which is part of the IBM i network stack. The fix was for IBM i 7.1 through 7.4, according to the security bulletin. The specific defect, CVE-2021-25217, is a buffer overflow that could allow an attacker to crash a DHCP server or client. It received a CVSS base score of 6.5.
As always, you can find out which particular PTFs you need to apply by reading Doug Bidwell's PTF Guide, which is published most Wednesdays in The Four Hundred. To read this week's PTF Guide, click here.