IBM i PTF Guide, Volume 24, Number 10
March 7, 2022 Doug Bidwell
This week, there are a bunch of security bulletins about yet more new vulnerabilities, this time in the HTTP Server and the Samba SMB file server that are embedded in the IBM i operating system. There is also a partial mitigation for the Log4j 1.x vulnerability (the older cousin of Log4Shell), and you may get a laugh or a cry out of this one. Maybe both. OK, probably both. Let’s go through them all.
First, there is Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224, which you can read about here at this link. With this vulnerability, the Apache Web server bundled with IBM i is vulnerable to a denial of service or server-side request forgery. Upstream, the bug is in mod_proxy and is only reachable when the server is configured as a forward proxy (ProxyRequests On), with the SSRF case arising when forward and reverse proxy declarations are mixed, so a look at your httpd.conf files will tell you how exposed each instance is until the PTFs are on. The fixing PTFs are:
- IBM i 7.4: SI78295, SI78296
- IBM i 7.3: SI78298, SI78299
- IBM i 7.2: SI78297
Then there is Security Bulletin: IBM i is vulnerable to bypass security restrictions due to Samba SMB1 (CVE-2021-43566 and CVE-2021-44141), which you can find out more about in this link here. Here is what IBM has to say: “Samba could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink race error. By using a specially-crafted SMB1 or NFS symlink, an attacker could exploit this vulnerability to create a directory in a part of the server file system not exported under the share definition.” The fixing PTFs are:
- IBM i 7.4: SI78680
- IBM i 7.3: SI78679
Then, of course, there is Security Bulletin: IBM i components are affected by CVE-2021-4104 (Log4j version 1.x), which we have seen before. However, IBM has updated the group PTFs and added 7.2 mitigation, which you can read about here. The neat bit is the cover letter for the HTTP Server for IBM i 7.2, IBM i 7.3, and IBM i 7.4, which reads as follows: “ *** ADMIN SERVER INFORMATION *** With the latest updates to the HTTP PTF Group, the ADMIN2 server will no longer be started or enabled by default. This means that the Heritage Navigator will no longer be accessible without the user manually enabling and starting the ADMIN2 server. See the following page for details: https://www.ibm.com/support/pages/node/6556828.”
Yes, IBM has mitigated the Log4j 1.x vulnerability in the HTTP Server by no longer starting the ADMIN2 server, which is the instance that hosts the heritage Navigator for i administrative console. So the Log4j hole is plugged by not letting the heritage Navigator run. Note that this is a mitigation, not a fix: the cover letter says you can manually enable and start ADMIN2 again, and if you do, you are once more running the component the change was meant to keep off. The new Navigator for i (the one at port 2002, mentioned below) runs in a different server instance and is only available for IBM i 7.3 and later, so good luck managing your IBM i instances if you are on IBM i 7.1 or IBM i 7.2, which are both on extended support.
To help you with the Log4j security vulnerability, we have created a supplemental spreadsheet as a companion to the IBM i PTF Guide that has the latest information on what you need to worry about and do about it when it comes to this vulnerability. You can download the Log4j spreadsheet at this link.
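If you want to confirm on a partition that the Apache and Samba fixing PTFs listed above are actually applied, that the HTTP Server PTF group is at the level that carries the ADMIN2 change, and that ADMIN2 is really not running, the three queries below do it from ACS Run SQL Scripts or STRSQL. This is an added example written for this page, not code from IBM or the PTF Guide; the PTF numbers are the ones quoted in the bulletins above, the release-to-PTF mapping is assumed to be as quoted there, and the IBM i services used (QSYS2.PTF_INFO, QSYS2.GROUP_PTF_INFO, QSYS2.ACTIVE_JOB_INFO) are standard Db2 for i services.

```sql
-- Added example (not IBM's or IT Jungle's code). Run on the target partition.
-- The PTF identifiers are taken from the bulletins quoted in this issue.

-- 1. Are the fixing PTFs for the Apache (CVE-2021-44224) and Samba
--    (CVE-2021-43566, CVE-2021-44141) bulletins loaded and applied?
--    A row whose status is not APPLIED or PERMANENTLY APPLIED, or a PTF that
--    returns no row at all, still needs work on this partition.
SELECT PTF_PRODUCT_ID, PTF_IDENTIFIER, PTF_LOADED_STATUS, PTF_IPL_ACTION
  FROM QSYS2.PTF_INFO
 WHERE PTF_IDENTIFIER IN ('SI78295', 'SI78296',   -- HTTP Server, IBM i 7.4
                          'SI78298', 'SI78299',   -- HTTP Server, IBM i 7.3
                          'SI78297',              -- HTTP Server, IBM i 7.2
                          'SI78680',              -- Samba, IBM i 7.4
                          'SI78679')              -- Samba, IBM i 7.3
 ORDER BY PTF_IDENTIFIER;

-- 2. Which level of the HTTP Server PTF group is installed? The ADMIN2 change
--    described in the cover letter arrives with the latest level of this group,
--    so compare the level here against the one in the Guide.
SELECT PTF_GROUP_NAME, PTF_GROUP_DESCRIPTION, PTF_GROUP_LEVEL, PTF_GROUP_STATUS
  FROM QSYS2.GROUP_PTF_INFO
 WHERE PTF_GROUP_DESCRIPTION LIKE '%HTTP%';

-- 3. Is ADMIN2 actually down? HTTP admin server instances run as jobs in the
--    QHTTPSVR subsystem; ADMIN2 is the instance that hosts Heritage Navigator.
--    An empty result means the mitigation is in effect on this partition.
SELECT JOB_NAME, JOB_STATUS, SUBSYSTEM
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(SUBSYSTEM_LIST_FILTER => 'QHTTPSVR')) AS J
 WHERE JOB_NAME LIKE '%ADMIN2%';
```

Two caveats when reading the results. A status of SUPERSEDED in the first query is fine only if the superseding PTF (the PTF_SUPERSEDED_BY_PTF column) is itself applied, so chase that one before calling the bulletin closed. And the third query only tells you the current state; if someone later re-enables ADMIN2 to get Heritage Navigator back, the Log4j 1.x component is running again, so it is worth scheduling this check rather than running it once.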
And just another reminder that there is a new version of Navigator for i, which you can find out more about at this link. This modern user interface can be accessed from http://hostname:2002/Navigator.
Here is the rundown of PTF Groups by IBM i release level since we last published:
PTF Groups 7.4:
- IBM HTTP Server for i
- Content Manager OnDemand for i – 5770-RD1
PTF Groups 7.3:
- IBM HTTP Server for i
- Content Manager OnDemand for i – 5770-RD1
PTF Groups 7.2:
- IBM HTTP Server for i
PTF Groups 7.1:
- Nothing here.
New (or Updated) links added to the ‘Links’ tab in the guide this week:
- The “Links” tab
- The “QMGTools” tab
- The “ACS” tab
Tips/Definitions: Download the Log4j mitigation document from IT Jungle; it is brought current every week. Take a look at the tabs in the IBM i PTF Guide, we have added a couple that may be helpful!
The Guide at a glance: There are no new defectives this week (03/05/22). Here is the defective PTF rundown, which is the last defective for each release:
Release  Defect Date  Defective PTF  APAR     Fixing PTF  Note
-------  -----------  -------------  -------  ----------  ----------------------------
7.4      02/16/22     SI78509        SE77164  SI78675     Read the link in the guide!
7.3      02/16/22     SI78508        SE77164  SI78674     Read the link in the guide!
7.2      12/08/21     SI77634        SE73420  SI78039     Read the link in the guide!
7.1      07/29/19     SI69653        SE71807  SI70603     5733SC1, OpenSSH, available!
Be sure to access the link in the Guide for further details.
Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:
March 5, 2022: Volume 24, Number 10
February 26, 2022: Volume 24, Number 9
February 19, 2022: Volume 24, Number 8
February 12, 2022: Volume 24, Number 7
February 5, 2022: Volume 24, Number 6
January 29, 2022: Volume 24, Number 5
January 22, 2022: Volume 24, Number 4
January 15, 2022: Volume 24, Number 3
January 8, 2022: Volume 24, Number 2
January 1, 2022: Volume 24, Number 1
December 6, 2021: Volume 23, Number 48
November 20, 2021: Volume 23, Number 47
November 13, 2021: Volume 23, Number 46
November 6, 2021: Volume 23, Number 45
October 30, 2021: Volume 23, Number 44
October 23, 2021: Volume 23, Number 43
October 16, 2021: Volume 23, Number 42
October 9, 2021: Volume 23, Number 41
October 2, 2021: Volume 23, Number 40
September 25, 2021: Volume 23, Number 39
September 18, 2021: Volume 23, Number 38
September 11, 2021: Volume 23, Number 37
September 4, 2021: Volume 23, Number 36
August 28, 2021: Volume 23, Number 35
August 21, 2021: Volume 23, Number 34
August 14, 2021: Volume 23, Number 33
August 7, 2021: Volume 23, Number 32
July 31, 2021: Volume 23, Number 31
July 24, 2021: Volume 23, Number 30
July 17, 2021: Volume 23, Number 29
July 10, 2021: Volume 23, Number 28
July 3, 2021: Volume 23, Number 27
June 26, 2021: Volume 23, Number 26
June 19, 2021: Volume 23, Number 25
June 12, 2021: Volume 23, Number 24
June 5, 2021: Volume 23, Number 23
June 5, 2021: Volume 23, Number 22
May 22, 2021: Volume 23, Number 21
May 15, 2021: Volume 23, Number 20
May 8, 2021: Volume 23, Number 19
May 1, 2021: Volume 23, Number 18
April 24, 2021: Volume 23, Number 17
April 17, 2021: Volume 23, Number 16
April 10, 2021: Volume 23, Number 15
April 3, 2021: Volume 23, Number 14
March 27, 2021: Volume 23, Number 13
March 20, 2021: Volume 23, Number 12
March 13, 2021: Volume 23, Number 11
March 6, 2021: Volume 23, Number 10
February 27, 2021: Volume 23, Number 9
February 20, 2021: Volume 23, Number 8
February 13, 2021: Volume 23, Number 7
February 6, 2021: Volume 23, Number 6
January 31, 2021: Volume 23, Number 5
January 23, 2021: Volume 23, Number 4
January 16, 2021: Volume 23, Number 3
January 9, 2021: Volume 23, Number 2
January 2, 2021: Volume 23, Number 1
December 26, 2020: Volume 22, Number 52
December 19, 2020: Volume 22, Number 51
December 12, 2020: Volume 22, Number 50
December 5, 2020: Volume 22, Number 49
November 28, 2020: Volume 22, Number 48
November 20, 2020: Volume 22, Number 47
November 14, 2020: Volume 22, Number 46
November 7, 2020: Volume 22, Number 45
October 31, 2020: Volume 22, Number 44
October 24, 2020: Volume 22, Number 43
October 17, 2020: Volume 22, Number 42
October 10, 2020: Volume 22, Number 41
October 3, 2020: Volume 22, Number 40
September 26, 2020: Volume 22, Number 39
September 19, 2020: Volume 22, Number 38
September 12, 2020: Volume 22, Number 37
September 5, 2020: Volume 22, Number 36
August 29, 2020: Volume 22, Number 35
August 22, 2020: Volume 22, Number 34
August 15, 2020: Volume 22, Number 33
August 9, 2020: Volume 22, Number 32
August 1, 2020: Volume 22, Number 31
July 25, 2020: Volume 22, Number 30
July 18, 2020: Volume 22, Number 29
July 11, 2020: Volume 22, Number 28
July 4, 2020: Volume 22, Number 27
June 27, 2020: Volume 22, Number 26
June 20, 2020: Volume 22, Number 25
June 13, 2020: Volume 22, Number 24
June 6, 2020: Volume 22, Number 23
May 30, 2020: Volume 22, Number 22
May 23, 2020: Volume 22, Number 21
May 16, 2020: Volume 22, Number 20
May 9, 2020: Volume 22, Number 19
May 2, 2020: Volume 22, Number 18
April 25, 2020: Volume 22, Number 17
April 18, 2020: Volume 22, Number 16
April 11, 2020: Volume 22, Number 15
April 4, 2020: Volume 22, Number 14
March 30, 2020: Volume 22, Number 13
March 23, 2020: Volume 22, Number 12