Multiple Security Vulnerabilities Patched on IBM i
June 22, 2022 Alex Woodie
In recent weeks, IBM has disclosed a handful of vulnerabilities in its IBM i operating system and related IBM i products, including Db2 Mirror, WebSphere, Navigator for i, the Java development and runtime tools, and OmniFind Text Search Server. IBM has shipped PTFs for the security problems, which range in severity from medium to high.
IBM warned of security holes in the HTTP Server for i (the one powered by Apache) in a June 13 security bulletin. The flaws are identified as CVE-2022-22720, an HTTP request smuggling weakness that could be used to poison the Web cache, bypass firewalls, and conduct cross-site scripting attacks (CVSS base score 7.3), and CVE-2022-22721, a buffer overflow that could enable an attacker to execute arbitrary code on an affected system (also CVSS base score 7.3). IBM has fixed the problems with PTFs for IBM i 7.2 through 7.5.
In a June 15 security bulletin, IBM warned of identity spoofing and port status query vulnerabilities in WebSphere Application Server Liberty versions 17.0.0.3 through 22.0.0.5. The vulnerabilities are tied to CVE-2022-22475 and CVE-2022-22393, and carry CVSS Base scores of 5 and 3.1, respectively. Affected operating systems include IBM i versions 7.2 through 7.5, all of which have PTFs available for them.
IBM issued another security bulletin on June 15 warning of denial of service and cache poisoning vulnerabilities in IBM i 7.2 through 7.5 that are due to flaws in ISC BIND. These vulnerabilities are tied to CVE-2022-0396, a denial of service (DoS) vulnerability with a CVSS base score of 5.3, and CVE-2021-25220, a record poisoning vulnerability with a CVSS base score of 6.8. IBM has patched the flaws with a PTF for all current versions of IBM i.
Db2 Mirror for i also had its share of security problems in June, starting with a June 8 security announcement about a flaw in the Db2 Mirror for i GUI, which uses a vulnerable version of Chart.js. The vulnerability, identified as CVE-2022-24785, could allow a remote attacker to traverse directories on the system, IBM says. The flaw carries a CVSS base score of 7.5, making it a rather severe threat. IBM fixed it with PTFs for IBM i 7.4 and 7.5, the only versions of the operating system that support Db2 Mirror.
The same security flaw was at the center of a June 9 security bulletin that warned users that Moment.js, a JavaScript-based presentation and charting framework used by Db2 Mirror, is also susceptible to CVE-2022-24785. IBM offered patches to fix the problems in 7.4 and 7.5.
IBM also warned on June 9 that Db2 Mirror is susceptible to a cross-site scripting vulnerability in the Angular JavaScript framework used by the high availability product’s GUI, which could allow an attacker to steal a victim’s cookie-based authentication credentials. The flaw, which was given the X-Force ID 220414, carries a CVSS base score of 5.3. IBM fixed it with PTFs for IBM i 7.4 and 7.5.
Another Db2 Mirror flaw was disclosed on June 9 relating to a denial of service flaw in gson, an open-source Java library used by Db2 Mirror that serializes and deserializes Java objects to JSON. The flaw, given the X-Force ID 217225, carries a CVSS base score of 7.7, and was patched in IBM i 7.4 and 7.5.
On June 2, IBM warned of a series of security vulnerabilities in the IBM Java SDK and IBM Java Runtime for IBM i that could allow an attacker to obtain sensitive information. The flaws, which include CVE-2021-35603, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248, and CVE-2021-35550, carry CVSS base scores between 3.7 and 5.9. IBM patched IBM i versions 7.2 through 7.5 with Group PTFs.
On May 23, IBM disclosed a vulnerability in IBM Navigator for i, or New Nav, that could make the system susceptible to a SQL injection attack, allowing an attacker to view, add, modify, or delete information in Db2 for i. The vulnerability is identified as CVE-2022-22495 and carries a CVSS base score of 6.3. The issue can be resolved by applying the latest group PTF for the HTTP Server for i (the one powered by Apache) in IBM i 7.3, 7.4, and 7.5.
The Log4j issue reared its ugly head again last month when IBM issued a security alert for OmniFind Text Search Server for Db2 for i. The vulnerability, identified as CVE-2021-4104, could enable attackers to do all sorts of bad things, hence the CVSS base score of 8.1. IBM fixed the issue in V1R3 through V1R6 of the product, which runs on IBM i 7.2 through 7.5.
IBM has done a lot to improve security with IBM i 7.5. But the best security in the world won’t protect you from these known security vulnerabilities.
Great post, Alex. This is why we tell people to keep all Open Source, HTTP, Java, HIPER and Security Group PTFs current. This is what PTF currency means.