Multiple Vulnerabilities Pop Up In Navigator For i
January 23, 2023 Timothy Prickett Morgan
Why do we network computers again? Remind me.
A new security bulletin was released for the Navigator for i system management interface for the IBM i platform on January 18, which rolls up four different vulnerabilities for Navigator for i that leave it open to log file access, to obtaining file attributes, and to SQL Injection attacks due to multiple other vulnerabilities.
You can read about this security bulletin at this link. The most severe of the issues is the SQL injection attack, which has a CVSS Base score of 6.3 out of 10. According to the bulletin: “IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface.”
Access to log files for Navigator for i 7.3, 7.4, and 7.5 is unintentionally allowed when a remote authenticated user can bypass the interface checks in the tool and download log files by modifying the servlet filter for Navigator for i. This one has a CVSS rating of 4.3. Another vulnerability allows an authenticated user to get files they are authorized to get but not through the Navigator for i toll (this seems like a minor problem if you as me), and yet another one allowed attackers to see user profile attributes why performing an SQL injection.
IBM is providing fixes for these vulnerabilities for IBM i 7.3, IBM i 7.4, and IBM i 7.5. The following PTFs patch Navigator for i up against these vulnerabilities:
- For IBM i 7.5, HTTP Server for i Group PTF Level SF99952 – 05: SF99952 750 IBM HTTP Server for i – level 5
- For IBM i 7.4, HTTP Server for i Group PTF Level SF99662 – 25: SF99662 740 IBM HTTP Server for i – level 25
- For IBM i 7.3, HTTP Server for i Group PTF Level SF99722 – 42: SF99722 730 IBM HTTP Server for i – level 42
The CVE record dates for these vulnerabilities was October 26, 2022, and we remind you that this record date is not necessarily when the vulnerability was first known to customers or IBM. But it certainly was not after that date!
RELATED STORIES
New Nav for i Brings New Stuff to You
What’s New in IBM i Services and Networking
IBM Delivers More Out-of-the-Box Security with IBM i 7.5
Announcement Day: IBM Lifts The Veil On IBM i 7.5 And 7.4 TR6
IBM Accelerates New Nav Development Following Log4j Issue
No Plan To Support New Nav on Older IBM i Releases, IBM Says
Log4j Hits Heritage Version of Navigator for i – No Patch Coming
New Nav Puts SQL Services Within Reach