IBM i PTF Guide, Volume 25, Number 8
February 27, 2023 Doug Bidwell
We are playing catch-up a bit here at the IBM i PTF Guide, and apologies for that, but it goes that way sometimes. There are a bunch of security vulnerabilities that you need to be aware of, including one that covers systems software not from IBM, as we usually track, but file transfer software from Fortra (formerly known as HelpSystems). We are going to be keeping a closer eye on third-party software security bulletins going forward.
So first, we have CVE-2023-0669, which explains that GoAnywhere MFT from Fortra (formerly HelpSystems) suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2. So get your upgrade going on.
Second, we have Security Bulletin: IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities, which you can read about here. The patches by release for this software (IBM HTTP Server for i, 5770-DG1) are:
- IBM i 7.5: SF99952 – 05
- IBM i 7.4: SF99662 – 25
- IBM i 7.3: SF99722 – 42
Third, we have Security Bulletin: IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889], which you can see here.
| Affected Product | 5733WQX Version | PTFs to Apply for Remediation |
|---|---|---|
| Db2 Web Query for i | 2.3.0 | SI82437 SI82438 SI82440 SI82324 |
| Db2 Web Query for i | 2.4.0 | SI82206 SI82208 SI82209 SI82146 |
Fourth, we have Security Bulletin: Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC, which is detailed here.
| Product | VRMF | APAR | Remediation/Fix |
|---|---|---|---|
| Power HMC | V9.2.950.0 SP3 ppc | MB04377 | MH01949 |
| Power HMC | V9.2.950.0 SP3 x86 | MB04376 | MH01948 |
| Power HMC | V10.1.1020.0 SP1 ppc | MB04383 | MF70699 |
| Power HMC | V10.1.1020.0 SP1 x86 | MB04382 | MF70398 |
| Power HMC | V10.2.1030.0 ppc | MB04381 | MF70632 |
| Power HMC | V10.2.1030.0 SP1 x86 | MB04380 | MF70631 |

And finally, fifth, we have ADMIN4 Job Terminates Suddenly When A User Profile Without *ALLOBJ and *IOSYSCFG Authority Accesses the IBM Web Administration GUI, which you can look at here.
The issue is introduced after applying the following IBM i HTTP Group PTF levels:
- IBM i 7.5: SF99952 level 5
- IBM i 7.4: SF99662 level 25
- IBM i 7.3: SF99722 level 42
Download and apply the following 5770SS1 PTF to prevent the ADMIN4 job from ending suddenly. The PTF can be applied immediately.
- IBM i 7.5: SI82677
- IBM i 7.4: SI82679
- IBM i 7.3: SI82681
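An added example, not from the original guide or from IBM: one way to check a partition against both the Navigator for i group levels and the ADMIN4 fix PTFs listed above, using the IBM i SQL services QSYS2.GROUP_PTF_INFO and QSYS2.PTF_INFO. It assumes group levels are cumulative (an installed level at or above the listed one carries the Navigator fixes) and treats a fix PTF that is applied or superseded as in effect.

```sql
-- Added example. Group names, levels and PTF ids are the ones listed on this page.
WITH page_levels (grp, min_level, fix_ptf) AS (
    VALUES ('SF99952',  5, 'SI82677'),   -- IBM i 7.5
           ('SF99662', 25, 'SI82679'),   -- IBM i 7.4
           ('SF99722', 42, 'SI82681')    -- IBM i 7.3
),
installed AS (
    -- Highest HTTP group level that is actually installed on this partition
    SELECT PTF_GROUP_NAME, MAX(PTF_GROUP_LEVEL) AS lvl
    FROM QSYS2.GROUP_PTF_INFO
    WHERE PTF_GROUP_STATUS = 'INSTALLED'
    GROUP BY PTF_GROUP_NAME
)
SELECT p.grp                                          AS http_group,
       i.lvl                                          AS installed_level,
       p.min_level                                    AS level_from_bulletin,
       p.fix_ptf                                      AS admin4_fix_ptf,
       COALESCE(f.PTF_LOADED_STATUS, 'NOT ON SYSTEM') AS admin4_fix_status,
       CASE
           -- Below the listed level: Navigator for i fixes are not installed yet
           WHEN i.lvl < p.min_level
               THEN 'Install HTTP group ' || p.grp || ' level ' || p.min_level
           -- At or above the listed level and the 5770SS1 fix is in effect
           WHEN f.PTF_LOADED_STATUS IN
                ('APPLIED', 'PERMANENTLY APPLIED', 'SUPERSEDED')
               THEN 'OK'
           -- At or above the listed level without the fix: ADMIN4 can end suddenly
           ELSE 'Apply ' || p.fix_ptf
       END                                            AS action
FROM page_levels p
JOIN installed i
  ON i.PTF_GROUP_NAME = p.grp
LEFT JOIN QSYS2.PTF_INFO f
  ON f.PTF_PRODUCT_ID = '5770SS1'
 AND f.PTF_IDENTIFIER = p.fix_ptf;
```

Only the group for the running release exists on a partition, so the query returns one row; no rows means the HTTP group has never been installed there.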
Now, here is the rundown of PTF Groups by IBM i release level since we last published:
PTF Groups 7.5:
- MGTOOLS
PTF Groups 7.4:
- MGTOOLS
PTF Groups 7.3:
- MGTOOLS
PTF Groups 7.2:
- MGTOOLS
New (or Updated) links added to the ‘Links’ tab in the guide this week:
- PowerHA: How to Change the DataPort Internet Addresses for a Node in a CRG to be used in a Geographic Mirroring Environment, 685547
New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:
- Nothing
New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:
- Nothing here
New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:
- Nothing here as well
New (or Updated) Redbooks links added this week:
- And nothing here, too
Tips/Definitions: How long has it been since you did a SAVE 21? Do I have to keep reminding you every week? Have you done it yet?
The Guide at a glance: There are new defectives this week (02/18/23). Here is the defective PTF rundown, which is the last defective for each release:
Columns, in order: Release, Defect Date, Defective PTF, APAR, Fixing PTF.
- 7.5: 02/08/23, MF70682, MA50037, MF70684 (When available); MF70583, MF70581, MF70504, MF70402
- 7.4: 02/08/23, MF70686, MA50037, MF70688 (When available); MF70573, MF70571, MF70506, MF70457
- 7.3: 01/13/23, MH01946, MB04386, MH01947 (5733-910, When available); MH01945
- 7.2: 12/08/21, SI77634, SE73420, SI78039 (Read the link in the guide!)
Be sure to access the link in the Guide for further details.
Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:
February 18, 2023: Volume 25, Number 8
February 13, 2023: Volume 25, Number 7
February 4, 2023: Volume 25, Number 6
January 28, 2023: Volume 25, Number 5
January 21, 2023: Volume 25, Number 4
January 14, 2023: Volume 25, Number 3
January 7, 2023: Volume 25, Number 2
January 1, 2023: Volume 25, Number 1
December 10, 2022: Volume 24, Number 50
December 3, 2022: Volume 24, Number 49
November 26, 2022: Volume 24, Number 48
November 19, 2022: Volume 24, Number 47
November 12, 2022: Volume 24, Number 46
November 5, 2022: Volume 24, Number 45
October 29, 2022: Volume 24, Number 44
October 22, 2022: Volume 24, Number 43
October 15, 2022: Volume 24, Number 42
October 8, 2022: Volume 24, Number 41
October 1, 2022: Volume 24, Number 40
September 24, 2022: Volume 24, Number 39
September 17, 2022: Volume 24, Number 38
September 10, 2022: Volume 24, Number 37
September 3, 2022: Volume 24, Number 36
August 27, 2022: Volume 24, Number 35
August 20, 2022: Volume 24, Number 34
August 13, 2022: Volume 24, Number 33
August 6, 2022: Volume 24, Number 32
July 30, 2022: Volume 24, Number 31
July 23, 2022: Volume 24, Number 30
July 16, 2022: Volume 24, Number 29
July 9, 2022: Volume 24, Number 28
June 25, 2022: Volume 24, Number 26
June 18, 2022: Volume 24, Number 25
June 11, 2022: Volume 24, Number 24
June 4, 2022: Volume 24, Number 23
May 28, 2022: Volume 24, Number 22
May 25, 2022: Volume 24, Number 21
May 14, 2022: Volume 24, Number 20
May 7, 2022: Volume 24, Number 19
April 30, 2022: Volume 24, Number 18
April 23, 2022: Volume 24, Number 17
April 16, 2022: Volume 24, Number 16
April 2, 2022: Volume 24, Number 14
March 26, 2022: Volume 24, Number 13
March 19, 2022: Volume 24, Number 12
March 12, 2022: Volume 24, Number 11
March 5, 2022: Volume 24, Number 10
February 26, 2022: Volume 24, Number 9
February 19, 2022: Volume 24, Number 8
February 12, 2022: Volume 24, Number 7
February 5, 2022: Volume 24, Number 6
January 29, 2022: Volume 24, Number 5
January 22, 2022: Volume 24, Number 4
January 15, 2022: Volume 24, Number 3
January 8, 2022: Volume 24, Number 2
January 1, 2022: Volume 24, Number 1
December 6, 2021: Volume 23, Number 48
November 20, 2021: Volume 23, Number 47
November 13, 2021: Volume 23, Number 46
November 6, 2021: Volume 23, Number 45
October 30, 2021: Volume 23, Number 44
October 23, 2021: Volume 23, Number 43
October 16, 2021: Volume 23, Number 42
October 9, 2021: Volume 23, Number 41
October 2, 2021: Volume 23, Number 40
September 25, 2021: Volume 23, Number 39
September 18, 2021: Volume 23, Number 38
September 11, 2021: Volume 23, Number 37
September 4, 2021: Volume 23, Number 36
August 28, 2021: Volume 23, Number 35
August 21, 2021: Volume 23, Number 34
August 14, 2021: Volume 23, Number 33
August 7, 2021: Volume 23, Number 32
July 31, 2021: Volume 23, Number 31
July 24, 2021: Volume 23, Number 30
July 17, 2021: Volume 23, Number 29
July 10, 2021: Volume 23, Number 28
July 3, 2021: Volume 23, Number 27
June 26, 2021: Volume 23, Number 26
June 19, 2021: Volume 23, Number 25
June 12, 2021: Volume 23, Number 24
June 5, 2021: Volume 23, Number 23
June 5, 2021: Volume 23, Number 22
May 22, 2021: Volume 23, Number 21
May 15, 2021: Volume 23, Number 20
May 8, 2021: Volume 23, Number 19
May 1, 2021: Volume 23, Number 18
April 24, 2021: Volume 23, Number 17
April 17, 2021: Volume 23, Number 16
April 10, 2021: Volume 23, Number 15
April 3, 2021: Volume 23, Number 14
March 27, 2021: Volume 23, Number 13
March 20, 2021: Volume 23, Number 12
March 13, 2021: Volume 23, Number 11
March 6, 2021: Volume 23, Number 10
February 27, 2021: Volume 23, Number 9
February 20, 2021: Volume 23, Number 8