IBM i PTF Guide, Volume 25, Number 17
April 24, 2023 Doug Bidwell
There are a lot of PTFs that you need to be aware of this week, but before we get into them, there are two security vulnerabilities, one affecting the IBM i platform’s integrated Apache Web server and the other affecting IBM i Access Client Solutions in combination with the IBM Toolbox for Java. Let’s get into the security bulletins to start.
First, we have Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP response splitting and denial of service attacks (CVE-2022-37436, CVE-2006-20001), which you can find out more about at this link. The PTF numbers that contain the fix for the vulnerabilities, by IBM i release, are:
| IBM i Release | 5770-DG1 PTF Number |
|---|---|
| 7.5 | SI82700, SI82701 |
| 7.4 | SI82702, SI82703 |
| 7.3 | SI82704, SI82705 |
| 7.2 | SI82706, SI82707 |
Second, we have Security Bulletin: IBM i Access Client Solutions is vulnerable to an attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928), which you can see all kinds of details about here. The issue can be fixed by upgrading to version 1.1.9.2 or later. See IBM i Access Client Solutions updates for the latest version available. The affected products are IBM i Access Client Solutions 1.1.2 – 1.1.4, 1.1.4.3 – 1.1.9.1.
In a rare occurrence, there are no updates to the PTF Groups for the currently supported releases – IBM i 7.5, IBM i 7.4, and IBM i 7.3 – but there sure are a whole bunch of security vulnerabilities that IBM i shops have to deal with.
First, there are two of them dealing with WebSphere Application Server Liberty. The first is PH50863: IBM WebSphere Application Server Liberty is vulnerable to a denial of service, which deals with CVE-2023-24998 (CVSS 7.5) and which you can find out more about here. Then there is PH52739: IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482, CVSS 5.3), which you can find out more about here.
Second, we have Security Bulletin: IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928), which you can learn more about at this link. The patches, for products 5770-DBM and 5770-SS1, are:
- IBM Db2 Mirror for i 7.4: SI83019, SI82444, SI83028, SI82954
- IBM Db2 Mirror for i 7.5: SI83018, SI82443, SI83029, SI82948
Third, there is Security Bulletin: IBM i components are affected by CVE-2021-4104 (Log4j version 1.x), for which more information is available at this link.
| IBM i Release | 5770-DG1 Level |
|---|---|
| 7.4 | SF99662 - 19 |
| 7.3 | SF99722 - 38 |
| 7.2 | SF99713 - 49 |
Fourth, you have Security Bulletin: IBM i DNS is affected by denial of service attacks due to flaws in ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924). More information is available here, and the IBM i PTF numbers for 5770-SS1 Option 31 Domain Name System that contain the fix for the vulnerabilities are:
| IBM i Release | 5770-SS1 Option 31 PTF Number |
|---|---|
| 7.5 | SI82623 |
| 7.4 | SI82624 |
| 7.3 | SI82625 |
| 7.2 | SI82626 |
Here is the rundown of PTF Groups by IBM i release level since we last published:
PTF Groups 7.5:
- HIPERs (High Impact/Pervasive)
- Security
- Backup Recovery Solutions
- High Availability for IBM i
- SAP support required PTF list for IBM i 7.5
- Memo to Users
- What’s New!
- IBM i Access Client Solutions V1.1.9.2
- MustGather: How To Obtain and Install QMGTOOLS
- RPG Café
PTF Groups 7.4:
- HIPERs (High Impact/Pervasive)
- Security
- Backup Recovery Solutions
- High Availability for IBM i
- Memo to Users
- What’s New!
- IBM i Access Client Solutions V1.1.9.2
- MustGather: How To Obtain and Install QMGTOOLS
- RPG Café
PTF Groups 7.3:
- HIPERs (High Impact/Pervasive)
- Security
- Backup Recovery Solutions
- High Availability for IBM i
- Memo to Users
- What’s New!
- IBM i Access Client Solutions V1.1.9.2
- MustGather: How To Obtain and Install QMGTOOLS
- RPG Café
New (or Updated) links added to the ‘Links’ tab in the guide this week:
- Nyet, comrade
New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:
- Nein
New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:
- Nuthin’
New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:
- Nothing here, either
New (or Updated) Redbooks links added this week:
- Nothing here as well
Tips/Definitions: The “Help” About, Check for Updates only checks the first three digits. If you are on ACS 1.1.9.1, checking for updates will not tell you about 1.1.9.2 . . . .
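The tip above and the affected ranges from the ACS bulletin can be checked with a short script. This is an added example, not code from IBM or from the Guide; the function names and the inventory are constructed, and the update check is modeled as a comparison of the first three version components, as the tip describes.

```python
# Added example: version checks for IBM i Access Client Solutions (ACS).
# Ranges and the fixed version are taken from the bulletin text above;
# the function names and the inventory list are constructed for illustration.

AFFECTED_RANGES = [("1.1.2", "1.1.4"), ("1.1.4.3", "1.1.9.1")]
FIXED_VERSION = "1.1.9.2"


def parse(version, width=4):
    """Turn '1.1.9.1' into (1, 1, 9, 1), padding short versions with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version):
    """True when the version falls inside one of the bulletin's ranges."""
    v = parse(version)
    return any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED_RANGES)


def three_digit_check_sees_update(installed, latest):
    """Model of an update check that compares only the first three components."""
    return parse(latest)[:3] > parse(installed)[:3]


def full_check_sees_update(installed, latest):
    """Comparison over all four components."""
    return parse(latest) > parse(installed)


def audit(inventory):
    """Return {host: status} for a list of (host, acs_version) pairs."""
    report = {}
    for host, version in inventory:
        if is_affected(version):
            report[host] = "affected, upgrade to %s or later" % FIXED_VERSION
        elif parse(version) >= parse(FIXED_VERSION):
            report[host] = "fixed"
        else:
            report[host] = "not in an affected range"
    return report


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = [("pc-01", "1.1.9.1"), ("pc-02", "1.1.9.2"), ("pc-03", "1.1.8.8")]
    for host, status in audit(sample).items():
        print(host, status)
    print(three_digit_check_sees_update("1.1.9.1", FIXED_VERSION))
    print(full_check_sees_update("1.1.9.1", FIXED_VERSION))
```

Feed `audit` the version string each client reports rather than relying on the built-in update check, since a three-component comparison treats 1.1.9.1 and 1.1.9.2 as the same release.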
The Guide at a glance: There are new defectives this week (04/22/23). Here is the defective PTF rundown, which is the last defective for each release:
| Release | Defect Date | Defective PTF | APAR | Fixing PTF |
|---|---|---|---|---|
| 7.5 | 02/24/23 | MF70751 | MA50112 | MF70868 (When available) |
| 7.4 | 02/24/23 | MF70747 | MA50112 | MF70861 (When available) |
| 7.3 | 02/22/23 | MF70677 | MA50059 | MF70736 (When available) |

Additional PTFs listed for 7.3: MF70600, MF70440
Be sure to access the link in the Guide for further details.
Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:
April 22, 2023: Volume 25, Number 17
April 15, 2023: Volume 25, Number 16
April 8, 2023: Volume 25, Number 15
April 1, 2023: Volume 25, Number 14
March 25, 2023: Volume 25, Number 13
March 18, 2023: Volume 25, Number 12
March 11, 2023: Volume 25, Number 11
March 4, 2023: Volume 25, Number 10
February 25, 2023: Volume 25, Number 9
February 18, 2023: Volume 25, Number 8
February 13, 2023: Volume 25, Number 7
February 4, 2023: Volume 25, Number 6
January 28, 2023: Volume 25, Number 5
January 21, 2023: Volume 25, Number 4
January 14, 2023: Volume 25, Number 3
January 7, 2023: Volume 25, Number 2
January 1, 2023: Volume 25, Number 1
December 10, 2022: Volume 24, Number 50
December 3, 2022: Volume 24, Number 49
November 26, 2022: Volume 24, Number 48
November 19, 2022: Volume 24, Number 47
November 12, 2022: Volume 24, Number 46
November 5, 2022: Volume 24, Number 45
October 29, 2022: Volume 24, Number 44
October 22, 2022: Volume 24, Number 43
October 15, 2022: Volume 24, Number 42
October 8, 2022: Volume 24, Number 41
October 1, 2022: Volume 24, Number 40
September 24, 2022: Volume 24, Number 39
September 17, 2022: Volume 24, Number 38
September 10, 2022: Volume 24, Number 37
September 3, 2022: Volume 24, Number 36
August 27, 2022: Volume 24, Number 35
August 20, 2022: Volume 24, Number 34
August 13, 2022: Volume 24, Number 33
August 6, 2022: Volume 24, Number 32
July 30, 2022: Volume 24, Number 31
July 23, 2022: Volume 24, Number 30
July 16, 2022: Volume 24, Number 29
July 9, 2022: Volume 24, Number 28
June 25, 2022: Volume 24, Number 26
June 18, 2022: Volume 24, Number 25
June 11, 2022: Volume 24, Number 24
June 4, 2022: Volume 24, Number 23
May 28, 2022: Volume 24, Number 22
May 25, 2022: Volume 24, Number 21
May 14, 2022: Volume 24, Number 20
May 7, 2022: Volume 24, Number 19
April 30, 2022: Volume 24, Number 18
April 23, 2022: Volume 24, Number 17
April 16, 2022: Volume 24, Number 16
April 2, 2022: Volume 24, Number 14
March 26, 2022: Volume 24, Number 13
March 19, 2022: Volume 24, Number 12
March 12, 2022: Volume 24, Number 11
March 5, 2022: Volume 24, Number 10
February 26, 2022: Volume 24, Number 9
February 19, 2022: Volume 24, Number 8
February 12, 2022: Volume 24, Number 7
February 5, 2022: Volume 24, Number 6
January 29, 2022: Volume 24, Number 5
January 22, 2022: Volume 24, Number 4
January 15, 2022: Volume 24, Number 3
January 8, 2022: Volume 24, Number 2
January 1, 2022: Volume 24, Number 1
December 6, 2021: Volume 23, Number 48
November 20, 2021: Volume 23, Number 47
November 13, 2021: Volume 23, Number 46
November 6, 2021: Volume 23, Number 45
October 30, 2021: Volume 23, Number 44
October 23, 2021: Volume 23, Number 43
October 16, 2021: Volume 23, Number 42
October 9, 2021: Volume 23, Number 41
October 2, 2021: Volume 23, Number 40
September 25, 2021: Volume 23, Number 39
September 18, 2021: Volume 23, Number 38
September 11, 2021: Volume 23, Number 37
September 4, 2021: Volume 23, Number 36
August 28, 2021: Volume 23, Number 35
August 21, 2021: Volume 23, Number 34
August 14, 2021: Volume 23, Number 33
August 7, 2021: Volume 23, Number 32
July 31, 2021: Volume 23, Number 31
July 24, 2021: Volume 23, Number 30
July 17, 2021: Volume 23, Number 29
July 10, 2021: Volume 23, Number 28
July 3, 2021: Volume 23, Number 27
June 26, 2021: Volume 23, Number 26
June 19, 2021: Volume 23, Number 25
June 12, 2021: Volume 23, Number 24
June 5, 2021: Volume 23, Number 23
June 5, 2021: Volume 23, Number 22
May 22, 2021: Volume 23, Number 21
May 15, 2021: Volume 23, Number 20
May 8, 2021: Volume 23, Number 19
May 1, 2021: Volume 23, Number 18
April 24, 2021: Volume 23, Number 17
April 17, 2021: Volume 23, Number 16