IBM i PTF Guide, Volume 25, Number 21
May 22, 2023 Doug Bidwell
As we report elsewhere in this week’s edition of The Four Hundred, there is a critical security vulnerability in the PowerVM hypervisor when it is running on Power9 and Power10 systems.
This HIPER/Pervasive patch is described as fixing this: An internally discovered vulnerability in PowerVM on Power9 and Power10 systems could allow an attacker with privileged user access to a logical partition to perform an undetected violation of the isolation between logical partitions which could lead to data leakage or the execution of arbitrary code in other logical partitions on the same physical server.
The Common Vulnerability and Exposure number is CVE-2023-30438, which you can read about here. The MH PTFs for the systems without HMCs (Standalone systems) is/are expected on Monday, May 22 – we will publish details in the next edition of the IBM i PTF Guide. Keep an eye on this document for latest information from IBM.
There is also Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364), which you can read about here. Affected products: Versions 17.0.0.3 – 23.0.0.1.
Sorry it took us a few extra days to get this edition of the IBM i PTF Guide out the door. This week, you have three security vulnerabilities and one end of the road for updates to WebSphere Application Server V8.5. Let’s deal with the WebSphere situation first.
IBM WebSphere Application Server V8.5 Group PTFs for IBM i operating system will no longer be released. You can read more about it here. Here are the final IBM i Group PTF levels containing the 8.5.5.23 fix pack level:
- IBM i 7.4: SF99661 level 10
- IBM i 7.3: SF99581 level 16
- IBM i 7.2: SF99481 level 23
Now, let’s go through the security issues.
First, we have Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161), which you can find out more about here.
Affected Product(s) Version(s) Plug-in Version IBM WebSphere Application Server with Web Server Plug-ins 9.0 8.5, 9.0 IBM WebSphere Application Server with Web Server Plug-ins 8.5 8.5, 9.0 IBM WebSphere Application Server Liberty with Web Server Plug-ins 17.0.0.3 - current 8.5, 9.0
Second, there is Security Bulletin: IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554), and more details are available here.
Affected Product(s) Version(s) IBM WebSphere Application Server 9.0 IBM WebSphere Application Server 8.5
And third, there is Security Bulletin: OpenSSL for IBM i is vulnerable to denial of service attacks and the ability for remote attacker to obtain sensitive information due to multiple vulnerabilities, with more information at this link. The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed. The IBM i PTF numbers for OpenSSL in 5733-SC1 contain the fixes for the vulnerabilities.
<
IBM i Release 5733-SC1 PTF Number 7.5 SI83245 7.4, 7.3, 7.2 SI83194
Here is the rundown of PTF Groups by IBM i release level since we last published:
PTF Groups 7.5:
- HIPERs (High Impact/Pervasive)
- IBM HTTP Server for i
- IBM DB2 Mirror for i
- DB2 for IBM i
- SAP support required PTF list for IBM i 7.5
PTF Groups 7.4:
- HIPERs (High Impact/Pervasive)
- Security
- DB2 for IBM i
- IBM Db2 Mirror for i
- IBM HTTP Server for i
- SAP support required PTF list for IBM i 7.4
PTF Groups 7.3:
- MQ for IBM i – v7.1.0/v8.0.0/V9.0.0/V9.1/V9.2
- HIPERs (High Impact/Pervasive)
- Security
- IBM HTTP Server for i
- SAP Support Required PTF List for IBM i 7.3
Tip O’ The Week: The “Help” About, Check for Updates only checks the first three digits. If you are on ACS 1.1.9.1, checking for updates will not tell you about 1.1.9.2 . . . .
New (or Updated) links added to the ‘Links’ tab in the guide this week:
- Nothing
New (or Updated) links added to the ‘QMGtools’ tab in the guide this week:
- Nein
New (or Updated) links added to the ‘ACS_NAV’ tab in the guide this week:
- Nuthin’
New (or Updated) links added to the ‘Prtr Links’ tab in the guide this week:
- Nothing here, either
New (or Updated) links Redbooks added this week:
- Nothing here as well
The Guide at a glance: There are new defectives this week (05/20/23). Here is the defective PTF rundown, which is the last defective for each release:
Defective PTF rundown (The last defective for each release):
Defect Defective APAR Fixing Date PTF PTF -------- -------- ------- ------- 7.5 02/24/23 MF70751 MA50112 MF70868 (When available) 7.4 02/24/23 MF70747 MA50112 MF70861 (When available) 7.3 02/22/23 MF70677 MA50059 MF70736 (When available) MF70600 MF70440
Be sure to access the link in the Guide for further details.
Below is the usual archive of the IBM i PTF Guide to help you work through the PTFs in chronological order:
May 20, 2023: Volume 25, Number 21
May 13, 2023: Volume 25, Number 20
May 6, 2023: Volume 25, Number 19
April 29, 2023: Volume 25, Number 18
April 22, 2023: Volume 25, Number 17
April 15, 2023: Volume 25, Number 16
April 8, 2023: Volume 25, Number 15
April 1, 2023: Volume 25, Number 14
March 25, 2023: Volume 25, Number 13
March 18, 2023: Volume 25, Number 12
March 11, 2023: Volume 25, Number 11
March 4, 2023: Volume 25, Number 10
February 25, 2023: Volume 25, Number 9
February 18, 2023: Volume 25, Number 8
February 13, 2023: Volume 25, Number 7
February 4, 2023: Volume 25, Number 6
January 28, 2023: Volume 25, Number 5
January 21, 2023: Volume 25, Number 4
January 14, 2023: Volume 25, Number 3
January 7, 2023: Volume 25, Number 2
January 1, 2023: Volume 25, Number 1
December 10, 2022: Volume 24, Number 50
December 3, 2022: Volume 24, Number 49
November 26, 2022: Volume 24, Number 48
November 19, 2022: Volume 24, Number 47
November 12, 2022: Volume 24, Number 46
November 5, 2022: Volume 24, Number 45
October 29, 2022: Volume 24, Number 44
October 22, 2022: Volume 24, Number 43
October 15, 2022: Volume 24, Number 42
October 8, 2022: Volume 24, Number 41
October 1, 2022: Volume 24, Number 40
September 24, 2022: Volume 24, Number 39
September 17, 2022: Volume 24, Number 38
September 10, 2022: Volume 24, Number 37
September 3, 2022: Volume 24, Number 36
August 27, 2022: Volume 24, Number 35
August 20, 2022: Volume 24, Number 34
August 13, 2022: Volume 24, Number 33
August 6, 2022: Volume 24, Number 32
July 30, 2022: Volume 24, Number 31
July 23, 2022: Volume 24, Number 30
July 16, 2022: Volume 24, Number 29
July 9, 2022: Volume 24, Number 28
June 25, 2022: Volume 24, Number 26
June 18, 2022: Volume 24, Number 25
June 11, 2022: Volume 24, Number 24
June 4, 2022: Volume 24, Number 23
May 28, 2022: Volume 24, Number 22
May 25, 2022: Volume 24, Number 21
May 14, 2022: Volume 24, Number 20
May 7, 2022: Volume 24, Number 19
April 30, 2022: Volume 24, Number 18
April 23, 2022: Volume 24, Number 17
April 16, 2022: Volume 24, Number 16
April 2, 2022: Volume 24, Number 14
March 26, 2022: Volume 24, Number 13
March 19, 2022: Volume 24, Number 12
March 12, 2022: Volume 24, Number 11
March 5, 2022: Volume 24, Number 10
February 26, 2022: Volume 24, Number 9
February 19, 2022: Volume 24, Number 8
February 12, 2022: Volume 24, Number 7
February 5, 2022: Volume 24, Number 6
January 29, 2022: Volume 24, Number 5
January 22, 2022: Volume 24, Number 4
January 15, 2022: Volume 24, Number 3
January 8, 2022: Volume 24, Number 2
January 1, 2022: Volume 24, Number 1
December 6, 2021: Volume 23, Number 48
November 20, 2021: Volume 23, Number 47
November 13, 2021: Volume 23, Number 46
November 6, 2021: Volume 23, Number 45
October 30, 2021: Volume 23, Number 44
October 23, 2021: Volume 23, Number 43
October 16, 2021: Volume 23, Number 42
October 9, 2021: Volume 23, Number 41
October 2, 2021: Volume 23, Number 40
September 25, 2021: Volume 23, Number 39
September 18, 2021: Volume 23, Number 38
September 11, 2021: Volume 23, Number 37
September 4, 2021: Volume 23, Number 36
August 28, 2021: Volume 23, Number 35
August 21, 2021: Volume 23, Number 34
August 14, 2021: Volume 23, Number 33
August 7, 2021: Volume 23, Number 32
July 31, 2021: Volume 23, Number 31
July 24, 2021: Volume 23, Number 30
July 17, 2021: Volume 23, Number 29
July 10, 2021: Volume 23, Number 28
July 3, 2021: Volume 23, Number 27
June 26, 2021: Volume 23, Number 26
June 19, 2021: Volume 23, Number 25
June 12, 2021: Volume 23, Number 24
June 5, 2021: Volume 23, Number 23
June 5, 2021: Volume 23, Number 22
May 22, 2021: Volume 23, Number 21
May 15, 2021: Volume 23, Number 20