A Hacker’s Dozen: 11 New Security Vulns Reported in IBM i

August 23, 2023 Alex Woodie

IBM on August 18 reported 11 new security vulnerabilities in IBM i’s Java stack, including two critical Java flaws that should be patched immediately. The new batch of vulns continues what has been an active summer for security flaws on the platform.

IBM revealed the existence of the 11 Java security flaws in IBM i version 7.2 through 7.5 and the availability of emergency program temporary fixes (PTFs) on the security bulletin section of its IBM Product Security Central webpage.

The security bulletin shows 11 flaws, CVE-2022-21426 through CVE-2023-21968, impacting various components of the Java stack, including the Java Software Development Kit (SDK) and the Java Runtime for IBM i. The flaws could potentially expose IBM i users to a variety of threats, including denial of service (DOS) attacks, and loss of availability, integrity, and confidentiality of data, IBM’s website states.

The most severe flaw is CVE-2023-21930, an unspecified vulnerability in Oracle Java SE (Standard Edition) and Oracle GraalVM Enterprise Edition that’s related to the Java Secure Socket Extension (JSSE) component. This flaw could allow an unauthenticated attacker to cause a high confidentiality impact and a high integrity impact, and carries a CVSS Base score of 7.4 (on a scale of 10).

The second critical flaw is CVE-2023-2597, which is described as a buffer overflow flaw in Eclipse Openj9 caused by improper bounds checking. A local authenticated attacker could overflow a buffer and execute arbitrary code on the system by using specially crafted input, the security alert says. This flaw carries a CVSS Base score of 7

Several other flaws carry moderate impacts, including CVE-2023-21967 and CVE-2023-21954, which carry CVSS Base scores of 5.9; and CVE-2022-21426, CVE-2023-21939, and CVE-2023-21830, with CVSS Base scores of 5.3. Four other flaws have a score of 3.7.

There are no workarounds for any of these flaws, and users are encouraged to apply the available PTFs immediately. For each operating system release, there is a single PTF that will fix all 11 Java flaws. See this security bulletin for links to download the PTFs.

IBM also gave this warning to users who run their own Java code: “If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code.”

It’s been an active summer for security flaws on IBM i. Going back to May 1, there have been 28 individual security flaws impacting IBM i, according to a search of security bulletins on IBM’s Product Security Central. Many of these flaws impact open source components, such as Java and OpenSSL, which tend to attract the most attention from hackers. But many of the flaws have also impacted core components of the IBM i stack, including DDM, Performance Tools, and Facsimile Report.

All told, the year has brought 52 known vulnerabilities to the IBM i platform. With more than four months left, that number is sure to grow.

RELATED STORIES

Midsummer Security Indicators: Hot and Gloomy

A Decade of Data Breaches: Some Things Never Change

Serious New IBM i Vulns Exposed by Silent Signal – More On the Way

New “High Priority” DDM Vulnerability Affects IBM i