ACS, Merlin Hit With Serious Security Vulnerabilities
December 11, 2023 Alex Woodie
Three serious security vulnerabilities in IBM i Access Client Solutions and six in Merlin were disclosed and patched by IBM last week. The flaws could allow attackers to commit a range of crimes, from executing arbitrary code and denial of service attacks, to obtaining sensitive data on IBM i and conducting phishing attacks. All of the flaws – including another three reported by IBM in November – should be patched immediately.
IBM published a security bulletin December 8 covering all three of the ACS flaws, which impact ACS versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3. The fix is to download and install ACS version 1.1.9.4 or later.
The most serious among them is CVE-2023-45185, which carries a CVSS Base score of 7.4. IBM says this flaw could allow an attacker to execute remote code due to improper authority checks. The second most serious flaw is CVE-2023-45182, which carries a CVSS Base score of 7.1. IBM says this flaw could enable a cybercriminal to gain access to an encrypted password, thereby enabling them to get passwords to other systems. Finally there is CVE-2023-45184, which carries a CVSS Base score of 6.2. IBM says this flaw could allow an attacker to obtain a decryption key due to improper authority checks.
There are no workarounds to any of the flaws, according to IBM. No more information was available on these flaws, which have not yet been logged in the National Institute of Standards and Technology’s (NIST) National Vulnerability Database.
Meanwhile, IBM i Modernization Engine for Lifecycle Integration, or Merlin, was also hit with multiple security vulnerabilities. According to IBM’s December 7 security bulletin, four of the vulnerabilities exist in Apache Tomcat, and one each in Merlin’s JSON and HTTP/2 implementations.
The Tomcat flaws include CVE-2023-42795, which could allow a remote attacker to obtain sensitive information due to an incomplete cleanup vulnerability when recycling various internal objects. It carries a CVSS Base score of 7.5. There is also CVE-2023-41080, which could allow a remote attacker to conduct phishing attacks due to an open redirect vulnerability in the FORM authentication feature. It has a CVSS Base score of 6.5.
Merlin’s Tomcat is also susceptible to CVE-2023-45648, a “request smuggling” vulnerability caused by improper parsing of HTTP trailer headers that could enable bad guys to execute a cross site scripting (XSS) attack. It garnered a 5.3 on the CVSS Base score scale. Finally, there is CVE-2023-34981, which could allow a cyber crook to obtain sensitive information due to a flaw in Tomcat when there are no HTTP headers set in a response. This one carries a CVSS Base score of 7.5.
The JSON flaw, CVE-2023-5072, makes Merlin vulnerable to a denial of service (DoS) attack thanks to a bug in the parser. It carries a CVSS Base score of 7.5. Finally, there is CVE-2023-44487, another DoS vulnerability caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. This flaw also carries a CVSS Base score of 7.5.
The Merlin flaws exist in versions 1.0.0 through 1.4.4. The flaws can be fixed by upgrading to Merlin version 1.4.5 or later.
It’s been a busy year for IBM i security flaws, which can either be viewed as a good thing (because IBM is disclosing and patching them) or a bad thing (because the flaws exist). In any case, administrators should have extra incentive to fix the flaws fast, as government prosecutors and regulators are beginning to crack down on companies that put their customers’ data at risk due to a failure to patch known vulnerabilities.
Since our last IBM i security vulnerability roundup on November 1, there have been a dozen new security vulnerabilities disclosed in the IBM i operating system or related products, including the ACS and Merlin vulns.
The other ones include CVE-2023-42006, a critical security flaw in IBM Administration Runtime Expert for i that IBM disclosed in a November 29 security bulletin. The flaw, which carries a CVSS Base score of 8.4 and impacts IBM i 7.2 through 7.5, “could allow sensitive information stored in a file, including passwords, to be obtained by an attacker,” IBM said.
It also includes CVE-2023-22049, an unspecified flaw in the Java SDK and runtime that could enable an attacker to “cause low integrity impacts,” IBM says in a November 27 security bulletin. This flaw, which carries a CVSS Base score of 3.7, has been addressed in IBM i 7.3 through 7.5 with the latest Java PTF Group.
Then there is the latest Samba flaw, CVE-2023-4091, a nasty little bugger that could allow a cybercriminal to bypass security restrictions and truncate files to zero bytes, according to IBM’s November 9 security bulletin. This flaw impacts IBM i 7.2 through 7.4 and carries a CVSS Base score of 8.8, making it a critical threat.
You can read all of IBM’s security vulnerabilities at the IBM Product Security Central webpage. However, that webpage for some reason is only limited to 1,000 individual security flaws, or enough for about a week’s worth of IBM security flaws (the company is very particular about reporting every individual flaw in every product and configuration). For faster alerting on IBM i security flaws, you can subscribe to IBM Security Bulletins. Or better yet, read Doug Bidwell’s weekly IBM i PTF Guide and our periodic security flaw roundups in IT Jungle. Happy patching!
Editor’s Note: The recently discovered Samba flaw, CVE-2023-4091, does not impact IBM i 7.5 as originally reported. IT Jungle regrets the error.
Very good job! Bob Losey
One correction. On the Samba issue it does not affect 7.5. While your article says “This flaw impacts IBM i 7.2 through 7.5” the link you provided only says 7.2 through 7.4. That’s confirmation 1.
Confirmation 2: On https://www.ibm.com/support/pages/750-v7r4m0-v7r5m0-fix-cross-reference-summary there is no matching 7.5 ptf for the 7.4 ptf listed.
Confirmation 3: Samba is no longer supplied with 7.5. https://www.ibm.com/support/pages/planning-upgrade-ibm-i-75-software
Thanks for the heads-up, Rob. We’ll get this corrected ASAP.