IBM Patches New Security Vulns In IBM i Components, Power Firmware
February 12, 2024 Alex Woodie
IBM has patched a series of moderate security vulnerabilities in IBM i products and Power firmware over the past two weeks. The IBM i flaws span Rational Developer for i (RDi), Access Client Solutions (ACS), and the Java development kit and runtime, while the Power flaw involves PowerVM and its communications with the Hardware Management Console (HMC).
Concerns over security hit an all-time high in the IBM i community according to the IBM i Marketplace 2024 study conducted by Fortra. The survey found that 79 percent of IBM i professionals considered security a top concern, a 10 percent increase over last year’s figure and the highest in the ten years Fortra has been conducting the survey.
Applying patches to known security vulnerabilities is one of the easiest things that IBM i customers can do to maintain a secure posture in the face of increased cybercriminal activity. Of course, that typically requires IBM i customers to be on a supported release of the operating system, which is something that has been a struggle for many in the community. IBM sometimes issues a fix for a release of IBM i that’s not supported, although it is rare.
Unlike the flurry of flaws found in the heart of the operating system last year, the latest batch of patches mainly concern licensed program products, which are optional tools that some (but not all) IBM i shops use.
IBM published a security bulletin on February 9 for a flaw (CVE-2023-26159) in RDi, IBM’s flagship development environment for IBM i. The Code Coverage component of RDi has a browser interface that bundles the follow-redirects library, and the flaw could allow a remote attacker to send victims to arbitrary Web sites by using a specially crafted URL. This flaw, which impacts RDi versions 9.8.0.0 and 9.8.0.1 running on Windows and macOS, carries a CVSS Base score of 6.1.
The ACS flaw (CVE-2024-22318) was reported by IBM in a security bulletin on February 8. According to IBM, if an attacker modifies Universal Naming Convention (UNC) paths in ACS configuration files, the path could be pointed to a hostile server, enabling the NT LAN Manager (NTLM) hash to be harvested and leading to compromised authentication information. This flaw carries a CVSS Base score of 5.1, and impacts ACS versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4.
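The ACS issue above is a configuration-tampering problem: a UNC path in a client config file that now points at a server the organisation does not own is the tell-tale sign. The following script is an added defensive example, not code from IBM or from this article; it scans config text for UNC-style paths and flags any whose host is outside an allowlist. The property keys, hostnames and the sample config content are all constructed for illustration and do not reflect real ACS file formats.

```python
import re

# Constructed sample configuration text. The keys and hosts are hypothetical
# and are not taken from a real Access Client Solutions install.
SAMPLE_CONFIG_LINES = [
    r"com.example.acs.logdir=C:\Users\alice\IBM\ClientSolutions\Logs",
    r"com.example.acs.plugin.dir=\\fileserver01\acs\plugins",
    r"com.example.acs.shared.dir=\\203.0.113.45\share\acs",
    r"com.example.acs.backup.target=//nas02.corp.example/backups",
]
SAMPLE_CONFIG = "\n".join(SAMPLE_CONFIG_LINES)

# Hypothetical allowlist of file-server hosts the organisation actually operates.
TRUSTED_HOSTS = {"fileserver01", "nas02.corp.example"}

# A UNC path starts with two backslashes (or two forward slashes), then a host
# name, then a separator and the share/path. A single backslash, as in a local
# drive path such as C:\Users, does not match.
UNC_RE = re.compile(r'(?:\\\\|//)([^\\/\s]+)[\\/]\S*')


def find_unc_paths(text):
    """Return a list of (line_no, host, path) for every UNC-style path in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in UNC_RE.finditer(line):
            findings.append((line_no, match.group(1), match.group(0)))
    return findings


def untrusted_unc_hosts(text, trusted_hosts):
    """Return only the UNC findings whose host is not in the allowlist.

    Host comparison is case-insensitive, since SMB host names are.
    """
    trusted = {h.lower() for h in trusted_hosts}
    return [f for f in find_unc_paths(text) if f[1].lower() not in trusted]


if __name__ == "__main__":
    # Stand-alone run over the constructed sample: prints one line per
    # UNC path that points outside the allowlist.
    for line_no, host, path in untrusted_unc_hosts(SAMPLE_CONFIG, TRUSTED_HOSTS):
        print(f"line {line_no}: UNC path to untrusted host {host!r}: {path}")
```

In a real deployment you would feed the script the contents of each ACS configuration file on a workstation and treat any hit outside the allowlist as an indicator that the file has been altered; the patched ACS release remains the actual fix.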
The latest flaws in the Java Software Development Kit (SDK) and the IBM i runtime for Java, which IBM disclosed in a February 6 security bulletin, strike a bit closer to the operating system. IBM has patched three flaws, CVE-2023-22081, CVE-2023-22067, and CVE-2023-5676, with CVSS Base scores of 5.3, 5.3, and 4.1, respectively, that could compromise confidentiality or cause an infinite busy hang. The patches are available for IBM i 7.3 through 7.5.
Meanwhile, IBM issued a security bulletin on January 24 about a series of OpenSSL vulnerabilities in the firmware shipped with Power10 servers. IBM uses OpenSSL to encrypt communications between the HMC and PowerVM, which are handled by something called the Virtualization Management Interface. The vulnerabilities open IBM Power users to a couple of avenues of attack.
The flaws include CVE-2022-4304, an information-disclosure vulnerability in the RSA decryption implementation that carries a CVSS Base score of 5.9. OpenSSL is also subject to three denial of service (DoS) vulnerabilities, CVE-2023-0286, CVE-2023-0215, and CVE-2022-4450, which carry CVSS Base scores of 8.2, 7.5, and 7.5 respectively. Customers running specific IBM Power System models, including the S1022, S1022s, S1024, S1014, L1022, L1024, and E1050, have the vulnerable firmware and are encouraged to apply the patches.
PowerVM was also found to be susceptible to CVE-2023-33851, which could reveal sensitive data to a system administrator. The flaw, which carries a CVSS Base score of 5.3, impacts a range of Power9 and Power10 servers, according to the February 2 security bulletin.