April Showers Bring May IBM i Security Vulnerabilities
May 8, 2024 Alex Woodie
IBM has patched more than a dozen security flaws in IBM i and related products this spring, including serious flaws in the operating system proper and the compilers, and a critical vulnerability in Administration Runtime Expert that landed a nearly perfect CVSS Base score.
In the interest of time, let's cover the security vulnerabilities in descending order of severity. That means we're starting with the worst and then moving on to the slightly less bad.
ARE Flaw
The flaw reported in Administration Runtime Expert for i (ARE), which IBM launched in 2010 to make it easier to manage IBM i environments, is the most pressing concern for IBM i administrators. That's because it could allow a cybercriminal to run arbitrary code on IBM i by remotely sending a specially crafted request to the vulnerable software, which is never a good thing.
The ARE flaw is in Dojo, a JavaScript library that IBM uses to render the product's GUI. Dojo's setObject function, which assigns a value to a dotted property path such as "a.b.c" and creates the intermediate objects along the way, is vulnerable to prototype pollution: a caller who controls the path can steer the walk through "__proto__" (or "constructor.prototype") and plant properties on Object.prototype, which every other object in the application then inherits. The vulnerability, CVE-2021-23450, was first published in 2021 and was updated on April 24 of this year, when IBM first reported it as impacting IBM i. It carries a CVSS Base score of 9.8, making it a critical flaw.
The Dojo flaw impacts ARE in IBM i versions 7.2 through 7.5. There are no workarounds, and users are encouraged to apply the emergency PTFs immediately. See IBM's security bulletin for more information and PTF numbers.
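To make the setObject-style prototype pollution concrete, here is an added example (not Dojo's code and not from IBM's bulletin): a hypothetical dotted-path setter with the vulnerable shape, the hardened version beside it, and two attacker-controlled paths, constructed here, that reach Object.prototype through the unsafe walker.

```javascript
// Keys that must never be traversed when a caller controls the path: each one
// is a route from an ordinary object up to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical dotted-path setter in the style of a setObject(name, value, ctx)
// helper: walk "a.b.c" from ctx, creating intermediate objects, and assign the
// last segment. This is the vulnerable shape, not Dojo's own source.
function setObjectUnsafe(path, value, context) {
  const parts = path.split('.');
  let obj = context;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // obj['__proto__'] is never undefined, so the walk silently steps up into
    // Object.prototype ('constructor' then 'prototype' gets there as well).
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return value;
}

// Hardened version: reject the dangerous segments outright, and only descend
// into the context's own plain-object properties, never inherited ones.
function setObjectSafe(path, value, context) {
  const parts = path.split('.');
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`setObjectSafe: refusing to traverse key "${key}"`);
    }
  }
  let obj = context;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return value;
}

// Attacker-controlled paths, constructed here to stand in for a path taken
// from an untrusted request. Both reach Object.prototype in the unsafe walker.
const ATTACK_PATHS = ['__proto__.isAdmin', 'constructor.prototype.isAdmin'];

// Returns true if the unsafe setter let `path` plant isAdmin on every object.
function pollutes(path) {
  try {
    setObjectUnsafe(path, true, {});
    const unrelated = {};            // created afterwards, never touched
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  }
}

// Returns true if the hardened setter both rejected `path` and left
// Object.prototype untouched.
function blocks(path) {
  let rejected = false;
  try {
    setObjectSafe(path, true, {});
  } catch (e) {
    rejected = true;
  }
  const unrelated = {};
  const clean = unrelated.isAdmin === undefined;
  delete Object.prototype.isAdmin;
  return rejected && clean;
}

// Normal use still works: nested path creation on a plain context object.
function legitimateUse() {
  const ctx = {};
  setObjectSafe('ui.theme.color', 'blue', ctx);
  return ctx.ui.theme.color;
}

for (const p of ATTACK_PATHS) {
  console.log(`${p}: unsafe pollutes=${pollutes(p)}, hardened blocks=${blocks(p)}`);
}
console.log('legitimate:', legitimateUse());
```

The point of the second attack path is that a deny-list containing only "__proto__" is not enough; "constructor" and "prototype" must be rejected too, and the walker should never follow inherited properties. Freezing Object.prototype at startup (Object.freeze) is a belt-and-braces measure for code you cannot patch.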
IBM i and RDS Flaw
IBM reported a privilege escalation flaw in IBM i and Rational Development Studio (RDS) for i on April 27, 2024. The vulnerability was traced to an unqualified library call in the IBM i networking and compiler infrastructure, and it could allow user-controlled code to run with administrator privilege when a malicious CL command is submitted. The reason an unqualified call matters on IBM i is that a program named without its library is resolved through the job's library list (*LIBL), so a user who can get a library of their own searched ahead of the system library can have their own object run in place of the one the caller intended, with whatever authority the caller holds.
The flaw, which was assigned CVE-2024-25050 in the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE and mirrored in the National Vulnerability Database of the National Institute of Standards and Technology (NIST), has a CVSS Base score of 8.4, making it a serious threat. There are no workarounds, and IBM encourages all customers running IBM i 7.2 through 7.5 to apply the emergency PTFs to fix the problem. IBM did not say who discovered the vulnerability.
To remedy the flaw, customers will have to apply around 20 PTFs for each version of IBM i. The specific PTF numbers for each release are listed in the security bulletin. IBM also issued a security bulletin for RDS, but it covers the same flaw with the same fix.
Java Flaws
In late March, IBM fixed half a dozen newly discovered security flaws in the Java Software Development Kit (SDK) and Java runtime for IBM i.
Five of the flaws are due to “unspecified vulnerabilities” in various components of Java SE (Standard Edition) that could “cause high confidentiality impact and high integrity impact,” IBM says in its March 27 security bulletin.
Two of these flaws, CVE-2024-20952 and CVE-2024-20918, can be exploited by remote attackers and carry CVSS Base scores of 7.4, making them high-severity threats. Two others, CVE-2024-20921 and CVE-2024-20926, can also be exploited remotely and carry CVSS Base scores of 5.9, making them medium-severity threats. The fifth, CVE-2024-20945, can only be exploited by an authenticated attacker with local access, and it was given a CVSS Base score of 4.7.
The final Java flaw, CVE-2023-33850, is a timing-based side channel in the RSA decryption implementation of the GSKit-Crypto library. By sending an overly large number of trial messages for decryption and measuring how the implementation responds to each, a remote attacker could recover sensitive information. This flaw carries a CVSS Base score of 7.5, making it a high-severity threat.
IBM fixed the Java flaws with PTFs for IBM i versions 7.3 through 7.5. For more information, see the March 27 security bulletin.
ACS Flaws
IBM issued a pair of security bulletins to bring attention to three vulnerabilities recently discovered and patched in Access Client Solutions (ACS), the widely used IBM utility for working with the server.
The first security bulletin covers two flaws in Apache Commons Compress, an open source compression library that IBM uses in ACS's Data Transfer feature for transfers from Excel.
The first Apache Commons Compress flaw, CVE-2024-25710, could let an attacker cause a denial of service (DoS) by supplying a specially crafted DUMP archive that sends the parser into an infinite loop. The second, CVE-2024-26308, also allows a DoS, this time by exhausting memory with a specially crafted Pack200 file.
Both flaws carry a CVSS Base score of 5.5, making them medium-severity threats. They exist in ACS versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4. The fix is to upgrade to ACS version 1.1.9.5, which IBM shipped last month.
The second security bulletin for ACS, also issued April 19, alerts users to CVE-2023-48795, the SSH transport-protocol weakness known as the Terrapin attack. It affects the Apache MINA SSHD library that ACS's Open Source Package Manager component uses to connect to and authenticate with the server.
IBM describes it as a machine-in-the-middle attack caused by a flaw in the extension negotiation process of the SSH transport protocol when used with certain OpenSSH extensions. In practice, an attacker on the path can delete messages from the start of the encrypted channel without either side noticing (prefix truncation), which matters when chacha20-poly1305@openssh.com, or a CBC cipher paired with an encrypt-then-MAC (-etm@openssh.com) MAC, is negotiated. The countermeasure is the "strict kex" extension, which closes the hole only when both client and server support it. The flaw carries a CVSS Base score of 5.9, making it a medium-severity threat. The remediation, as before, is to upgrade to ACS version 1.1.9.5.
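The strict-kex and cipher conditions above are exactly what a Terrapin check has to evaluate. The following is an added example, not code from IBM, ACS or Apache MINA: it takes the algorithm name-lists both sides would advertise in SSH_MSG_KEXINIT, performs the RFC 4253 negotiation, and reports whether the resulting connection is exposed. The name-lists are constructed samples, not captures from a real session; the strict-kex marker names are the real ones defined by OpenSSH.

```javascript
// Select one algorithm per RFC 4253 section 7.1: the first entry in the
// client's name-list that the server also advertises, or null if none match.
function negotiate(clientList, serverList) {
  const offered = new Set(serverList);
  for (const name of clientList) {
    if (offered.has(name)) return name;
  }
  return null;
}

// Pseudo-algorithm names each side adds to its kex list to signal support for
// the strict key exchange countermeasure that closes CVE-2023-48795.
const STRICT_KEX_CLIENT = 'kex-strict-c-v00@openssh.com';
const STRICT_KEX_SERVER = 'kex-strict-s-v00@openssh.com';

// Assess one connection from the name-lists both sides put in SSH_MSG_KEXINIT.
// Each side is {kex, encryption, mac}: arrays of names in preference order.
function assessTerrapin(client, server) {
  const cipher = negotiate(client.encryption, server.encryption);
  const mac = negotiate(client.mac, server.mac);
  const strictKex =
    client.kex.includes(STRICT_KEX_CLIENT) && server.kex.includes(STRICT_KEX_SERVER);
  const chacha = cipher === 'chacha20-poly1305@openssh.com';
  const cbcEtm = /-cbc$/.test(cipher || '') && /-etm@openssh\.com$/.test(mac || '');
  let reason;
  if (strictKex) reason = 'strict kex negotiated on both sides';
  else if (chacha) reason = 'chacha20-poly1305@openssh.com without strict kex';
  else if (cbcEtm) reason = `${cipher} with ${mac} (CBC + encrypt-then-MAC) without strict kex`;
  else reason = 'negotiated cipher/MAC combination is not affected';
  return { cipher, mac, strictKex, vulnerable: !strictKex && (chacha || cbcEtm), reason };
}

// Constructed sample KEXINIT name-lists (not captured from a real session).
const UNPATCHED_CLIENT = {
  kex: ['curve25519-sha256', 'diffie-hellman-group14-sha256'],
  encryption: ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-ctr'],
  mac: ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-256'],
};
const UNPATCHED_SERVER = {
  kex: ['curve25519-sha256', 'diffie-hellman-group14-sha256'],
  encryption: ['aes128-ctr', 'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com'],
  mac: ['hmac-sha2-256', 'hmac-sha2-256-etm@openssh.com'],
};
// Patched peers are identical except for the strict-kex marker in the kex list.
const PATCHED_CLIENT = { ...UNPATCHED_CLIENT, kex: [...UNPATCHED_CLIENT.kex, STRICT_KEX_CLIENT] };
const PATCHED_SERVER = { ...UNPATCHED_SERVER, kex: [...UNPATCHED_SERVER.kex, STRICT_KEX_SERVER] };
// A client that prefers an AEAD cipher other than chacha20 is not exposed even
// against an unpatched server.
const GCM_CLIENT = { ...UNPATCHED_CLIENT, encryption: ['aes256-gcm@openssh.com', 'aes128-ctr'] };
// A legacy pairing where CBC plus encrypt-then-MAC is the best common choice.
const CBC_CLIENT = { ...UNPATCHED_CLIENT, encryption: ['aes128-cbc'], mac: ['hmac-sha2-256-etm@openssh.com'] };
const CBC_SERVER = { ...UNPATCHED_SERVER, encryption: ['aes128-cbc', 'aes128-ctr'] };

// Run the scenarios and return a name -> assessment map.
function runScenarios() {
  return {
    bothUnpatched: assessTerrapin(UNPATCHED_CLIENT, UNPATCHED_SERVER),
    onlyClientPatched: assessTerrapin(PATCHED_CLIENT, UNPATCHED_SERVER),
    bothPatched: assessTerrapin(PATCHED_CLIENT, PATCHED_SERVER),
    gcmPreferred: assessTerrapin(GCM_CLIENT, UNPATCHED_SERVER),
    cbcEtm: assessTerrapin(CBC_CLIENT, CBC_SERVER),
  };
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(`${name}: vulnerable=${r.vulnerable} (${r.reason})`);
}
```

The onlyClientPatched scenario is the one that bites in practice: upgrading ACS fixes the client side, but the connection is only protected when the IBM i sshd it talks to also advertises kex-strict-s-v00@openssh.com, so the server's OpenSSH PTF level matters as much as the ACS version. The same logic can be run against real KEXINIT lists pulled from a packet capture or from ssh -vvv output.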
Quickly applying emergency PTFs when IBM delivers them is an important step in building a secure IBM i environment. You can subscribe to IBM's My Notifications service to automatically receive alerts on IBM security fixes. You can also subscribe to IT Jungle and read Doug Bidwell's PTF Guide to stay up to date. IT Jungle also maintains a list of all recent security vulnerabilities in IBM i.
RELATED STORIES
IBM Cranks Up the Performance for Run SQL Scripts
More Critical Security Vulns Reported In IBM i Components
IBM Patches New Security Vulns In IBM i Components, Power Firmware