Summer of IBM i Vulnerabilities
September 18, 2024 Alex Woodie
IBM has patched more than two dozen software vulnerabilities in the IBM i stack over the past few months, including flaws in Merlin, MQ, OpenSSH, the Java stack, Db2, Performance Tools, and the HTTP Server (the one powered by Apache). Nine of the security vulnerabilities carry CVSS Base scores of 7 or higher, while one is above 8, making these serious security threats. If you haven’t applied the patches yet, you’re encouraged to do it soon.
Working backwards from the most recent security bulletins, we start with September 5, when IBM issued patches for three vulnerabilities in Merlin, which officially is known as the IBM i Modernization Engine for Lifecycle Integration. The vulnerabilities stem from flaws in Golang and impact both version 1 (which is no longer supported) and version 2 of Merlin.
The first flaw, CVE-2022-30636, could allow an attacker to traverse directories, while another, CVE-2023-45288, opens up the possibility of a denial of service (DOS) attack. Both of these flaws carry CVSS Base scores of 7.5, making them moderately severe flaws. The third flaw impacting Merlin, CVE-2023-3978, carries a cross-site scripting risk. See the IBM Security Bulletin 7165994 for more info and emergency PTF patch numbers.
On September 4, IBM patched an OpenSSL flaw in IBM MQ Advanced Message Security on IBM i that could allow an attacker to launch a DOS attack on the impacted server. The specific flaw in OpenSSL, CVE-2024-2511, carries a security score of 3.7, making it a minor threat. For more information, see Security Bulletin 7167211.
A more serious threat can be found in Security Bulletin 7166691, which was published August 28 and documents a newly discovered flaw in OpenSSH that could allow an attacker to execute arbitrary code on servers running IBM i version 7.5. CVE-2024-6387 carries a security score of 8.1, making it a serious threat.
On July 22, IBM addressed a pair of security flaws in the HTTP Server (the one powered by Apache) in Security Bulletin 7160932, which impacts IBM i 7.2 through 7.5. This security bulletin covers CVE-2023-38709 and CVE-2024-24795, both of which make the Web server vulnerable to an “HTTP response splitting attack” and carry security scores of 6.5, making them moderate threats.
On July 9, IBM issued Security Bulletin 7159328, which addressed three flaws in the IBM i Java stack for IBM i 7.3 through 7.5. The first flaw, CVE-2024-21085, impacts Java SE with a potential “low availability” situation that carries a security score of 3.7. The second flaw, CVE-2023-38264, could enable a DOS attack on the IBM SDK for Java; it has a security score of 5.9, making it a moderate threat. The third flaw, CVE-2024-3933, impacts Eclipse OpenJ9 and could allow an authenticated attacker to gain read and write access beyond their credentials. It carries a CVSS Base score of 5.3.
On July 3, IBM issued Security Bulletin 7159615, which addressed an elevated-privilege flaw in IBM Managed System Services for i and IBM System Management for i. CVE-2024-38330 carries a security score of 7, making it a moderately serious threat to IBM i 7.2 through 7.4. IBM updated the security bulletin last week to cite the correct PTFs.
On June 25, IBM issued Security Bulletin 7158582, which addressed a security flaw in the HTTP Server (the one powered by Apache) that could allow an attacker to launch a DOS attack on servers running IBM i 7.3 through 7.5. CVE-2024-27316 carries a security score of 7.5, making it a moderately serious flaw.
On June 20, IBM issued Security Bulletin 7158240 to address a local privilege escalation vulnerability in TCP/IP Connectivity Utilities for i on IBM i versions 7.3 through 7.5. CVE-2024-31890 carries a security score of 7.8, making it a serious flaw.
On June 15, IBM issued Security Bulletin 7157638 to address a user enumeration vulnerability in Db2 for i caused by a supplied table function. The specific flaw at issue, CVE-2024-31870, carries a security score of 3.3, making it a minor threat to customers running IBM i 7.2 through 7.5.
On June 14, IBM issued Security Bulletin 7157637, which addresses a security flaw impacting Db2 for IBM i on versions 7.2 through 7.5. The specific flaw, CVE-2024-27275, covers a local privilege escalation vulnerability due to an insufficient authority requirement, and carries a security score of 7.4.
“A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file,” IBM says in the security bulletin. IBM modified the bulletin on June 20 to clarify the correct PTFs that IBM i users should apply.
On June 6, IBM issued Security Bulletin 7156725 to fix a user profile enumeration flaw in IBM i Service Tools Server (SST). The flaw is tracked as CVE-2024-31878, which carries a CVSS Base score of 5.3. IBM i versions 7.2 through 7.5 are impacted.
On June 5, IBM issued Security Bulletin 7156529 to address several flaws in IBM WebSphere Application Server Liberty running on IBM i 7.2 through 7.5. The patch fixes CVE-2023-50312, which delivered “weak TLS security” and carries a security score of 5.3; CVE-2024-27270, a cross-site scripting flaw with a score of 4.7; CVE-2024-25026, a denial of service flaw with a score of 5.9; CVE-2024-27268, another DOS flaw with a security score of 5.9; CVE-2024-22329, a server-side request forgery with a security score of 4.3; and CVE-2024-22353, a DOS flaw with a security score of 5.9.
On May 18, IBM issued Security Bulletin 7154380, which addresses a DOS vulnerability caused by deserialization of untrusted data in Management Central. This patch fixes CVE-2024-31879, which carries a security score of 7.5, making it a moderate threat.
On May 21, IBM issued Security Bulletin 7154595, which addressed a local privilege escalation vulnerability as the result of an unqualified library call in IBM Performance Tools for i in all releases of IBM i from 7.2 to 7.5. The specific flaw, CVE-2024-27264, carries a CVSS Base score of 7.4.
On May 13, IBM issued Security Bulletin 7142039, which addressed a DOS flaw in the HTTP/2 protocol in HTTP Server (the one powered by Apache). CVE-2023-44487, which has a security score of 7.5, impacts IBM i 7.3 through 7.5.
As always, you can keep up with all of IBM’s PTFs (security and otherwise) with Doug Bidwell’s PTF Guide. Click here to read the latest issue.