A Hacker’s Dozen: 11 New Security Vulns Reported in IBM i
August 23, 2023 Alex Woodie
IBM on August 18 reported 11 new security vulnerabilities in IBM i’s Java stack, including two critical Java flaws that should be patched immediately. The new batch of vulns continues what has been an active summer for security flaws on the platform.
IBM revealed the existence of the 11 Java security flaws in IBM i versions 7.2 through 7.5, and the availability of emergency program temporary fixes (PTFs), in the security bulletin section of its IBM Product Security Central webpage.
The security bulletin shows 11 flaws, CVE-2022-21426 through CVE-2023-21968, impacting various components of the Java stack, including the Java Software …
Guru: Retrieving The Long And Short Object Name
August 14, 2023 Bob Cozzi
Many releases ago, IBM i received “Long SQL Names” for files and libraries. These new longer names (up to 128 characters) were well received by SQL enthusiasts, but largely ignored by the mainstream IBM i developer. As each version of IBM i emerged, more and more shops experienced one or more objects with a longer-than-10-character name.
Recently I created a file named BOAT_TRAFFIC. This name is clearly longer than 10 characters. I used SQL DDL (the CREATE or REPLACE TABLE statement) to create the file. Using SQL DDL is the only real way to create an object with a long …
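As an added example (not code from the article), here is the pattern the teaser describes: CREATE OR REPLACE TABLE with a long SQL name, followed by the catalog lookups that map the long name to its 10-character system name and back. BOAT_TRAFFIC is the file name from the article; the library MYLIB, the columns and the explicit system name BOATTRAF are assumptions.

```sql
-- Added example, not from the article. Library MYLIB, the columns and the
-- system name BOATTRAF are assumptions; BOAT_TRAFFIC is the article's name.
CREATE OR REPLACE TABLE MYLIB.BOAT_TRAFFIC
  FOR SYSTEM NAME BOATTRAF (
    VESSEL_ID    INTEGER NOT NULL PRIMARY KEY,
    VESSEL_NAME  VARCHAR(64),
    ARRIVAL_TS   TIMESTAMP
  );

-- Without FOR SYSTEM NAME the system generates the short name itself
-- (first five characters plus an underscore and a counter, e.g. BOAT_00001).
-- Either way the catalog carries both names side by side.
SELECT TABLE_SCHEMA, TABLE_NAME, SYSTEM_TABLE_SCHEMA, SYSTEM_TABLE_NAME
  FROM QSYS2.SYSTABLES
 WHERE TABLE_SCHEMA = 'MYLIB'
   AND TABLE_NAME   = 'BOAT_TRAFFIC';

-- The reverse lookup: from the system name that CL commands, WRKOBJ and
-- audit journal entries show, back to the long SQL name.
SELECT TABLE_NAME, SYSTEM_TABLE_NAME
  FROM QSYS2.SYSTABLES
 WHERE SYSTEM_TABLE_SCHEMA = 'MYLIB'
   AND SYSTEM_TABLE_NAME   = 'BOATTRAF';
```

SYSTABLES only covers tables and views. For any object type, the QSYS2.OBJECT_STATISTICS table function returns both OBJNAME (the system name) and OBJLONGNAME, so the same mapping is available for programs, service programs and the rest.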
IBM i PTF Guide, Volume 25, Number 31
July 31, 2023 Doug Bidwell
Here’s something to look out for: a D-mode IPL from tape fails with system reference code (SRC) B6005121 on IBM i. Here’s the deal. When the PTF for MA50161 is PERM applied, the PTF for MA50018 is not PERM applied, and a SAVSYS is taken, a D-mode IPL from that tape will fail with SRC B6005121, which is raised by an operating system task during the IBM i boot process.
Also, this week we wanted to remind you that software-related issues cannot be automatically uploaded to IBM technical support using the WRKPRB feature …
Serious New IBM i Vulns Exposed by Silent Signal – More On the Way
July 24, 2023 Alex Woodie
Two new vulnerabilities in core components of the IBM i operating system were disclosed by IBM last week, including one that impacts Performance Tools and another in Facsimile Support for i. Both vulnerabilities were discovered by Silent Signal, the Hungarian firm that discovered the recent DDM vulnerability, and both are considered high risk flaws that should be patched immediately.
More security flaws exist in IBM i that will be disclosed in the months to come, Silent Signal says.
The first new flaw, CVE-2023-30988, pertains to a local privilege escalation vulnerability discovered in Facsimile Support for i, a native IBM …
New “High Priority” DDM Vulnerability Affects IBM i
July 10, 2023 Alex Woodie
Unauthenticated users can remotely run CL or PASE commands on IBM i as a result of a newly discovered vulnerability in the operating system’s Distributed Data Management (DDM) architecture. IBM issued a patch for the flaw, which it classified as moderate. However, the Hungary-based ethical hacking group that discovered the flaw, Silent Signal, recommends treating it as a high priority.
IBM disclosed the DDM security flaw and the availability of program temporary fixes (PTFs) for IBM i versions 7.2 through 7.5 via a security bulletin on June 30. The flaw was assigned the identifier CVE-2023-30990 and given …
Guru: Object Usage Statistics
July 10, 2023 Bob Cozzi
A long time ago in a system far, far away, IBM added the Date Last Used to the Object Description for all objects on the system. The term “last used” means different things to different object types: for *FILE objects it means the file was opened or its description was changed; for *PGM objects it means the program was called; for other objects it generally means what you might think it means (viewed, retrieved/read, updated, etc.). The only exceptions are Device Descriptions, which get updated when a *DEVD changes from “Vary On Pending” to some other status.
The Date Last …
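As an added example (not code from the article), the Date Last Used and the days-used count described above can be read through the QSYS2.OBJECT_STATISTICS table function instead of DSPOBJD, which turns stale-object review into a query. The library PRODLIB and the two-year threshold are assumptions.

```sql
-- Added example, not from the article. PRODLIB and the two-year cutoff are
-- assumptions. The second argument is a space-separated list of object types.
SELECT OBJNAME, OBJTYPE, OBJLONGNAME, OBJOWNER, OBJCREATED,
       LAST_USED_TIMESTAMP, DAYS_USED_COUNT, LAST_RESET_TIMESTAMP
  FROM TABLE(QSYS2.OBJECT_STATISTICS('PRODLIB', '*PGM *SRVPGM *FILE'))
 ORDER BY LAST_USED_TIMESTAMP NULLS FIRST;

-- Programs and service programs that have not been called in two years, or
-- never since the usage counters were last reset (LAST_USED_TIMESTAMP is NULL
-- for an object that has never been used). These are the candidates to review
-- before they are archived or deleted; note that "used" for a *PGM means
-- called, so a program referenced only by a binding step will not count.
SELECT OBJNAME, OBJTYPE, OBJOWNER, LAST_USED_TIMESTAMP, DAYS_USED_COUNT
  FROM TABLE(QSYS2.OBJECT_STATISTICS('PRODLIB', '*PGM *SRVPGM'))
 WHERE LAST_USED_TIMESTAMP IS NULL
    OR LAST_USED_TIMESTAMP < CURRENT TIMESTAMP - 2 YEARS
 ORDER BY OBJOWNER, OBJNAME;
```

Because the per-object count is only bumped once per day, DAYS_USED_COUNT tells you how many distinct days an object was touched since LAST_RESET_TIMESTAMP, not how many times; reset the statistics (with RTVDSKINF/DSPOBJD's reset option, or by the periodic reset your shop already runs) before trusting a low count.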
Four Hundred Monitor, June 28
June 28, 2023 Jenny Thomas
Talk about going all in. IBM dropped $4.6 billion in cash this week to pick up technology spend-management platform Apptio. Compared to the $34 billion Red Hat deal of 2019, this might seem like small potatoes, but that was then, and these days even IBM has had layoffs and hiring freezes, so Big Blue must be feeling very confident this pickup will bolster its capabilities in cloud and automation. “Technology is changing business at a rate and pace we’ve never seen before,” IBM CEO Arvind Krishna said in the release. “To capitalize on these changes, it is essential to …
Guru: Binding Directory Entries
June 5, 2023 Bob Cozzi
I assume you’ve heard about *BNDDIR (Binding Directory) objects, introduced circa 1994 with OS/400 V3R2. The infamous QC2LE binding directory is used by a huge number of RPG applications to access C runtime functions such as system() and unblocked MI functions such as cvthc, cpybytes, and matmatr. You have probably seen RPG IV source code with the BNDDIR('QC2LE') keyword on the header specification.
I was one of the first developers outside of IBM to use Binding Directories for my own code. When I go back and look at my own RPG IV code created prior to mid-2007, well over 90 percent of it …
Critical Security Vulnerability In PowerVM Hypervisor
May 22, 2023 Timothy Prickett Morgan
IBM’s Product Security Incident Response Team (PSIRT) put out a notice on Wednesday, May 17, to inform the Power Systems installed base that there is a very serious security vulnerability in the PowerVM hypervisor. The PSIRT notice and the security bulletin, titled “This Power System firmware update is being released to address CVE-2023-30438,” give the details. The flaw has a CVSS base score of 9.3, which puts it in the critical range.
We very rarely see any security vulnerabilities being reported for the PowerVM hypervisor or for the IBM i operating system itself, for that matter, …
Inside IBM’s Efforts To Modernize The ISV Army
May 15, 2023 Alex Woodie
“You go to war with the army you have, not the army you might want or wish to have at a later time.” IBM executives must feel a bit like the eminently quotable Don Rumsfeld, former Secretary of the Department of Defense, as they marshal their assets in the battle for application supremacy. While some of Big Blue’s partners have honed their IBM i applications into modern weapons, others are fielding old equipment more suitable for a previous war.
It’s no state secret that Big Blue has a legacy problem on its hands in the IBM i world. When the …