Heartbleed Exposes The Vulnerability Of An IBM i Mentality

    April 28, 2014 Alex Woodie

    When IBM recently patched the Heartbleed vulnerability that existed in the Power Systems firmware, it did more than issue a more secure piece of system code. IBM also demonstrated the fallibility of maintaining an IBM i mentality in an increasingly complex and interconnected world. As IT Jungle’s PTF patch master and IBM business partner Doug Bidwell explains, we can ill afford to think of IBM i as an isolated entity anymore.

    “I just read your article, IBM Patches Heartbleed Vulnerability in Power Systems Firmware. Thank you for getting that out there,” Bidwell writes via email. Bidwell, who edits IT Jungle’s System i PTF Guide, had alerted us to IBM’s April 18 security bulletin revealing the existence of the Heartbleed vulnerability in the Power Systems firmware and the immediate availability of fixes.

    “But, there is something still not gelling with the client base,” Bidwell continues. “Reading your article, I see it there, also. There is no IBM i server. Just as there is no AIX server. Periodically, IBM will announce an OS-specific version of a Power server, such as PowerLinux. But there is only a Power box, and an OS that makes it a server.”

    “One of the legacy conceptions we are all guilty of is that we think of the AS/400 as one entity, a box with an OS that are tightly integrated and a single entity in conversation. That changed when they merged the i and p systems onto Power….”

    So much has changed since that day in April 2008 when IBM formally unveiled the Power Systems platform and did away with System i and System p forever. While the two platforms had shared hardware for some time, that was the day IBM attempted to permanently erase any lines separating those systems.

    Despite the merger of platforms, many in the IBM midrange community maintain the IBM i identity, just as they identified themselves as System/38, AS/400, iSeries, or System i guys or gals before April 2008. It’s a tempting security blanket to hold onto, but the irony is that it may actually hurt security.

    “The entire client base thinks of the one entity,” Bidwell writes. “And that’s the vulnerability, and, the challenge. Because there used to be one entity, when you put on the Cume, and IBM said there were no vulnerabilities, we tended to not touch the box for months, even years at a time. That changed when ‘the merge’ happened, and it’s taking a long time for people to wake up to the point your article both makes and misses, that IBM i is an OS that rides on a Power piece of hardware. Two entities, not one. And they are tightly integrated, but not so much that you can afford to watch only one entity.”

    Specifically, Bidwell points to PASE, the AIX runtime that IBM added to the platform as an option more than a decade ago, but which has become a critical part of the infrastructure stack for applications running on IBM i and Power Systems. If you use Java, the Apache Web server, or the PHP runtime, you’re using PASE, whether you know it or not.

    “PASE added a great deal of functionality to the IBM i OS by allowing many varied licensed program products to be added to the OS/400 we all knew,” Bidwell writes. “But it also added another area of watchfulness. Each licensed program product that resides on PASE is susceptible to its own version schedule, and, its own vulnerabilities.”

    PASE is just one example of how the legacy “Fortress Rochester” AS/400 mentality is clashing with today’s modern and complex Power Systems platform. When IT Jungle attempted to ascertain the significance of the Heartbleed OpenSSL vulnerability that existed in the Power Systems firmware (whether this was a super-critical problem that could be easily exploited, or an obscure flaw that a hacker would have a tough time doing anything with), the IBMer from Rochester punted, saying he didn’t handle the firmware and couldn’t speak to that. Whose responsibility is it? It’s tough to say.

    “The days of monitoring and administering one ‘system’ are gone,” Bidwell writes. “We all need to be watching the hardware, the OS, the licensed programs, and be aware of each of their differences and vulnerabilities. In the SMB marketplace, speaking from the ‘i’ point of view, virtually everyone thinks of their system as an IBM i. It was a great concept while it lasted, but that is not the horse we are riding today. Or, as Tim [Prickett Morgan] put it once, ‘This ain’t your daddy’s AS/400 anymore.'”

    RELATED STORIES

    IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    Heartbleed Postmortem: Time to Rethink Open Source Security?

    Heartbleed, OpenSSL, and IBM i: What You Need to Know

    It’s Official: Now We’re Power Systems and i for Business



Volume 24, Number 15 -- April 28, 2014