One of the best ways to protect your IBM i from any vulnerability is to keep your PTFs current. Paying your Software Maintenance bill entitles you to bug fixes, enhancements and new versions of IBM i. IBM continuously releases fixes and new enhancements for supported releases, so why not take advantage of what you are paying for?
Over the past few months, there have been several PTFs related to IBM i security. We are not used to having this level of exposure on our beloved platform, and it has many people feeling anxious. The good news is that IBM is providing the fixes needed to plug these serious exposures.
Eleven different security vulnerabilities
IBM’s recent PTFs mitigate eleven different vulnerabilities that affect Node.js, OpenSSH, Samba, Spectre, and Meltdown. The good news is that if you’re not using Node.js, OpenSSH or Samba, then you don’t have to worry about applying those PTFs. But everyone should be concerned with the Spectre and Meltdown PTFs, because they address vulnerabilities that exist at the chip level and therefore affect everyone.
Let’s take a closer look at the vulnerabilities IBM’s new security PTFs address.
More for Spectre and Meltdown
The most recent round of IBM i PTFs includes some additional patches for the Spectre and Meltdown vulnerabilities. These PTFs address four vulnerabilities at the microprocessor level (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, and CVE-2018-3639), all of which involve speculative execution. You can read more about them in the October 16, 2018 IBM Security Bulletin.
These PTFs are not the only ones that address Spectre and Meltdown. There have been several others that you also need to be sure you have applied. In addition to applying the IBM i software PTFs, you also need to apply PTFs to the firmware. You can apply the IBM i PTFs listed above first, but if you don’t apply the firmware patches and perform an IPL, it can affect any mitigations you may be planning.
Node.js and OpenSSH Vulnerabilities with Open Source
While Spectre and Meltdown are vulnerabilities that originate at the hardware level, our next set of PTFs focuses on vulnerabilities caused by software. One of the great things about IBM i is that it can support Open Source tools, which is allowing companies to attract younger generations to working with the platform. The problem with open source is that we now have more potential points of entry into the system, and those entry points need to be secured.
In September, IBM released a PTF to address two vulnerabilities (CVE-2018-12115 and CVE-2018-7166) that affect Node.js. These vulnerabilities can leave sensitive data exposed without you even realizing it, and they can leave you subject to a denial of service attack. IBM classified these PTFs as having high severity for POWER systems. If you’re using Node.js, you should put this PTF high on your to-do list.
Companies use SSH to encrypt their data over remote connections. OpenSSH is an open source version of SSH that is used on IBM i. There is only one vulnerability related to SSH (CVE-2018-15473), which could allow a hacker to gain access to sensitive information because the server responds differently to valid and invalid attempts at authentication. This exposure has a medium level of risk associated with it.
Are you using Samba for file and print services? If so, then you need to consider applying IBM’s PTFs that address five Samba vulnerabilities (CVE-2018-10918, CVE-2018-1139, CVE-2018-10919, CVE-2018-10858, and CVE-2018-1140). These vulnerabilities can expose your sensitive data or, worse, result in denial of service attacks and a complete application shutdown. The Samba vulnerabilities range from medium to high risk, so they shouldn’t be taken lightly. You can get more details in the IBM Security Bulletin.
Keep Current to Protect your IBM i
IBM provides lots of Security Bulletins. While many of them have no impact on IBM i, lately we’ve seen more security-related fixes than normal. That may scare some people, but it doesn’t have to. The solution is to keep up with the recommended IBM PTFs, and you’ll increase the security of your IBM i.
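One way to check how current a partition is, and whether any applied PTF is still waiting on the IPL mentioned in the Spectre and Meltdown section, is to query the IBM i Services views. This is an added example, not part of the original article; it covers IBM i PTFs only, not firmware levels, and assumes a release that ships these views.

```sql
-- Added example: run from ACS Run SQL Scripts or STRSQL.

-- 1) PTF groups whose installed level is behind the level IBM has published.
--    SYSTOOLS.GROUP_PTF_CURRENCY contacts IBM for the available levels, so the
--    partition needs outbound internet access for this query to return rows.
SELECT ptf_group_id,
       ptf_group_title,
       ptf_group_level_installed,
       ptf_group_level_available,
       ptf_group_last_updated_by_ibm
  FROM systools.group_ptf_currency
 WHERE ptf_group_level_installed < ptf_group_level_available
 ORDER BY ptf_group_id;

-- 2) PTFs that are on the system but have an action outstanding at the next
--    IPL. Until that IPL happens, the fix they carry is not in effect.
SELECT ptf_product_id,
       ptf_identifier,
       ptf_loaded_status,
       ptf_ipl_action,
       ptf_ipl_required
  FROM qsys2.ptf_info
 WHERE ptf_ipl_action <> 'NONE'
 ORDER BY ptf_product_id, ptf_identifier;
```

An empty result from both queries means every installed PTF group matches IBM's published level and no PTF is waiting on an IPL.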