On 4/10/2014 12:25 PM, Amy Hoerle wrote:
It appears the latest version available is 0.9.8m per the PTF listing
located at http://www-01.ibm.com/support/docview.wss?uid=nas8N1012172 so
we should all be fine.

Not sure what you have or need to show a manager?

1. call qp2term
2. cd /QOpenSys/QIBM/UserData/SC1/OpenSSL
3. ls

On my system I see:
openssl-0.9.7d openssl-0.9.8j

Are we having fun yet???

This presumes that there isn't any open source project on your IBM i
that uses a vulnerable version. A version which lives in a different

The best part is where we're asked to certify that we haven't leaked PII
via a vulnerable trading partner. We use SSL to 'securely' transmit
say, name, address and phone number. These go into the trading
partner's server memory where someone has been freely snooping for the
past 2 years. The snooper gets our customer information despite the
fact that our servers are OK.

It gets worse. We may have encrypted that PII (on top of using SSL)
with PGP before sending it, and the trading partner then decrypted it
for their use. The plaintext PII? Once the trading partner decrypts
it, that PII is in a server memory buffer. In plaintext form.

In short, I can't certify that my PII wasn't leaked by a trading
partner. The good news, such as it is, is that the trading partners are
on the hook for (inadvertently) breaking their confidentiality
agreements with us. The bad news is that there is no way of knowing
which customers might be affected. By that I mean that there is no log
the trading partner can use to tell what bits of memory were sniffed and
there is certainly no log that would reveal what bits of what were in
that memory at the moment it was sniffed. Depending on which US state
you have customers in, the reporting laws can be anything from
nonexistent to back-breakingly onerous.

The legal people haven't approached me yet and I will have no good news
for them, despite being 'lucky' enough to not have my IBM i as a server
on the internet. My best guess is that they will opt not to report a
leak because as far as any of us can determine, our systems didn't leak.

I can tell you this: I will be keeping a much more comprehensive paper
trail of my IBM i upgrades, including one off PTF installs. Heartbleed
is a bug affecting only recent versions of OpenSSL, but it could have
affected only versions from January 23, 2012 through March 26, 2013. I
would have no idea if we had that version installed during that specific
time frame.

It's a bad week to be a sysadmin.
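The check Amy describes (qp2term, cd into the OpenSSL UserData directory, ls) and the paper-trail point above can be scripted. The following is an added example, not code from either poster or from IBM: it lists the openssl-* directories under a base directory, classifies each version against the published Heartbleed (CVE-2014-0160) range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g fixed it; 0.9.7, 0.9.8 and 1.0.0 never had the TLS heartbeat extension), and appends a dated record so you can later say what was installed when. The base directory and log path are parameters; the /QOpenSys paths in the usage comment are taken from the thread, the log file name is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not from the original thread): inventory OpenSSL builds
# found under an IBM i PASE UserData directory, classify them against the
# Heartbleed (CVE-2014-0160) range, and keep a timestamped record.
# Assumption: directory names look like openssl-<version>, as in the
# post's listing (openssl-0.9.7d openssl-0.9.8j). Paths are parameters.

# heartbleed_status VERSION -> prints "vulnerable" or "not-vulnerable".
# CVE-2014-0160 affects 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is fixed.
# 0.9.x and 1.0.0 never had the TLS heartbeat extension.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
        *)                             echo not-vulnerable ;;
    esac
}

# inventory_openssl BASEDIR LOGFILE
# Prints "version status" for every openssl-* directory under BASEDIR and
# appends "timestamp host version status" to LOGFILE (the paper trail).
inventory_openssl() {
    base="$1"; log="$2"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    host=$(uname -n)
    for d in "$base"/openssl-*; do
        [ -d "$d" ] || continue          # no match leaves the literal glob
        ver=${d##*/openssl-}             # strip path and "openssl-" prefix
        status=$(heartbleed_status "$ver")
        printf '%s %s\n' "$ver" "$status"
        printf '%s %s %s %s\n' "$stamp" "$host" "$ver" "$status" >> "$log"
    done
}

# count_vulnerable BASEDIR -> number of affected builds found under BASEDIR
count_vulnerable() {
    n=0
    for d in "$1"/openssl-*; do
        [ -d "$d" ] || continue
        if [ "$(heartbleed_status "${d##*/openssl-}")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage from qp2term on IBM i (paths from the thread; log name is hypothetical):
# inventory_openssl /QOpenSys/QIBM/UserData/SC1/OpenSSL /QOpenSys/var/openssl-inventory.log
# count_vulnerable  /QOpenSys/QIBM/UserData/SC1/OpenSSL
```

Run it from a scheduled job and keep the log with the PTF records; the log answers "what was installed on which date" rather than only "what is installed now". Note the caveat from the post still applies: this only covers the SC1 OpenSSL tree, not an open source product that ships its own copy of OpenSSL elsewhere on the system.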
