×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
Joe,
Whether you consider PASE part of i5/OS or not, the fact that it is on the
system and there are OS programs running in it, and because arbitrary
commands executed in PASE can manipulate native i5/OS objects, means that
a buffer overflow attack against PASE can theoretically put the native
i5/OS stuff at risk.
Now, this doesn't mean the sky is falling. It doesn't mean that because
it is possible, that there are holes. It just means that you can run
programs in PASE that are susceptible to buffer overflow attacks. It means
that you have to understand which pieces of i5/OS run in PASE. The most
obvious piece -- and the one that has had buffer overflow patches for
previous versions -- is the DNS server. i5/OS uses the AIX DNS server, if
that is ever patched for security reasons, most likely you will see an
i5/OS PTF (which in all likelyhood will just replace the same AIX binary
shipped with i5/OS).
Thanks.
Patrick Botz
IBM STG Lab Services Security Practice
botz@xxxxxxxxxx
work: 507 253 0917 mobile: 507 250 5644
http://www.ibm.com/systems/services/labservices
midrange-l-bounces@xxxxxxxxxxxx wrote on 10/22/2007 06:25:25 PM:
From: Patrick Botz
This is mostly true, but not universally true. Anything that runs in
the
PASE environment under i5/OS is susceptible to a buffer overflow
attack
just like a standard LUW. So you can't just assume that no matter
what it
is, it won't affect i5/OS.
I guess it depends on your definition of i5/OS. Me, I don't consider
PASE
to be i5/OS. But that's just me.
Joe
midrange.com
