From: Patrick Botz
Whether you consider PASE part of i5/OS or not, the fact that it is on the
system and there are OS programs running in it, and because arbitrary
commands executed in PASE can manipulate native i5/OS objects, means that
a buffer overflow attack against PASE can theoretically put the native
i5/OS stuff at risk.
Now, this doesn't mean the sky is falling. It doesn't mean that because
it is possible, that there are holes. It just means that you can run
programs in PASE that are susceptible to buffer overflow attacks. It means
that you have to understand which pieces of i5/OS run in PASE. The most
obvious piece -- and the one that has had buffer overflow patches for
previous versions -- is the DNS server. i5/OS uses the AIX DNS server; if
that is ever patched for security reasons, most likely you will see an
i5/OS PTF (which in all likelihood will just replace the same AIX binary
shipped with i5/OS).