× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Big Blue Patches 14 More OpenSSL Flaws In IBM i

Update OpenSSL to 1.0.2i to address security vulnerabilities

V7R1 - 5733SC1 SI62623 already Superseded by SI62643
V7R2 - 5733SC1 SI62622 already Superseded by SI62242

Has anyone applied either of these yet?

Published: October 3, 2016

by Alex Woodie

IBM i shops that use the OpenSSL encryption protocol will want to know that IBM last week issued program temporary fixes (PTFs) for 14 security vulnerabilities impacting IBM i versions 7.1, 7.2, and 7.3. If you're running an older version of the IBM i OS, you are out of luck.

Like most modern operating systems, IBM i includes a range of open source components. That includes OpenSSL, which is an open source implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) wire encryption protocols that's managed by the OpenSSL Project.

As we learned following the big "Heartbleed" vulnerability that shook the security world back in 2014, we can find OpenSSL in multiple places on IBM i, including WebSphere and Domino products. But the biggest concern is likely the Portable Utilities for i product, or 5733-SC1 LPO, which contains the OpenSSH, OpenSSL, and zlib open source packages that IBM i professionals can use to secure communications.

Since the big wakeup call that was Heartbleed, security researchers have been poking at OpenSSL and finding a series of problems. That has led to a series of patches for OpenSSL flaws, including one batch back in March 2015, and another batch in August 2015.

IBM issued its latest batch of OpenSSL patches last week after researchers posted patches to various security sites. The patches are primarily targeted for Linux environments, but since OpenSSL runs in the AIX PASE runtime on IBM i, it's a small matter for IBM to port them over. It appears IBM did this work quickly this time around, which is good for security conscious IBM i shops. (It's also good for those security unconscious IBM i shops out there, but that's another story.)

IBM detailed the 14 OpenSSL flaws in IBM i in this security bulletin posted last Tuesday. As per usual, IBM also had patches available immediately upon disclosing the existence of the security flaws. The PTFs are available immediately. Customers running IBM i 7.1 should apply PTF number SI62623, while customers running IBM i 7.2 and 7.3 should look for SI62622. As with most security flaws such as this, customers are recommended to apply the patches as soon as possible.

Here's a short description of the 14 flaws that IBM patched, according to the Common Vulnerabilities and Exposures (CVE) clearinghouse of security flaws:

* CVE-2016-6302: This flaw impacts the decryption component of the security protocol that could allow an attacker to launch a denial of service (DOS) attack by sending a malformed ticket. The flaw was first described by security researchers in August, and carries a Common Vulnerability Scoring System (CVSS) base score of 5.3.

* CVE-2016-6303: This flaw is caused by an integer overflow in the MDC2_Update function, which could enable an attacker to launch a DOS attack against het affected machine. It also was discovered in August and carries a CVSS base score of 5.3, but it could be more dangerous, as researchers say there could be unknown vectors.

* CVE-2016-6304: A flaw in how the OpenSSL service handles requests could enable an attacker to launch a DOS attack by repeatedly requesting renegotiation. This flaw, which was discovered by researchers this month, carries a CVSS base score of 7.5, making it a substantial threat.

* CVE-2016-6305: A problem with the SSL_peek() component of OpenSSL could enable an remote criminal to carry out a DOS attack by sending specially crafted data. The attacker must be authenticated, which mitigates the risk to some extent, giving this flaw (discovered last month) a CVSS score of 4.3.

* CVE-2016-6306: A problem with how OpenSSL checks message lengths when parsing certificates could enable an attacker to launch a DOS attack. The flaw carries a CVSS base score of 4.3.

* CVE-2016-6307: This is another DOS-related vulnerability discovered in September that's caused by a problem in how OpenSSL allocates memory when checking for excessive message lengths. By initiating multiple connection attempts, a remote authenticated attacker could send an overly large message to exhaust all available memory resources, thereby crashing the vulnerable system. It carries a CVSS base score of 4.3.

* CVE-2016-6308: This is another DOS-related flaw, also caused by a failure to properly allocate memory prior to checking for excessive message lengths. It was also discovered last month and also carries a CVSS base score of 4.3.

* CVE-2016-2177: A flaw in how OpenSSL uses pointer arithmetic for heap-buffer boundary checks could be leveraged by a malicious user to trigger an integer overflow and thereby cause the application to crash. Security researchers say this flaw, which was first discovered in June, carries a moderate risk; its CVSS base score is 5.9.

* CVE-2016-2178: A flaw in the Digital Signature Algorithm (DSA) component of OpenSSL could enable an attacker to recover a private DSA key, thereby enabling him to recover encrypted data. This flaw was discovered by security researchers in June, and carries a moderate CVSS base score of 5.3.

* CVE-2016-2179: A failure for the Datagram Transport Layer Service (DTLS) protocol to properly restrict the lifetime of queue entries associated with unused out-of-order messages could enable an attacker to open a large number of simultaneous connections and consume all available memory resources, thereby crashing the program. It was discovered in June, and carries a CVSS base score of 5.3.

* CVE-2016-2180: A flaw in the TS_OBJ_print_bio function could enable an attacker to crash an affected application by submitting a specially crafted timestamp. The DOS flaw, first discovered in July, was assigned a relatively high CVSS base score of 7.5.

* CVE-2016-2181: An error in the DTLS replay protection function could enable an attacker to cause valid packets to be dropped by sending a specially crafted sequence number. This DOS flaw was first spotted in August and carries a CVSS base score of 5.3.

* CVE-2016-2182: Another flaw in TS_OBJ_print_bio function of OpenSSL could allow an attacker to crash an application. This flaw was found August and carries a CVSS base score of 4.3.

* CVE-2016-2183: This error, known as the SWEET32 Birthday attack, is caused by an error in the Triple-DES on 64-bit block cipher that's used as a part of the SSL/TLS protocol. A remote hacker could use this flaw to capture large amounts of encrypted traffic and possibly recover the unencrypted plaintext data, what's known as a man-in-the-middle attack. This flaw was first described in August, and carries a low CVSS base score of 3.7.

Now go patch those IBM i servers!

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.