I put them both on my systems yesterday morning. Only have one real app
that uses OpenSSL, and it ran fine all day yesterday.




Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Steinmetz, Paul
Sent: Thursday, October 06, 2016 8:12 AM
To: 'Midrange Systems Technical Discussion'
Subject: Blue Patches 14 More OpenSSL Flaws In IBM i - V7R1 SI62643
V7R2 SI62242 - Has anyone applied either of these yet?

Big Blue Patches 14 More OpenSSL Flaws In IBM i

Update OpenSSL to 1.0.2i to address security vulnerabilities

V7R1 - 5733SC1 SI62623 already Superseded by SI62643
V7R2 - 5733SC1 SI62622 already Superseded by SI62242

Has anyone applied either of these yet?

Published: October 3, 2016

by Alex Woodie

IBM i shops that use the OpenSSL encryption protocol will want to know
that IBM last week issued program temporary fixes (PTFs) for 14 security
vulnerabilities impacting IBM i versions 7.1, 7.2, and 7.3. If you're
running an older version of the IBM i OS, you are out of luck.

Like most modern operating systems, IBM i includes a range of open
source components. That includes OpenSSL, which is an open source
implementation of the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) wire encryption protocols that's managed by the OpenSSL
Project.

As we learned following the big "Heartbleed" vulnerability that shook
the security world back in 2014, we can find OpenSSL in multiple places
on IBM i, including WebSphere and Domino products. But the biggest
concern is likely the Portable Utilities for i product, or 5733-SC1 LPO,
which contains the OpenSSH, OpenSSL, and zlib open source packages that
IBM i professionals can use to secure communications.

Since the big wakeup call that was Heartbleed, security researchers have
been poking at OpenSSL and finding a series of problems. That has led to
a series of patches for OpenSSL flaws, including one batch back in March
2015, and another batch in August 2015.

IBM issued its latest batch of OpenSSL patches last week after
researchers posted patches to various security sites. The patches are
primarily targeted for Linux environments, but since OpenSSL runs in the
AIX PASE runtime on IBM i, it's a small matter for IBM to port them
over. It appears IBM did this work quickly this time around, which is
good for security conscious IBM i shops. (It's also good for those
security unconscious IBM i shops out there, but that's another story.)

IBM detailed the 14 OpenSSL flaws in IBM i in this security bulletin
posted last Tuesday. As per usual, IBM also had patches available
immediately upon disclosing the existence of the security flaws. The
PTFs are available immediately. Customers running IBM i 7.1 should apply
PTF number SI62623, while customers running IBM i 7.2 and 7.3 should
look for SI62622. As with most security flaws such as this, customers
are recommended to apply the patches as soon as possible.

Here's a short description of the 14 flaws that IBM patched, according
to the Common Vulnerabilities and Exposures (CVE) clearinghouse of
security flaws:

* CVE-2016-6302: This flaw impacts the decryption component of the
security protocol that could allow an attacker to launch a denial of
service (DOS) attack by sending a malformed ticket. The flaw was first
described by security researchers in August, and carries a Common
Vulnerability Scoring System (CVSS) base score of 5.3.

* CVE-2016-6303: This flaw is caused by an integer overflow in the
MDC2_Update function, which could enable an attacker to launch a DOS
attack against the affected machine. It also was discovered in August
and carries a CVSS base score of 5.3, but it could be more dangerous, as
researchers say there could be unknown vectors.

* CVE-2016-6304: A flaw in how the OpenSSL service handles requests
could enable an attacker to launch a DOS attack by repeatedly requesting
renegotiation. This flaw, which was discovered by researchers this
month, carries a CVSS base score of 7.5, making it a substantial threat.

* CVE-2016-6305: A problem with the SSL_peek() component of OpenSSL
could enable a remote criminal to carry out a DOS attack by sending
specially crafted data. The attacker must be authenticated, which
mitigates the risk to some extent, giving this flaw (discovered last
month) a CVSS score of 4.3.

* CVE-2016-6306: A problem with how OpenSSL checks message lengths when
parsing certificates could enable an attacker to launch a DOS attack.
The flaw carries a CVSS base score of 4.3.

* CVE-2016-6307: This is another DOS-related vulnerability discovered in
September that's caused by a problem in how OpenSSL allocates memory
when checking for excessive message lengths. By initiating multiple
connection attempts, a remote authenticated attacker could send an
overly large message to exhaust all available memory resources, thereby
crashing the vulnerable system. It carries a CVSS base score of 4.3.

* CVE-2016-6308: This is another DOS-related flaw, also caused by a
failure to properly allocate memory prior to checking for excessive
message lengths. It was also discovered last month and also carries a
CVSS base score of 4.3.

* CVE-2016-2177: A flaw in how OpenSSL uses pointer arithmetic for
heap-buffer boundary checks could be leveraged by a malicious user to
trigger an integer overflow and thereby cause the application to crash.
Security researchers say this flaw, which was first discovered in June,
carries a moderate risk; its CVSS base score is 5.9.

* CVE-2016-2178: A flaw in the Digital Signature Algorithm (DSA)
component of OpenSSL could enable an attacker to recover a private DSA
key, thereby enabling him to recover encrypted data. This flaw was
discovered by security researchers in June, and carries a moderate CVSS
base score of 5.3.

* CVE-2016-2179: A failure for the Datagram Transport Layer Service
(DTLS) protocol to properly restrict the lifetime of queue entries
associated with unused out-of-order messages could enable an attacker to
open a large number of simultaneous connections and consume all
available memory resources, thereby crashing the program. It was
discovered in June, and carries a CVSS base score of 5.3.

* CVE-2016-2180: A flaw in the TS_OBJ_print_bio function could enable an
attacker to crash an affected application by submitting a specially
crafted timestamp. The DOS flaw, first discovered in July, was assigned
a relatively high CVSS base score of 7.5.

* CVE-2016-2181: An error in the DTLS replay protection function could
enable an attacker to cause valid packets to be dropped by sending a
specially crafted sequence number. This DOS flaw was first spotted in
August and carries a CVSS base score of 5.3.

* CVE-2016-2182: Another flaw in the TS_OBJ_print_bio function of OpenSSL
could allow an attacker to crash an application. This flaw was found in
August and carries a CVSS base score of 4.3.

* CVE-2016-2183: This error, known as the SWEET32 Birthday attack, is
caused by an error in the Triple-DES 64-bit block cipher that's used
as a part of the SSL/TLS protocol. A remote hacker could use this flaw
to capture large amounts of encrypted traffic and possibly recover the
unencrypted plaintext data, what's known as a man-in-the-middle attack.
This flaw was first described in August, and carries a low CVSS base
score of 3.7.

Now go patch those IBM i servers!

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
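An added verification script, not part of the thread or of the article, for confirming after the PTF that the OpenSSL level reported by the 5733-SC1 binary in PASE is at or above the fixed level 1.0.2i. The binary path /QOpenSys/usr/bin/openssl is an assumption, and the banner strings in the comments are constructed samples.

```shell
#!/bin/sh
# Post-PTF check: is the PASE OpenSSL at or above 1.0.2i (the fixed level)?
# Assumed path for the 5733-SC1 binary: /QOpenSys/usr/bin/openssl.

# Print "major minor patch letter" for a banner such as
# "OpenSSL 1.0.2i  22 Sep 2016" (constructed sample) -> "1 0 2 i".
parse_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    num=${ver%%[a-z]*}        # numeric part, e.g. 1.0.2
    letter=${ver#"$num"}      # patch letter, e.g. i (may be empty)
    set -- $(printf '%s\n' "$num" | tr . ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$letter"
}

# Return 0 if banner $1 is at least version $2 (e.g. 1.0.2i), 1 if it is
# older, 2 if the banner could not be parsed.
openssl_version_at_least() {
    have=$(parse_openssl_version "$1") || return 2
    want=$(parse_openssl_version "OpenSSL $2") || return 2
    set -- $have; hmaj=$1; hmin=$2; hpat=$3; hlet=$4
    set -- $want; wmaj=$1; wmin=$2; wpat=$3; wlet=$4
    if [ "$hmaj" -ne "$wmaj" ]; then [ "$hmaj" -gt "$wmaj" ]; return $?; fi
    if [ "$hmin" -ne "$wmin" ]; then [ "$hmin" -gt "$wmin" ]; return $?; fi
    if [ "$hpat" -ne "$wpat" ]; then [ "$hpat" -gt "$wpat" ]; return $?; fi
    # Same numeric level: the letter suffix decides; no letter is the oldest.
    [ "$hlet" = "$wlet" ] && return 0
    [ -z "$wlet" ] && return 0
    [ -z "$hlet" ] && return 1
    expr "$hlet" \> "$wlet" >/dev/null   # lexical: j > i, h < i
}

# Live check against the PASE binary (assumed path); prints a verdict.
check_pase_openssl() {
    bin=${1:-/QOpenSys/usr/bin/openssl}
    [ -x "$bin" ] || { echo "$bin not found"; return 2; }
    banner=$("$bin" version)
    if openssl_version_at_least "$banner" 1.0.2i; then
        echo "OK: $banner"
    else
        echo "NEEDS PTF: $banner is below 1.0.2i"; return 1
    fi
}
```

Run `check_pase_openssl` from a PASE shell (QP2TERM or ssh); if 5733-SC1 is installed elsewhere, pass the binary path as the first argument.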
