Jungle java
3/10/2023

OpenSSL Flaw No ‘Heartbleed,’ But Other New Vulns Detected

News started to emerge earlier this week of a critical OpenSSL flaw that required the utmost attention. That flaw turned out to be not as bad as initially feared, but that shouldn’t stop IBM i shops from patching other recent flaws, including some pretty serious ones in WebSphere Liberty, Java, the CCA, and Zlib.

The cybersecurity world has been sitting on pins and needles for the past 48 hours, ever since news of a potentially devastating new flaw in OpenSSL started to leak out early Monday morning. The flaw could be a concern for just about everybody, including IBM, which uses OpenSSL extensively in its products, including in IBM i. IBM has a long history of patching flaws in OpenSSL, going all the way back to the Heartbleed epidemic in 2014.

However, that flaw, dubbed CVE-2022-3602, is not as bad as first feared. Thankfully, it’s not Heartbleed Take Two. Nevertheless, the flaw, a stack buffer overflow in OpenSSL 3.0’s X.509 certificate verification code (it is triggered while checking name constraints on a punycode-encoded email address in a certificate) that can crash the process (a DoS) and could potentially enable remote code execution, is still rated High severity, and users are encouraged to apply a patch (the fix shipped in OpenSSL 3.0.7) as soon as one is available for their platform. One caveat that explains the downgrade from Critical: the overflow is reached only after chain signature verification, so the malicious certificate must be signed by a CA the verifier trusts, or the application must keep going after failing to build a path to a trusted issuer. In TLS terms, a client is exposed when it connects to a malicious server, and a server only when it asks for client certificates.

The second OpenSSL flaw, CVE-2022-3786, was discovered during research of the first flaw. It too is a buffer overflow flaw, and it too carries the risk of a DoS attack when an attacker presents a certificate containing a crafted email address. However, it is not considered as severe as the first one, since only a crash, not code execution, is thought to result. The two flaws are so new that CVSS Base scores are not yet available.

IBM will be looking into the latest OpenSSL flaw, according to a message posted yesterday on its PSIRT Blog:

“IBM is responding to the reported buffer overflow vulnerability that the OpenSSL open-source community disclosed for OpenSSL versions 3.0.0 – 3.0.6. We are taking action as an enterprise, and for IBM products and services that may potentially be impacted, as we do for all vulnerabilities rated High.”

While a worst-case scenario with OpenSSL appears to have been averted, that doesn’t mean it’s completely smooth sailing for IBM i shops, who have several other serious flaws to contend with.
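The practical first step for any shop is finding out which OpenSSL builds it is actually running, since only the range IBM’s statement quotes (3.0.0 through 3.0.6) is exposed. The script below is an added example, not code from the original article, from IBM, or from the OpenSSL project: it takes the output of `openssl version` and classifies it against that range. The two facts it relies on beyond the article are taken from the OpenSSL advisory: the fix shipped in 3.0.7, and the 1.0.2 and 1.1.1 series never contained the affected punycode code path. The sample version strings in the loop are constructed so the script runs offline; it also checks the local binary when one is on the PATH.

```shell
#!/bin/sh
# Added example (not the article's, IBM's, or OpenSSL's own code).
# Classify an `openssl version` string against the affected range for
# CVE-2022-3602 / CVE-2022-3786: OpenSSL 3.0.0 through 3.0.6 are affected,
# 3.0.7 carries the fix, and the 1.0.2 / 1.1.1 series are not affected.
# Anything that is not an "OpenSSL x.y.z" string (LibreSSL, an unusual
# vendor build) is reported as unknown so it gets a manual look rather
# than a silent pass.

# openssl_vuln_status "VERSION STRING"
# Prints one of: affected | fixed | not-affected | unknown
openssl_vuln_status() {
    # Pull "3.0.5" or "1.1.1q" out of e.g. "OpenSSL 3.0.5 5 Jul 2022"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}          # "3"
    rest=${ver#*.}            # "0.5"
    minor=${rest%%.*}         # "0"
    patch=${rest#*.}          # "5"   (or "1q" for 1.1.1q)
    patch=${patch%%[!0-9]*}   # strip a letter suffix: "1q" -> "1"
    [ -n "$patch" ] || patch=0

    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -le 6 ]; then
            echo affected       # 3.0.0 .. 3.0.6: patch to 3.0.7 or later
        else
            echo fixed          # 3.0.7 and later 3.0.x releases
        fi
    else
        echo not-affected       # 1.0.2, 1.1.1, 3.1 and newer series
    fi
}

# Constructed sample strings so the demonstration runs offline.
for sample in \
    "OpenSSL 3.0.5 5 Jul 2022" \
    "OpenSSL 3.0.7 1 Nov 2022" \
    "OpenSSL 1.1.1q  5 Jul 2022" \
    "LibreSSL 3.6.0"
do
    printf '%-32s %s\n' "$sample" "$(openssl_vuln_status "$sample")"
done

# Check the local binary too, when there is one on the PATH.
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl version)
    printf '%-32s %s\n' "$live" "$(openssl_vuln_status "$live")"
fi
```

Note that this only covers the OpenSSL binary on the PATH. Products that bundle their own copy of the library (Java runtimes do not use OpenSSL, but many application servers, language runtimes and appliances do) need to be inventoried separately, which is why the vendor advisories, IBM’s included, matter more than the system-level check for those components.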