TECHNICAL ALERT 20171004
Critical Security Patch Released for IBM JDK
Waratek’s Virtual Patching Instantly Mitigates the Risks of Vulnerabilities.
IBM has issued its third mass patch of 2017 that includes fixes for 28 flaws in the Java Development Kit (JDK) that ships with the IBM i operating system. Many of these flaws were first addressed by Oracle in its July 2017 Critical Patch Update. The IBM patches address the unique characteristics of the IBM JDK.
There are no known workarounds for these security flaws. Eight of the 28 patches fix security flaws that carry a CVSS Base Score of 9.6 with the potential to allow attackers to take full control of an impacted server. The most severe flaws are “unspecified vulnerabilities” found in the Embedded Libraries, Embedded JAXP, ImageIO, Embedded RMI, and AWT components.
All but one of the flaws impact the IBM SDK Java Technology Edition software in all releases of IBM i, from version 6.1 to version 7.3, according to IBM. The patches released by IBM fix the problems in all of these releases. IBM is not expected to issue fixes for older OS.
Read the full IBM Security Bulletin.
Waratek customers are protected by the Waratek Application Security Platform’s virtual patching feature. Binary equivalent virtual patches are applied while the application continues to run without code changes or tuning.
Companies that have not deployed the Waratek Application Security Platform should act quickly to apply the IBM patch. IBM has bundled all 28 of the patches into a single program temporary fix (PTF), one for each version of the operating system.
As demonstrated by recent events, quickly applying patches is vital. Many organizations cannot apply binary patches as quickly as malicious hackers can launch attacks against known and new vulnerabilities. Virtual patching allows security teams to instantly protect applications while they assess the applicability of the physical patch in their environments.
Contact Waratek for more information.