MF64591 - LIC Mitigate Spectre and Meltdown vulnerabilities in program
PTF ( Program Temporary Fixes ) Cover letter
Pre/Co-Requisite PTF / Fix List
REQ LICENSED PTF/FIX LEVEL
TYPE PROGRAM RELEASE NUMBER MIN/MAX OPTION
---- -------- --------- ------- ------- ------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels. This PTF may be a prerequisite
for future PTFs. By applying this PTF you authorize and agree to the
This PTF is subject to the terms of the 'IBM License Agreement for Machine
Code', the terms of which were provided in a printed document that was
delivered with the machine.
SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.
APAR Error Description / Circumvention
IBM has released this PTF in response to CVE-2017-5753,
CVE-2017-5715, CVE-2017-5754, and CVE-2018-3639.
CORRECTION FOR APAR 'MA46869' :
Spectre and Meltdown vulnerabilities could allow untrusted
programs to obtain unauthorized access to data as described in
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, and CVE-2018-3639.
These vulnerabilities can be mitigated by applying this PTF and
taking further actions described in the Special Instructions
section. Run-time performance may be affected if you choose to
take those further actions.
This PTF should be applied along with all other PTFs provided in
response to these vulnerabilities. See the IBM i Security
Bulletin for that list of PTFs:
CIRCUMVENTION FOR APAR 'MA46869' :
To determine whether to take the further actions described below, you
(the system administrator) must assess the risk that programs running
on your system would intentionally try to read unauthorized data.
Exploiting Spectre and Meltdown vulnerabilities requires a deliberate
attack rather than an accidental program error. If you trust the
providers of the programs that run on your system, and you have
controls in place to prevent untrusted programs from being installed or
created, you might choose not to take the further actions. However, if
you're unsure about trusting programs that run on your system, you
might choose to take the further actions described below.
Note that security level (system value QSECURITY) has no direct effect
on Spectre and Meltdown vulnerabilities. However, if your system is
running at a security level less than 40, users have more direct ways
to gain unauthorized access to data.
To enable Spectre and Meltdown mitigations for all subsequent creations
and conversions of modules, programs, and service programs, the system
administrator should use the Start System Service Tools (STRSST)
command, sign on, and select the following sequence of menu options:
1. Start a service tool
1. Display/Alter storage
2. Licensed Internal Code (LIC) data
14. Advanced analysis
On the "Select Advanced Analysis Command" screen, enter 1=Select on
the list entry for OXMITIGATIONS.
On the "Specify Advanced Analysis Options" screen in the Options
field, enter the following:
The system will display the resulting mitigation setting, similar to
    Display Formatted Data
    Page/Line. . .   1
    Columns. . . :   1 - 78
    Find . . . . . . . . . . .
    Running macro: OXMITIGATIONS ENABLE
    System-Wide Translator Mitigation Controls
      OX level: 4
      Mitigations enabled
In the Options field, you can also enter one of these options:
After applying this PTF and enabling mitigations as described above,
creating new objects (*PGM, *SRVPGM, or *MODULE object types) from
source code will mitigate those objects for Spectre and Meltdown
To mitigate existing program objects, also take one of these actions:
- Create the programs again by compiling the source code.
- Follow conversion directions in developerWorks article "Simple IBM
i Program and Module Conversion":
- Restore the programs, either after setting the QFRCCVNRST system
value to 7 or by specifying the FRCOBJCVN(*YES *ALL) parameter on the
restore command (such as RST, RSTOBJ, RSTLIB, RSTLICPGM).
- Use the DSPPGM or DSPSRVPGM command to see whether the program has
all creation data (for ILE programs) or observable information (for OPM
programs). If the program shows "All creation data *YES" or
"Observable information *ALL", you can use the CHGPGM or CHGSRVPGM
command with keyword FRCCRT(*YES) to force the program to be created
Additionally, if you expect that untrusted programs might be restored
in the future, the system administrator can set system value
QFRCCVNRST=7 so that programs will be converted with mitigations during
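The CL commands behind the actions listed above, written out as an added example that is not part of the IBM cover letter. The names MYLIB, MYPGM, MYSRVPGM and the save file QGPL/MYSAVF are hypothetical placeholders; B and C are alternatives for existing objects, so use only the one that fits.

```cl
/* Added example, not IBM's text. MYLIB, MYPGM, MYSRVPGM and      */
/* QGPL/MYSAVF are hypothetical names; substitute your own.       */

/* Check what conversion needs: "All creation data *YES" for ILE  */
/* programs, "Observable information *ALL" for OPM programs.      */
DSPPGM PGM(MYLIB/MYPGM)
DSPSRVPGM SRVPGM(MYLIB/MYSRVPGM)

/* A. Future restores: note the current value, then force         */
/*    conversion on every restore from now on.                    */
DSPSYSVAL SYSVAL(QFRCCVNRST)
CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE('7')

/* B. Existing objects, by restore: force conversion for this one */
/*    restore only, regardless of the system value.               */
RSTLIB SAVLIB(MYLIB) DEV(*SAVF) SAVF(QGPL/MYSAVF) +
       FRCOBJCVN(*YES *ALL)

/* C. Existing objects, in place: re-create each object from its  */
/*    stored creation data or observable information.             */
CHGPGM PGM(MYLIB/MYPGM) FRCCRT(*YES)
CHGSRVPGM SRVPGM(MYLIB/MYSRVPGM) FRCCRT(*YES)
```

None of these produce mitigated objects unless this PTF is applied and OXMITIGATIONS shows "Mitigations enabled" first.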
THIS IS A DELAYED PTF TO BE APPLIED AT IPL TIME.
PTF/FIX NO(S). APAR TITLE LINE
MF61369 OSP-OTHER-UNPRED MSGMCH3203 during CHGPGM PRFDTA(*APYALL)
Superseded by: PTF MF65389
MRI Feature: NONE
Software version: V7R3M0
Operating system(s): OS/400
Reference #: MF64591
Modified date: 12 September 2018