SI68199 - FTP fixes for CVE-2011-1575 to drop sub-commands after AUTH

PTF ( Program Temporary Fixes ) Cover letter


Abstract

FTP fixes for CVE-2011-1575 to drop sub-commands after AUTH


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL

TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
NONE



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.


APAR Error Description / Circumvention

-------------------------------------------------
CVE-2011-1575 may jeopardize the integrity of FTP explicit TLS
connection establishment.

CORRECTION FOR APAR 'SE69814' :
-------------------------------
FTP AUTH TLS processing is changed to drop the clear-text I/O buffer
left over after the AUTH sub-command, so that none of it is processed
during the cipher-text protocol phase.
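
The correction described above, as an added example that is not IBM's code: a Python model of a minimal FTP control-channel reader that processes the same clear-text segment once while keeping its buffer across AUTH TLS and once while dropping it, as this PTF does. The sample traffic and the names run_session and clear_text_after_auth are constructed for illustration.

```python
CRLF = b"\r\n"

def next_line(buf: bytes):
    """Return (line, remainder); line is None if no full CRLF line is buffered."""
    if CRLF not in buf:
        return None, buf
    raw, rest = buf.split(CRLF, 1)
    return raw.decode("ascii", "replace"), rest

def run_session(clear_segment: bytes, tls_segment: bytes, drop_after_auth: bool):
    """Model a server reading one clear-text segment and, once AUTH TLS is
    accepted, one segment that the TLS layer would deliver after the handshake.
    Returns the (phase, command) pairs acted on, phase being 'clear' or 'tls'.
    """
    acted, phase, buf = [], "clear", clear_segment
    while True:
        line, buf = next_line(buf)
        if line is None:
            if phase == "tls" and tls_segment is not None:
                buf, tls_segment = buf + tls_segment, None  # decrypted data arrives
                continue
            return acted
        acted.append((phase, line))
        if phase == "clear" and line.upper() == "AUTH TLS":
            phase = "tls"  # server replies 234 and performs the TLS handshake
            if drop_after_auth:
                buf = b""  # the correction: discard the clear-text I/O buffer
            # without the drop, clear text pipelined behind AUTH is acted on as 'tls'

def clear_text_after_auth(segment: bytes) -> bytes:
    """Defender's check: bytes read in the same clear-text segment as AUTH TLS.
    A non-empty result is exactly what the corrected server now discards."""
    buf = segment
    while True:
        line, buf = next_line(buf)
        if line is None:
            return b""
        if line.upper() == "AUTH TLS":
            return buf

# Constructed sample traffic: two clear-text commands pipelined behind AUTH TLS,
# then the commands the legitimate client sends inside the TLS session.
CLEAR_SEGMENT = b"AUTH TLS\r\nUSER injected\r\nPASS x\r\n"
TLS_SEGMENT = b"USER alice\r\nPASS s3cret\r\n"

if __name__ == "__main__":
    print("before fix:", run_session(CLEAR_SEGMENT, TLS_SEGMENT, False))
    print("after fix: ", run_session(CLEAR_SEGMENT, TLS_SEGMENT, True))
```

Without the drop, the pipelined USER/PASS lines are acted on in the 'tls' phase even though they never travelled inside TLS; with it, the first commands acted on after AUTH are the ones the TLS layer delivers.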

CIRCUMVENTION FOR APAR 'SE69814' :
----------------------------------
None.


Activation Instructions

None.




Special Instructions

********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

End FTP server in the system
Example: ENDTCPSVR SERVER(*FTP)
Then apply the PTF
Start FTP server again
Example: STRTCPSVR SERVER(*FTP)

5770TC1 *BASE (IBM TCP/IP Connectivity Utilities for i) must be
installed in the system before applying this PTF.




Please end the FTP server before apply the PTF:
- ENDTCPSVR SERVER(*FTP)
Start the FTP server after the PTF is applied:
- STRTCPSVR SERVER(*FTP)

Before applying/removing PTF:
endtcpsvr *FTP

After applying/removing PTF:
strtcpsvr *FTP

Example to enable the function to limit the job numbers:
endtcpsvr *FTP
ADDENVVAR ENVVAR(QIBM_FTP_MAX_CONC_CONN) VALUE(3)  LEVEL(*SYS)
strtcpsvr *FTP

Note: the value must be greater than 0; otherwise the function is not
activated.


Example to enable changing return code:
endtcpsvr *FTP
ADDENVVAR ENVVAR(QIBM_FTP_CHG_RET_CODE) VALUE(1)  LEVEL(*SYS)
strtcpsvr *FTP

Example to disable changing return code:
endtcpsvr *FTP
RMVENVVAR ENVVAR(QIBM_FTP_CHG_RET_CODE) LEVEL(*SYS)
strtcpsvr *FTP

Before applying PTF:
endtcpsvr *FTP

After applying PTF:
strtcpsvr *FTP

1. Before applying/removing the PTF:
ENDTCPSVR *FTP

2. Apply the PTF

3. Set QIBM_FTP_SRV_TRUNCT_DLY to enable the new feature:
ADDENVVAR ENVVAR(QIBM_FTP_SRV_TRUNCT_DLY) LEVEL(*SYS)

4. After applying/removing the PTF:
STRTCPSVR *FTP

Adding or removing the environment variable QIBM_FTP_SRV_TRUNCT_DLY
while the FTP server is running changes the behavior of an FTP job on
its next incoming transaction. If the server is restarted using
ENDTCPSVR/STRTCPSVR, every job takes the change on its next
transaction.

This feature changes the server's internal handling of the STOR
sub-command: when the incoming file overwrites an existing file, the
FTP server receives the new file first and truncates the receiving
file afterwards.

Note: enabling this feature is recommended only for certain
scenarios, for example when the existing file is quite large and the
file being sent is of similar size. Otherwise, it is not recommended.

The example to enable the feature:
ENDTCPSVR *FTP
ADDENVVAR ENVVAR(QIBM_FTP_SRV_TRUNCT_DLY) LEVEL(*SYS)
STRTCPSVR *FTP

The example to disable the feature:
ENDTCPSVR *FTP
RMVENVVAR ENVVAR(QIBM_FTP_SRV_TRUNCT_DLY) LEVEL(*SYS)
STRTCPSVR *FTP

1. Before applying/removing the PTF:
ENDTCPSVR *FTP

2. Apply the PTF

3. Set the environment variable to enable the feature:
ADDENVVAR ENVVAR(QIBM_FTP_PORT_EPRT_LIMIT) LEVEL(*SYS)

4. After applying/removing the PTF:
STRTCPSVR *FTP

Adding or removing the environment variable QIBM_FTP_PORT_EPRT_LIMIT
while the FTP server is running changes the behavior of an FTP job on
its next incoming transaction. If the server is restarted using
ENDTCPSVR/STRTCPSVR, every job takes the change on its next
transaction.

Example to enable the feature:
ENDTCPSVR *FTP
ADDENVVAR ENVVAR(QIBM_FTP_PORT_EPRT_LIMIT) LEVEL(*SYS)
STRTCPSVR *FTP

Example to disable the feature:
ENDTCPSVR *FTP
RMVENVVAR ENVVAR(QIBM_FTP_PORT_EPRT_LIMIT) LEVEL(*SYS)
STRTCPSVR *FTP

Before Applying/Removing:
ENDTCPSVR *FTP

After Applying/Removing:
STRTCPSVR *FTP

Note:  any change to an exit program requires a server restart,
regardless of whether this PTF is installed.

Before Applying/Removing the ptf:
ENDTCPSVR *FTP

After Applying/Removing the ptf:
STRTCPSVR *FTP

Note:  This fix relies on message TCP12E2 in message file
QTCP/QTCPMSGF being unaltered.  If for some reason the message has
been altered, it needs to be restored before this fix will work.  The
most common problem is a dash added after the 250; this message is not
shipped with a dash.

The FTP server must be restarted before this PTF will take effect in
immediate mode.

Before Installing/Removing
endtcpsvr *ftp

After Installing/Removing
strtcpsvr *ftp

The FTP server must be restarted in order for this fix to be activated,
and the FTP and FTP-SECURE sockets need to be closed.

Before Installing/Removing the PTF:
endtcpsvr *FTP
Check NETSTAT option 3 and option 6 to see if there is an FTP
listening socket.
Install all PTFs for ENDTCPCNN.
Use ENDTCPCNN or option 4 from NETSTAT to end the socket.
If there isn't a socket to end, then this PTF is for prevention only.

After Installing/Removing the PTF:
strtcpsvr *FTP

Before Applying/Removing
endtcpsvr *ftp

After Applying/Removing
strtcpsvr *ftp

If you do not wish to take advantage of this change,
nothing needs to be done.
If you wish to take advantage of this change:
Add a client application ID to the Digital Certificate Manager (DCM).

Specify the created Application identifier (APPID) parameter on the
Start TCP/IP File Transfer Protocol (STRTCPFTP) or
Start TCP/IP File Transfer (FTP) command when using SSL.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI67069      TCPIP-SELECT THE SAME PORT IN THE PORT RANGE FOR DATA CONNEC
   SI66917      TCPIP-OTHER-UNPRED LOTS OF QTFTP* JOBS IN QSYSWRK
   SI66203      TCPIP-FTP-SUPPORT SPECIFYING PORT RANGE FOR DATA CONNECTIONS
   SI65398      OSP-UNPRED FTP OF LARGE FILES CAN TIMEOUT, CANNOT CHANGE FTP
   SI58930      TCPIP-FTP-F/#LDPREP-T/QSRSVRQI-MSGMCH3404 FOR OBJECT QTMFJOB
   SI57173      F/QTMFCLIE-INVALID_IPV6
   SI56669      OSP HUNDREDS OF ORPHANED QTFTP***** JOBS
   SI56416      OSP ERROR ON A FTP SESSION WHEN TRYING TO RENAME A MEMBER FI
   SI55955      TCPIP-FTP WHEN QCCSID = 65535 AND LANGID = JPN, CHANGES TO F
   SI52594      TCPIP-FTP-PERFM LIMIT THE NUMBER OF FTP SERVER JOBS/THREADS
   SI51083      OSP-PAR-940XCOM ADD FUNCTIONALITY TO QIBM_FTP_SRV_TRUNCT_DLY
   SI50624      TCPIP-FTP-INCORROUT FTP-TRAILING BLANKS ARE NOT TRIMMED WITH
   SI49357      TCPIP-FTP FTP 426 RESPONSE BEING GIVEN WHEN FILE IS ALREADY
   SI49734      TCPIP-FTP-INCORROUT FTP SUBCOMMAND QUOTE CWD ~ CONNECTION FA
   SI49432      TCPIP-FTP-F/QTMFSRVR-MSGTCP3D2C WRKPRB ENTRY BEING GENERATED
   SI48449      TCPIP-FTP-INCORROUT FTP FAILS ON TURKISH ENVIRONMENT WITH AB
   SI47456      TCPIP FTP WITH NAMEFMT 1 TO IASP DATA TRANSFER ERROR
   SI47867      Integrity Problem
   SI47340      TCPIP-FTP-MSGTCP3CB1 CCSID
   SI47287      TCPIP ABOR WHEN DOING FTP OF AN IASP FILE WITHOUT MEMBER
   SI46704      OSP-COMM-TCPIP-OTHER-PERFM FTP SENDING LARGE GIGABIT PHYSICA
   SI46345      Integrity Problem
   SI40966      OSP-COMM-TCPIP-OTHER-INCORROUT FTP EXIT POINT DOESN'T ALLOW
   SI40922      TCPIP-FTP  Wrong message sent for empty file in block mode
   SI38671      TCPIP-FTP-INCORROUT  FTP SYST returns wrong release.
   SI38392      FTP server doesn't always close its socket on ending.
   SI39041      TCPIP-FTP-INCORROUT CONNECTION CLOSED BY SYSTEM I
   SI46533      TCPIP-FTP Allow user client application ID for SSL
   SI37508      TCPIP-FTP SENDS IPV6 DNS QUERY WHEN IPV6 IS INACTIVE

Summary Information

System.............................. i
Models..............................
Release............................. V7R1M0
Licensed Program............... 5770TC1
APAR Fixed.......................... SE69814
Superseded by:......................
Recompile........................... N
Library............................. QTCP
MRI Feature ........................ NONE
Cum Level........................... NONE


IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R1M0

Operating system(s): OS/400

Reference #: SI68199

Modified date: 04 September 2018