Kisco Systems

Kisco U

What IBM i Users Should Check When Learning of a Security Vulnerability


Contributed by our partners at Seiden Group

A client asked about a vulnerability found in libwebp, which is used by PHP’s image-handling gd extension.

My first step was to find a reputable source for details. According to this trusted article about the vulnerability, the issue affected only libwebp versions 1.3.1 and earlier. I checked our own system and found we had a patched version from IBM, so we were safe. The client was, too.

Here is the procedure you can use for checking the version of this or any other open source package on IBM i.

How to check your package version

The easiest way is to use the Open Source Package Management window of Access Client Solutions (ACS). The link is at or near the bottom of the left-side menu:

ACS Open Source Package Management link

After clicking the link and logging in, you should see a list of installed packages. To narrow your search to the component you want, select the View / Filter… menu option shown below:

View -> Filter…

Then type the package name you are looking for in the Package Filter input box that appears:

Filter prompt (libwebp)

After clicking OK, you will see any matching packages:

Filtered list showing libwebp7 with version number

The list showed that the libwebp package was called libwebp7, and the version was 1.3.2-1, a higher number than the vulnerable 1.3.1 version. Our version was safely patched.

If I had needed to update libwebp7, I could have clicked on Updates available and looked for a newer version.
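The same check can be run from a command line, shown here as an added example that is not part of the original article. It assumes an SSH or PASE shell on the IBM i with the open source environment's rpm at /QOpenSys/pkgs/bin/rpm; the function names are hypothetical and the sample versions are constructed, apart from 1.3.2-1 and 1.3.1, which come from the article.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# ver_gt A B: succeed when dotted numeric version A is strictly newer than B.
# Fields are compared as integers, so 1.10.0 is newer than 1.3.1.
ver_gt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}            # leading field of each version
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x:-0} _y=${_y:-0}              # a missing field counts as 0
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
    done
    return 1                                 # equal versions are not newer
}

# pkg_status INSTALLED LAST_VULNERABLE
# INSTALLED is "version-release" as ACS and rpm display it (e.g. 1.3.2-1).
# Prints patched, vulnerable, or unknown (input is not a version string,
# for example rpm's "package ... is not installed" message).
pkg_status() {
    _ver=${1%%-*}                            # drop the RPM release suffix
    case $_ver in
        ''|*[!0-9.]*) echo unknown; return 2 ;;
    esac
    if ver_gt "$_ver" "$2"; then echo patched; else echo vulnerable; fi
}

# On the IBM i itself (assumed default install path):
#   pkg_status "$(/QOpenSys/pkgs/bin/rpm -q --qf '%{VERSION}-%{RELEASE}' libwebp7)" 1.3.1

# Offline demonstration with constructed sample values.
for v in 1.3.2-1 1.3.1-2 1.2.4-0 1.10.0-1; do
    printf '%s -> %s\n' "$v" "$(pkg_status "$v" 1.3.1)"
done
```

The comparison looks only at the upstream version number. A vendor can ship a fix in a new release of an unchanged version, so treat a "vulnerable" result as a prompt to read the vendor's advisory for that package.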

New IBM repositories

If you do not see new versions such as I showed above, check the third column of the list. If the third column does not show the repository names ibmi-base or ibmi-release, you will need to enable them to get the latest open source updates. Enable them by clicking the Available packages tab and installing the package ibmi-repos.

Many thanks to Seiden Group for contributing this article. Seiden Group specializes in innovative, reliable software solutions using IBM i, Db2, Node.js, PHP, Python, RPG, and APIs. They assist CIOs, IT Directors and IBM i teams in all phases of modern development and keep everyone productive with unparalleled performance and troubleshooting services.