Heartbleed does not affect Zend Server for IBM i

The word is already out on this, but this is just to add another post to amplify the message.  The Heartbleed vulnerability in OpenSSL does not affect Zend Server for IBM i.  In fact, Heartbleed does not affect IBM i at all.   Basically, the latest version of OpenSSL on IBM i provided in the 5733SC1 Licensed Program is 0.9.8.  Heartbleed affects version 1.0.1, up to 1.0.1f.

Having said that, there are some adventurous folks out there who like to install their own Linux software for PASE.  Please note that it is not recommended to install OpenSSL into PASE.  Instead, use the IBM i Licensed Program 5733SC1 to install OpenSSL, OpenSSH, and zLib.  Still, it is a doable thing, so somebody may have done it.  If that somebody might be you, here is how to verify what version of OpenSSL you may be running:

Log into a 5250 session as QSECOFR, or as a *SERCOFR class user.  Run this command:

call qp2term

This brings up the PASE shell.  In the shell, run this command:

openssl version

The result should be similar to this:

> openssl version           
  OpenSSL 0.9.8m 25 Feb 2010

As long as the version is not in the range 1.0.1 to 1.0.1f, you should be OK.

If you have been living in a cave, or just want to know more, this page explains the Heartbleed vulnerability pretty well.  The CVE can be found here.  c/net has a pretty good list of major sites that were or were not affected.


Bookmark the permalink.

Leave a Reply