IBM i safe from OpenSSL Heartbleed bug

Clients have asked me whether their IBM i servers may be vulnerable to hackers due to the widely publicized OpenSSL Heartbleed bug.

The answer is no. IBM i is safe from this bug, which is present only in specific OpenSSL versions: 1.0.1 through 1.0.1f (inclusive). IBM i’s latest version of OpenSSL, shipped with the “Portable Utilities for i” licensed program product 5733SC1, is 0.9.8, which does not contain the bug.

To make doubly certain, check what version of OpenSSL is installed on your IBM i. Run these two commands, which, respectively, start a PASE interactive terminal session and check the openssl version:
    call qp2term
    openssl version

For me, the above commands returned “OpenSSL 0.9.8m 25 Feb 2010,” confirming that I’m not affected.

Press F3 afterward to leave the PASE environment.
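
The same check as a POSIX shell function, added here as an example and not part of the original post: it classifies an `openssl version` banner against the affected range given above (1.0.1 through 1.0.1f). The function names heartbleed_status and check_local_openssl are hypothetical, and the sample banners are constructed apart from the two quoted on this page.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the Heartbleed
# range stated in the article (1.0.1 through 1.0.1f, inclusive).

# heartbleed_status "<banner>" prints: affected | not-affected | unknown
heartbleed_status() {
    # The version is the second field, e.g. "OpenSSL 0.9.8m 25 Feb 2010".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%-fips}                      # FIPS builds append "-fips"
    # Accept only release strings such as 0.9.8m or 1.0.1f; anything else
    # (error text, betas, other libraries) is reported as unknown.
    if ! printf '%s\n' "$ver" | LC_ALL=C grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$'; then
        echo unknown; return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[abcdef]) echo affected ;;      # 1.0.1 .. 1.0.1f
        *)                   echo not-affected ;;  # e.g. 0.9.8m, 1.0.1g
    esac
}

# Apply the check to whatever openssl is on PATH. A missing binary is
# reported as such rather than being counted as a clean result.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not on PATH"; return 0
    fi
    banner=$(openssl version 2>/dev/null)
    echo "$banner -> $(heartbleed_status "$banner")"
}

# Constructed sample banners (the first two are the ones quoted on this page).
for b in "OpenSSL 0.9.8m 25 Feb 2010" "OpenSSL 0.9.8y 5 Feb 2013" \
         "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%s -> %s\n' "$b" "$(heartbleed_status "$b")"
done
```

A banner match only says that the binary on the PATH reports a version inside the range; vendor builds that backport fixes can keep an older version string, and other copies of the library on the system are not examined.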

Thanks to Jim Oberholtzer of Agile Technology Architects for his contribution to this answer.

UPDATE from IBM: System SSL and IBMJSSE2 are also safe from the vulnerability on IBM i.


4 Responses to IBM i safe from OpenSSL Heartbleed bug

  1. Hans Weenink says:

    Hi,

    Thanks for the information!
    I found my recently upgraded V6R1, latest cumpack lpar running a slightly younger version of openssl
    OpenSSL 0.9.8y 5 Feb 2013
    Still not affected.

  2. Steph says:

    Thanks, Alan and Jim! I too have had clients asking about this.

  3. JimmyChien says:

    When I use this command, it returns /QOpenSys/usr/bin -sh: openssl: not found
    and I checked the License Program and found there is no 57XX-SC1 installed.
    Does it mean that it does not have any OpenSSL in my system?
