ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

Another Reason to Upgrade Traveler to - iOS9 and Repeating Meetings

Bill Malchisky  September 16 2015 03:38:23 PM
IBM released a support flash late this afternoon (EDT): if you use the native iOS 9 Calendar application and sync against a pre- Traveler server, you can lose repeating meetings on the iOS device. Fortunately, all of the data remains intact on the IBM Notes side, so the desktop client, iNotes, and cloud products will have the full data set, as will Android devices connecting via Traveler. So, inform your users to avoid upgrading to iOS 9 until your environment is tested and upgraded to Traveler, if they use the native mail app, and they will be quite happy they waited.

Attention Apple Users - Protect Yourself from the AirDrop Exploit

Bill Malchisky  September 16 2015 10:16:00 AM
Forbes has one of the best takes on this new vulnerability - particularly as many articles I read all cite the Forbes piece (linked below). Regardless of whether you have OS X or iOS, you are in scope. The issue is that in iOS and OS X an attacker can install apps sans permission via AirDrop--which is used as a quick and easy way to send files between two devices. Unfortunately, the exploit bypasses security (including the App Store): the app need not be trusted, and the user is not notified of the application installation. Know that even if you reject an inbound transfer, your system can become severely compromised--which is a big part of the problem.

The exploit exists in iOS7+ along with OS 10.10 and is partially---not completely---addressed in iOS 9 and OS 10.11 (El Capitan). Thus, please be wary of lesser quality reports that claim the bug is fixed in iOS 9. The easiest workaround is to avoid using AirDrop and keep it disabled; telling users to do this, though, is another matter. If you need/want to use it, just be certain to turn off the feature when you are done. The video below demonstrates just how incredibly easy it is to initiate this attack, so it is best for admins and security officers to alert their team members.

iOS 8.4.1 AirDrop Exploit Demo video

"Smarter hackers abusing such a flaw could go deeper into the phone, to the heart of the operating system."
-- Mark Dowd, Azimuth Security researcher

Forbes - "One Great Reason To Update To iOS 9 - A Nasty Silent AirDrop Attack Is In Town"

"To initiate the attack, all a hacker has to do is to send a file via AirPlay to an iOS or OS X user running iOS 7 or later, and Yosemite, respectively. It doesn’t even matter if the recipient accepts the incoming transfer, as the malware attack is initiated."
-- Ibid.

IBM Software and iOS 9 Support

Bill Malchisky  September 16 2015 12:16:00 AM
As Apple plans to release its new mobile operating system today (16 September 2015), IBM kept busy the past few days updating their correlated technotes. Thus, it seemed appropriate to offer a few links to showcase how IBM plans to support this latest Apple offering vis-à-vis Traveler, Verse, and Connections Cloud Traveler.

Here are any relevant support related articles that mention iOS 9 in regards to IBM Traveler, IBM Verse and Connections Cloud Traveler. Just ensure that for whatever version of Traveler you are running, that Domino is fully patched.

Key Technotes

Official iOS 9 Support Statement for Traveler and Verse
IBM Traveler System Requirements
Supported by IBM Traveler server and later releases.
Supported by IBM Verse client 9.1.2 and later.
Supported by IBM Companion 9.0.11 and later.
Supported by IBM To Do 9.0.10 and later.

IBM Smart Cloud Notes Client Requirements
Support native applications for mail, calendar and contacts as well as the following IBM applications available via the Apple App store:
  • IBM Verse 9.2.1 and later.
  • IBM Traveler Companion 9.0.11 and later.
  • IBM Traveler To Do 9.0.10 and later.
IBM Traveler Support for Latest Device Updates
Apple iOS 9.x support:
  • Supported by IBM Traveler server and later releases.
  • Supported by IBM Connections Cloud Traveler.
  • Supported by IBM Verse 9.1.2 and later applications.
  • Supported by IBM Companion 9.0.11 and later applications.
  • Supported by IBM To Do and later applications.

Note: after several searches, unable to find current support statements in the public domain regarding Sametime products for iOS 9, which is why it is omitted above.

Some Additional Reading

IBM Connections Mobile Applications site
IBM Connections Cloud New Enhancements
What's New in IBM Traveler Server
In case you need it... IBM support for iOS 8
IBM Traveler Recommended Maintenance
Subscribe to Traveler Notifications
What's New in iOS 9, via Apple - {auto-update version link}
Apple iOS 9 Welcome Page - {auto-update version link}

    Back to Blogging...

    Bill Malchisky  September 16 2015 11:07:21 PM
    Finally... after a 2.5 month forced hiatus, I am happy to be back at it. Early July, my ID needed to be re-certified only to learn that my OU certifier became corrupted in a bizarre way. Neither the senior IBM support team nor myself saw such a case--I hope to write it up soon, as a case study. The result though, locked me out of my blog (even with multiple backups of the ID). Having fixed it, I'm ready to go. As those of you who read my blog regularly know, I post at least once a month--with a very rare exception--so this break proved difficult.

    Have a great autumn!


      A Special Day in Baseball -- For Those Who Appreciate Any Sport

      Bill Malchisky  June 28 2015 09:25:57 PM
      I make no grand illusions about being a professional baseball fan (which is short for fanatic), I leave that to my friends like Curious Mitch and Chris Whisonant for example, who love their respective teams. I like the game, listen to radio broadcasts when I can and that is enough for me. Today though, was something of a dream for any child who seeks to play professional sports. That special event occurred in New York City, on Citi Field, with the Mets on Sunday, 28 June 2015. Today, a young Steve Matz, made his MLB (Major League Baseball) debut. Why is that such a special event, as rookies play every year? Regardless of one's favorite sport, any story like this, with such a debut can be appreciated by anyone who enjoys any sport.

      Mr. Matz grew up on Long Island which makes him a local boy to the New York ball clubs. As a child, he loved the Mets and even dreamed of playing for them one day. From that point in his life to now commenced a highly improbable path showcasing raw determination to play in the big leagues. Many dream of playing pro sports, few actually accomplish that. The Mets Pitching Prospect Report on Steve Matz provides the full history. To summarize, despite being drafted into the farm league in 2009, Mr. Matz had Tommy John surgery very early in his career and took a full two years to rehabilitate, then had shoulder tendonitis. In his fourth year, he finally pitched a full season, worked quite hard, and sought to prove he could play in the pros. Moving through five different teams in the minor leagues, he eventually settled in Las Vegas where he pitched quite well and "got it together". Ultimately, he got bored as per his coach---remarked by Mets Manager Terry Collins during today's post-game interview---and made the case to the Mets coaching staff, that, "It's time." After hearing that multiple times, the Mets called him up. As per Terry Collins, they had today's date picked months ago.

      Today's game got delayed due to Saturday's game being called for rain in the sixth inning. With a tie score, the game had to be continued, which occurred Sunday. As the Mets typically do, it went to extra innings, further delaying Mr. Matz's start. If this is your first professional game, with between 130-150 of your friends and family in attendance, playing for the team you love, at home, for the team your family loves, is surreal for many. But to then play at the level he did, achieving the results he did is an incredible experience, matched by very few professional athletes in any sport.

      First on defense, Mr. Matz pitched for 7-2/3 innings, giving up five hits, two earned runs, three walks and six strike outs. His first pitch made it to the back wall. Nerves of course. The same batter hit him deep and got a solo home run. One batter, one run, no outs. Not a great start. Mr. Matz immediately showed the poise of a veteran player, re-focused his play, and got the next batter out and out of the inning as he did in the second. When the Reds got their second solo shot off of Mr. Matz two innings later, he was unhappy of course, but immediately re-focused and never let another run score. Each time a pitch was suboptimal, he made an adjustment on the next pitch. That is mental toughness, especially from a rookie pitcher. Early in the game, I saw him throw to second base for a double play. This is a throw that some pitchers have difficulties making, due to the quickness it requires and not being able to use their wind-up. (A similar play put The Yankees in a position to lose Game 7 of The World Series against the Arizona Diamondbacks in 2001 on a bunt to the pitcher and an errant throw to second; so it is hardly trivial, in my estimation.)

      What makes this rookie's debut even more special is his hitting ability. In Mr. Matz's own words, "I love to hit. It's fun for me." Most pitchers are at the bottom of the order, and get a pinch hitter in an important situation (which takes them out of the game). For this reason, the American League allows a DH (designated hitter) to hit for the pitcher. If that was the case today, New Yorkers would never have seen such balanced talent. The unexpected contributions pitchers make on offense, is what keeps the National League truer to the roots of baseball for many fans--it is an interesting discussion none-the-less.

      Mr. Matz came to win and wanted to ensure he helped his chances. In his first MLB at-bat, he got a two RBI (Runs Batted In) two base hit. That was huge and put the Mets in the lead. "We needed that." -- Manager Terry Collins said after the game. In fact on offense, Mr. Matz went three for three (3-3) with four RBIs. That is a huge offensive game for any ball player--more so for a pitcher. On both sides of the plate, Steve Matz played excellent baseball.

      The win today caused the Mets to sweep the Reds, while at home. The outing gave the team a much needed confidence boost, in a way that few authors could dream (The Mets offense has been absent recently). The radio broadcaster for the Mets, Howie Rose, thought of the big names over the years who started for the Mets and recalled their debut games. A couple were at home, nothing memorable as he recalled--Tom Seaver, Gary Carter, Dwight Gooden, Darryl Strawberry to name a few. This was a story and debut game for the ages. Although I will never say I saw the game at Citi Field, I did listen to it on the radio and watched a few innings on television. Whether your favorite sport is baseball, football, hockey, soccer, or something else, surely you can respect the achievements of a local kid wanting to play so badly for his/her local team, then finally getting the chance after years of injuries and rehab, and having a debut game that will be talked about for a long time, in front of over 130 friends and family members, while helping his team sweep their opponents. All combined, makes it all the more special. Games like this are very rare. Mr. Matz also gives a great interview: cordial, humble, and articulate. Nicely done today, Mr. Matz. Continued success to you.

      Five stories from local press with quotes from his family in the first link

      MLB Game Day box score and stats sheet
      Over a year ago, Steve Matz made headlines due to his quality play
      SNY.tv Exclusive Interview from February 2015

      Security Alert: IBM Java 6 SR16FP3 IF1 Contains Vulnerabilities Impacting Domino - Get the Fix

      Bill Malchisky  June 3 2015 03:03:10 PM
      IBM Security released a new bulletin today, entitled, "Security Bulletin: Multiple vulnerabilities in IBM Java 6 SR16FP3 IF1 affect IBM Notes and Domino" describing the latest vulnerabilities reported by Oracle. Know that IBM Java 6 SR16FP3 IF2 resolves the issues, and it is suggested that you install it on your production Domino servers as soon as you can.

      Multiple Vulnerabilities Addressed
      The IBM security bulletin provides detailed descriptions and links for each of the 13 vulnerabilities identified.

      Affected versions of Domino
      Pretty much all 8.5.x and 9.0.x flavors are in-scope
       1. IBM Notes and Domino 9.0.1 Fix Pack 3 (plus Interim Fixes) and earlier
       2. IBM Notes and Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier
       3. IBM Notes and Domino 8.5.3 Fix Pack 5 (plus Interim Fixes) and earlier
       4. All 9.0 and 8.5.x releases of IBM Notes and Domino prior to those listed above.

      IBM offers an Interim Fix (IF) 2 for both Domino 8.5.3 and 9.0.1 code streams, via technotes 1663874 and 1657963, respectively. If running Notes on Linux, mind the additional installation section at the bottom, entitled, Instructions for installing Notes Interim Fixes on Linux for the simple process to install the IF.

      Each technote also contains links on Notes and TLS 1.2 support, and protecting Notes from the POODLE attack (here (ND9) and here (ND8.5.3)) if you were previously unaware.

      "Let’s Get Ready to Logjam!" -- The Need to Know About This New Exploit

      Bill Malchisky  May 22 2015 12:35:00 AM
      Logjam (CVE-2015-4000) is the latest server exploit hitting the nation (world). In scope are 8.4x10**3 of the top 1x10**6 websites and 14.8% of mail servers in the IPv4 address space as per weakdh.org. The cause is a weakness identified in the Diffie-Hellman key exchange (explained here and here), with the exploit reported early by Ars Technica.

      The root cause goes back to the 1990's. Recall when products like Lotus Notes had a North American encryption flavor and an International encryption flavor. That ended when encryption standards were lowered and the two offerings merged, for example. It helped the Feds crack encryption overseas, but now average users have incredible computing power available to them cheaply. Thus, algorithms can be broken with significant ease today, that were nearly impossible to do so 20 years ago. I expect more exploits of this nature in the months ahead.

      "Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography"
      -- J. Alex Halderman, a key scientist behind the exploit's research, posted at https://weakdh.org

      Work-around and a Solution

      Initially, server administrators should disable support for DHE_EXPORT ciphersuites, as they allow Diffie-Hellman connections to be downgraded to export-grade strength.

      The solution for Logjam is akin to POODLE in that TLS is the way to go. Companies like Red Hat and IBM offered TLS solutions for POODLE, and the Logjam research team provided a document on how to correctly deploy Diffie-Hellman for TLS.

      For your browsers, jscher2000 in Silicon Valley, CA, via a mozillaZine Logjam post offers a four step process to Disable insecure ciphers.
      "(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
      (2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
      (3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
      (4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)"
      Then, test the success with the Qualys SSL Labs test in the next section.

      Paul Farris, earlier this week, wrote a blog post on Domino SSL Ciphers, which is located here.

      Establishing your Risk


      Web browsers should be updated shortly (as of this writing). Internet Explorer on Windows 10 was the first to have a patch. Firefox and Chrome are in the works. Check here for clarity. As of this morning (21 May 2015), my browsers were still at risk.

      For checking browsers beyond Logjam, Qualys SSL Labs has a browser check here which checks three key vulnerabilities, the protocol support and features plus cipher suites utilized


      The TLS deployment document has a Server Test, which is easy and free to use. Here is the link. Just scroll down to the Server Test section. I tested many known sites and found that many were safe from Logjam style attacks (which is on par with the sub-ten percent of sites in scope), though they could be further secured with Elliptic-Curve Diffie-Hellman (ECDHE).


      They also offer two suggestions for many common application server programs (e.g. Apache, OpenSSH). The researchers also suggest that all your TLS libraries are patched and set to reject D-H Groups < 1024-bit in size.
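The two server-side checks discussed above (no export-grade or plain DHE suites left enabled by accident, and no Diffie-Hellman group under 1024 bits) can be run offline against a cipher list and a "DH PARAMETERS" PEM file. This is an added example, not code from the Logjam researchers or any vendor; the 2048-bit "ok" threshold, the function names, and the sample groups (constructed numbers of the right size, not real primes) are assumptions of the example.

```python
import base64
import re

MIN_BITS = 1024   # floor named in the post: reject groups smaller than this
GOOD_BITS = 2048  # assumption of this example: below this, flag for review

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def dh_group_bits(pem_text):
    """Bit length of the prime in a PKCS#3 DHParameter block (SEQUENCE { p, g })."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for the prime")
    return int.from_bytes(prime, "big").bit_length()


def assess_group(bits):
    """Map a group size onto the policy described in the post."""
    if bits < MIN_BITS:
        return "reject"
    return "review" if bits < GOOD_BITS else "ok"


def classify_suite(name):
    """Sort a cipher suite name (IANA, OpenSSL or Firefox pref style) by key exchange."""
    n = name.upper()
    if "EXPORT" in n or n.startswith("EXP-"):
        return "export"          # export-grade: disable outright
    if "ECDHE" in n:
        return "ecdhe"           # test before DHE, which is a substring of ECDHE
    if "DHE" in n or "EDH" in n:
        return "dhe"             # acceptable only with a large enough group
    return "other"


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(v):
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")   # minimal positive encoding
    return b"\x02" + _der_len(len(raw)) + raw


def make_pem(p, g=2):
    """Build a DH PARAMETERS PEM for the constructed samples below."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN DH PARAMETERS-----\n"
            + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    # Constructed sample groups: numbers of the stated size, not real primes.
    for size in (512, 1024, 2048):
        bits = dh_group_bits(make_pem((1 << (size - 1)) | 1))
        print(f"{bits:5d}-bit group -> {assess_group(bits)}")
    for suite in ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                  "security.ssl3.dhe_rsa_aes_128_sha",
                  "ECDHE-RSA-AES128-GCM-SHA256"):
        print(f"{suite} -> {classify_suite(suite)}")
```

To check a real server, pass the contents of its DH parameters file to `dh_group_bits` and its configured suite names to `classify_suite`.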

      Checking Servers

      More detailed results are available from these two free resources
      1. An open source site entitled SSL Decoder is available to decode, well, as you surmised, a site's SSL connection. The output is robust and the licensing allows for use internally, so start testing;
      2. Qualys SSL Labs' SSL Server Test - which provides links to additional information on each exploit tested, with several linked resources on each information page.

      A side point to know is that DSA-1024 bit signing keys are quite insecure and should be at 2048 or higher, with 4096 recommended where possible. If your keyrings are light on the encryption bits, make a plan to get them upgraded this year.

      Notation: Know that the client fix may block some websites lacking current updates. Thus, it is a good idea to ensure that your company site is current on web security patches.

      Red Hat to the Rescue

      Upon learning of the threat, Red Hat did their own research with threat assessment and published their security bulletin on this exploit. The good news is that RHEL 6.6+ and 7 are NOT vulnerable to Logjam, but if you are running early RHEL6 versions (get them patched -- see advisory RHBA-2014:1525) or RHEL 5, then you are vulnerable. Specifically, RHEL 7 omitted export-grade cipher suites by design in its initial release--offering peace of mind to those that upgraded early.

      To their credit, Red Hat made it clear early that they will not update the default cipher list in RHEL 5, so you need to upgrade to at least RHEL 6.6 to be safe. I do like a vendor that gets to the point quickly in an unambiguous manner. Everybody wins with this type of communication, from my perspective.

      SUSE has a security bulletin with some information on resolutions, located here.

      Additional Reading

      Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice -- outlining specific attacks and how the researchers broke the 512-bit DH group
      Logjam Attack Proof of Concept Demonstrations -- which lists the susceptibility to each of the three attack styles
      Guide to Deploying Diffie-Hellman for TLS
      Logjam: TLS vulnerabilities (CVE-2015-4000) by Red Hat
      MITRE CVE's Logjam dictionary definition
      NIST NVD's entry (National Vulnerability Database)
      "Logjam TLS Attack (Weak Diffie-Hellman) and Novell Products"

      Train Tips for European Traveling -- Chapter III

      Bill Malchisky  April 22 2015 12:30:00 AM
      This year I needed to travel from Zurich, Switzerland to Ghent, Belgium by rail. In contrasting the route through Paris two years ago, I decided to take a chance and transfer instead in Cologne, Germany.  This post describes the lessons learned and useful tips to make your next rail experience even better.

      As I needed to work and needed to increase the chances for power, I chose first class end-to-end on this trip. The rates were reasonable enough that the service upgrade proved cost-effective on my route, which is quite unusual I learned. Note that information on previously reviewed trains --- two years ago --- included second class, which is in contrast to this year's experience and updates.


      1. SBB IC from Zurich to Basel
      2. Transferred to the DB Bahn ICE through Germany via Cologne to Brussels
      3. From Brussels to Ghent I transferred to the local Belgian rail line IC (express) for the last segment
      This route proved excellent overall with fast and easy connections.

      Swiss Rail -- SBB

      The Swiss train chosen is different than last year's service to Thusis via Chur. The IC express to Basel in 53 minutes. Very nice trains, comfortable seats, and power on some of seats. The one-by-two seat configuration allowed groups of four to sit together facing each other or two people to share a table if sitting against the window on either side. Just wide and deep enough for a 15" laptop with the power brick to lay alongside. Comfortable and impeccably on-time.

      German Rail -- DB Bahn ICE

      I last utilized the DB Bahn during the 2006 World Cup, so it was interesting to see the changes in the past nine years.

      To increase my chances to work unimpeded, I sat in the quiet car, which worked well for me. In speaking with German colleagues at my conference, I learned that all 2nd Class seats have power now on ICE, so that is a good tip and definitely saves money on rail fares.

      The seven hour journey did not disappoint from a rail experience, but know that just because they offer a Boardrestaurant or Boardbistro does not mean you will get food. In my case, the first train lacked water in the food car, so they had no hot meals, just sandwiches on a mobile food cart with water, juice, coffee, and some spirits as I recall. The second trip (2.5h) lacked any food beyond meat-based sandwiches (fine for some, but not for vegetarians). The German diet is mostly meat based, so the lack of sandwich variety met my expectations--a perfect time to dive into my travel food bag.

      If you require customer service when booking your tickets, know that e-mail is their preferred option and in my case took three business days (plus the weekend) to receive a response. Thus, before booking your tickets, double check every detail. Otherwise if you were to make a mistake when purchasing your ticket and unless you purchased well in advance, you might have to seek assistance upon arriving at the train station and wait on line there before boarding your first segment's train.

      On-board WiFi

      When looking at trains two years ago, I commented in my first train tips post that DB Bahn wanted to include WiFi on their trains out of Frankfurt; as this trip routed via Cologne and did not travel to Frankfurt, I am unable to accurately comment on WiFi progress therein. But know that WiFi on my route was non-existent and remains today a problem in much of Europe with all trains. For this reason and my train experiences over the past three years, I must confidently state that the US' Amtrak Acela service and regional trains in the northeast are significantly better in this regard.

      Train Station WiFi

      The Cologne station's WiFi refused to send me an SMS access code for the free Internet, which meant no Internet access during my time there. If you lack a data card for your smart phone, you need to know that you might have problems getting the mobile rail ticket to display on your phone (app specific). As a hedge against a no ticket situation with a short transfer, pre-print your ticket before leaving so you have it on your person and no matter what happens, you can board safely.

      In the Zurich and Basel rail stations, getting WiFi proved easy and reliable. As long as you have a cell phone to receive a text message (SMS), you can get online. This doesn't work with WiFi only tablets, so be warned that you need a cell phone to retrieve the code (which you can then enter on your tablet) in these stations too.

      Transfer Times

      If you see a station with a four minute connection window, it is actually reasonable to make your connecting train, but best to get a map of the station first so you know where to go. Small transfer times can be managed easily in Germany and Switzerland. Belgium can require more walking, so it is best to check the map. As a goal, the transfer time is based upon what is reasonable for a local traveler to be able to accomplish sans rushing. How much luggage that includes remains unclear, but if you require red cap services (luggage porter) at each station, then look for a longer window.

      Pricing and Payments

      Swiss trains offer Super Saver fares on certain trains, for sub-14 day purchases, which are dramatically cheaper than the normal fares. If the desired train is expecting low to medium occupancy, wait. Caveat, ticket is pre-paid, and can not be changed. In this case, you need to  either buy another ticket or get a ride.

      Belgium train tickets now accept American Express, MasterCard, and Visa at the rail station. At the time of this writing, they still allow both micro-chip and magnetic strip cards, so if your credit card company has yet to replace your card with increased security, you are fine. The payment option expansion is a nice change since the 2013 trip.


      Traveling via DB Bahn is hands-down easier to go from Switzerland to Belgium than via the TGV. The Cologne transfer over the Paris transfer alone (see Tip 4 below for the painful details) warrants due consideration for this route. The Belgian rail experience improved dramatically by removing the Belgian only bank card rule for non-cash payments. In Germany, traveling in first class does not mean that you get a meal on the German trains. And you can of course forget about WiFi on-board. I do enjoy traveling by rail and found this route and connections to be easy, efficient and cheaper than air travel. Looking forward to my next rail adventure. Overall, one of the better train travel days I had.

      In a future post, I will contrast Acela to the European trains as a means to offer more tips for non-locals of the northeast United States, and a way to incorporate it into your rail travel to reduce costs when flying to the US.

      Additional Tips

      1. Read The Man in Seat 61 for specific tips on your chosen city pair. It is a lot of information to keep current, but overall, he is on-the-mark and provides an invaluable collection of rail knowledge. Mike Smith suggested that site two years ago, and it proved valuable on many levels.
      2. Rick Steves' Travel Tips: Trains & Rail Passes
      3. Train Tips for European Traveling - Part II (2014)
      4. Train Tips for European Traveling (2013)

      Ten Behaviors That Could Kill Your Career

      Bill Malchisky  April 13 2015 11:30:00 PM
      A few weeks ago, Jack Welch wrote an article for the Daily Mail covering common pitfalls stalling one's career. Many items listed were taught to me when I worked as an employee or through customers along the way, thus, I appreciated his wisdom. If you have not read the piece, I wanted to share it. Perhaps you know someone that can use the information to better himself or herself in their current job, or apply an item below to your own aspirations.

      I find point three is particularly important. To paraphrase a customer from about 18 years ago, "Come to the table with solutions, otherwise you are being spiteful." I always remembered that point (and glad I had a solution).

      The excerpt below is included verbatim from the article.

      If you recognize your own behaviors here, make it your mission to change them - before you have to. In time, you’re likely to see your career move from a stall to a soar.

      1) Misfiring on performance or values - Overcommitting and under-delivering
      2) Resistance to change - Failing to embrace new ideas
      3) Being a Problem Identifier vs a Problem Solver
      4) Winning over your boss but not your business peer group
      5) Always worrying about your next career move versus focusing on the present
      6) Running for office - it’s totally transparent to everyone but you!
      7) Self-importance - exhibiting a humorless, rigid attitude
      8) Lacking the courage and conviction to push back on the system
      9) Forgetting to develop your own succession plan for when you get promoted
      10) Complacency - you’ve stopped growing.

      Jack Welch is executive chairman the Jack Welch Management Institute, where he is directly involved in preparing MBA and Executive Certificate program graduates to transform their companies and careers.

      If you’re experiencing a stalled or faltering career - and most of us do at some point or another - take a good look in the mirror. Are you guilty of exhibiting any of these common behaviors?


      How To Kill a GHOST: The Next Vulnerability

      Bill Malchisky  April 10 2015 12:10:00 AM
      The first big vulnerability for 2015 launched during IBM ConnectED. With conference and presentation prep the past several weeks, I checked Planet Lotus to see if GHOST was previously covered. Not seeing any posts, I wanted to write about it now.

      In my opinion, this vulnerability gained less traction than POODLE and Shellshock due to the limited scope. GHOST (CVE-2015-0235) impacts the glibc gethostbyname() and gethostbyname2() calls. Applications using DNS resolution are primarily impacted, but any application utilizing glibc is a potential issue. As most non-hosting companies do not offer public DNS servers, the crisis is somewhat muted especially as the risk becomes internal only. However, the issue's importance became escalated on several sites in my opinion, due to the ease with which one can exploit the vulnerability--which I will intentionally leave undisclosed in this post.

      It is important to note that IBM Domino is NOT affected by GHOST.

      Additional Reading

      Common Vulnerabilities and Exposures' official write-up on CVE-2015-0235, including scores of references links
      National Vulnerability Database's summary via the NIST is here, revised 6 April 2015
      ZDNet's GHOST article

      Checking The Vulnerability

      Using the Red Hat Access Lab glibc (GHOST) Detector, one can quickly and easily ascertain the risk. This detector provides a small shell script which you run locally. Just change the permission to add executable access, then run the script. The results will tell you if you are vulnerable or not.
      Note: this tool only works for RHEL, CentOS and RHEL based systems

      Other options include, the Cyberciti post, and using OpenWall's C script


      To address this vulnerability, you just need to update the glibc version. If you have a fully patched system, this is trivial. If you have lagged on upgrades over a period of time, you might have several dependencies needing resolution. Each major distro has a page on this issue, with a suggested fix for their build.

      Red Hat -- they offer a fix for RHEL4 - RHEL7, with a caveat for RHEL4. They also suggest performing init 6, but recognize that is always less than convenient, so they provide a temporary method of restarting public facing processes in-scope. The full list of processes still using the older glibc version can be viewed through this command:

      lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

      SUSE -- Issue announcement , their bugzilla report and resolution page
      Canonical's Ubuntu -- Security Notice USN-2485-1, their CVE-2015-0235 reference sheet, and Wiki reference sheet
      Debian Linux -- DSA-3142-1, addresses their eglibc, which is their version of glibc
      Oracle Linux
      Cyberciti.biz -- general testing and fixing for Linux distros with several included flavors

      Product Specific -- Red Hat's rhev-hypervisor6 security update

      IBM Specific Product Technotes

      Technote 1696618 covers their Security Proventia Network Enterprise Scanner product and lists a product fix
      Technote 1696526 covers their Security Virtual Server Protection for VMware which includes fixes
      Technote 1695835 covers their Security Access Manager for Enterprise SSO Virtual Appliance
      Technote 1696243 covers their WebSphere Transformation Extender with Launcher Hypervisor [for RHEL]
      Technote 1696602 covers their PureApplication System
      Technote 1696600 covers their Workload Deployer
      Technote 1695860 covers their QRadar SIEM, QRadar Risk Manager, and QRadar Vulnerability Manager products
      Technote 1696546 covers their Tivoli Access Manager for e-business
      Technote 1697649 covers Domino not being in-scope

      IBM's Product Security Incident Response site lists all of the IBM GHOST related Technotes


      © 2010 William Malchisky.