A few days ago I noted here that the IBM i (AS/400) did not have a Heartbleed vulnerability, and I shared a link to an IBM statement about this. It looks like IBM got a little ahead of themselves. You need to be aware of the new IBM Heartbleed security advisory for Power Systems.

The advisory only applies to selected IBM i platforms, so be sure to read the entire advisory to understand if you are affected.

This advisory includes the Hardware Management Console (HMC) which is widely used by IBM i customers with multiple logical partitions (LPARs). Even if you use the HMC to manage a single LPAR, you are probably affected by this advisory. Almost everyone enables HMC terminal access services in such a way that they would be exposed to the Heartbleed vulnerability.

If you do have a vulnerable IBM i system, you should follow IBM’s advice and force your IBM i users to change their passwords. If you’ve already done this before applying the recommended updates, you should do it again (after you put on your teflon suit, of course).

Don’t forget to ask your third party vendors about any Heartbleed vulnerabilities in their software.

Townsend Security does not use the affected version of OpenSSL for TLS session security in any of its products, and is not affected by the Heartbleed vulnerability.

Patrick