IBM Support

Security Bulletin: IBM i is vulnerable to a user gaining elevated privileges due to an unqualified library call [CVE-2024-55898].

Security Bulletin


Summary

IBM i is vulnerable to a user with the capability to compile or restore a program gaining elevated privileges due to an unqualified library call, as described in the Vulnerability Details section. This bulletin identifies the steps to take to address the vulnerability, as described in the Remediation/Fixes section.

Vulnerability Details

CVEID:   CVE-2024-55898
DESCRIPTION:   IBM i could allow a user with the capability to compile or restore a program to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege.
CWE:   CWE-427: Uncontrolled Search Path Element
CVSS Source:   IBM
CVSS Base score:   8.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM i | 7.5 |
| IBM i | 7.4 |
| IBM i | 7.3 |
| IBM i | 7.2 |

Remediation/Fixes

The issue can be addressed by applying PTFs to IBM i.  IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.
The IBM i 5770-SS1 PTF numbers listed below resolve the vulnerability.
IBM i Release | 5770-SS1 PTF Numbers | PTF Download Link
7.5

SJ03650
SJ03678
SJ03685
SJ03754
SJ03769
SJ03804
SJ03808
SJ03813
SJ03817
SJ03821
SJ03841
SJ03864
SJ03892
SJ03902
SJ03997
SJ04013
SJ04017
SJ04020
SJ04051
SJ04063
SJ04126
SJ04154
SJ04156
SJ04168
SJ04174
SJ04193
SJ04200
SJ04211
SJ04260

https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03650
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03678
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03685
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03754
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03769
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03804
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03808
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03813
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03817
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03821
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03841
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03864
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03892
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03902
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03997
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04013
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04017
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04020
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04051
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04063
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04126
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04154
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04156
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04168
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04174
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04193
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04200
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04211
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04260

7.4

SJ03651
SJ03679
SJ03684
SJ03753
SJ03772
SJ03803
SJ03807
SJ03812
SJ03816
SJ03820
SJ03842
SJ03868
SJ03891
SJ03901
SJ03998
SJ04016
SJ04018
SJ04019
SJ04050
SJ04061
SJ04127
SJ04162
SJ04167
SJ04173
SJ04201
SJ04251
SJ04259

https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03651
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03679
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03684
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03753
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03772
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03803
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03807
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03812
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03816
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03820
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03842
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03868
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03891
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03901
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03998
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04016
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04018
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04019
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04050
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04061
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04127
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04162
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04167
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04173
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04201
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04251
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04259

7.3

SJ03652
SJ03680
SJ03683
SJ03752
SJ03773
SJ03802
SJ03806
SJ03811
SJ03815
SJ03819
SJ03843
SJ03869
SJ03890
SJ03999
SJ04049
SJ04060
SJ04078
SJ04080
SJ04081
SJ04128
SJ04166
SJ04169
SJ04172
SJ04202
SJ04252
SJ04258

https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03652
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03680
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03683
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03752
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03773
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03802
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03806
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03811
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03815
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03819
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03843
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03869
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03890
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03999
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04049
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04060
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04078
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04080
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04081
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04128
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04166
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04169
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04172
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04202
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04252
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04258

7.2 

SJ03653
SJ03681
SJ03682
SJ03748
SJ03774
SJ03801
SJ03805
SJ03810
SJ03814
SJ03818
SJ03844
SJ03870
SJ03889
SJ04002
SJ04048
SJ04059
SJ04069
SJ04079
SJ04082
SJ04147
SJ04165
SJ04171
SJ04176
SJ04203
SJ04257
SJ04264

https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03653
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03681
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03682
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03748
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03774
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03801
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03805
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03810
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03814
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03818
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03844
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03870
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03889
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04002
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04048
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04059
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04069
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04079
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04082
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04147
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04165
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04171
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04176
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04203
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04257
https://www.ibm.com/mysupport/s/fix-information?legacy=SJ04264

 

https://www.ibm.com/support/fixcentral

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.
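
One way to confirm the remediation on a given system is to compare the PTF list above with the system's PTF inventory. The following is an added example, not IBM's code: it parses the release/PTF layout used in this bulletin (only a short excerpt is embedded) and reports required PTFs that are not applied. The inventory rows are constructed, the function names `parse_bulletin` and `audit` are hypothetical, and the inventory is assumed to be an export of PTF identifier and loaded status such as the `QSYS2.PTF_INFO` view provides.

```python
import re

# Excerpt of this bulletin's fix table (first three PTFs for 7.5 and 7.4 only).
BULLETIN_EXCERPT = """\
7.5

SJ03650
SJ03678
SJ03685

https://www.ibm.com/mysupport/s/fix-information?legacy=SJ03650

7.4

SJ03651
SJ03679
SJ03684
"""

# Constructed inventory rows: (PTF identifier, loaded status).
SAMPLE_INVENTORY = [
    ("SJ03650", "PERMANENTLY APPLIED"),
    ("SJ03678", "LOADED"),          # loaded but not yet applied
    ("SJ03651", "APPLIED"),
]

# Statuses treated as "fix active". Anything else (LOADED, SUPERSEDED, ...)
# is reported so an administrator can review it.
FIXED = {"APPLIED", "PERMANENTLY APPLIED"}

def parse_bulletin(text):
    """Map each release heading (e.g. '7.5') to the set of PTF ids under it."""
    required, release = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"7\.\d", line):
            release = line
            required.setdefault(release, set())
        elif release and re.fullmatch(r"SJ\d{5}", line):
            required[release].add(line)
        # URL lines repeat the same ids and are ignored.
    return required

def audit(required, inventory, release):
    """Return {ptf: status} for each required PTF that is not applied."""
    if release not in required:
        raise KeyError(f"release {release} not listed in bulletin text")
    status = {ptf.upper(): st.strip().upper() for ptf, st in inventory}
    return {ptf: status.get(ptf, "NOT ON SYSTEM")
            for ptf in sorted(required[release])
            if status.get(ptf, "NOT ON SYSTEM") not in FIXED}

if __name__ == "__main__":
    for ptf, st in audit(parse_bulletin(BULLETIN_EXCERPT), SAMPLE_INVENTORY, "7.5").items():
        print(f"7.5 {ptf}: {st}")
```

A PTF reported with a status such as SUPERSEDED needs a manual check that the superseding PTF is itself applied.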

Workarounds and Mitigations

None

References

Change History

22 Feb 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

Document Information

Modified date:
22 February 2025

UID

ibm17183835