On Tuesday, January 14, an announcement was posted on IBM's ACS Updates page:
IBM i Access Client Solutions is vulnerable to an attacker carrying out an XML External Entity injection via a crafted XFA file inside of a PDF.
Apache Tika is used by the Run SQL Scripts feature to determine the content type of binary column data in a table on the IBM i.
IBM strongly recommends upgrading to 1.1.9.11, and discontinuing use of versions 1.1.9.8 through 1.1.9.10.
The download was not available until Wednesday morning, when I received the following alert when starting my ACS:
I can either click on the "Download update…" button, or I can go to IBM's ACS website, http://ibm.biz/IBMi_ACS (the URL is case sensitive).
The "Login to IBM" page is opened. Don't worry if you don't have an IBMid; you can create one in a couple of minutes.
Confirm your agreement with IBM's license.
You will then be presented with the "IBM i Access Client Solutions" page. The download for ACS's latest version is the first download.
Click on the "Download" action. The file will be downloaded onto your computer.
Once you have downloaded the zip file, I recommend you read the "Getting Started" file. This will guide you through the install process depending upon which operating system you use.
I installed the new release without any issues.
I can then confirm that the new release was installed (Help > About):
There was nothing new added to 1.1.9.11, just the fix for the vulnerability. If you want to learn what is included in ACS to date, see IBM's ACS webpage.
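If you look after more than one PC, the version shown in Help > About can be checked against the range in the announcement. The script below is an added example, not IBM's code or part of the original post; the `host,version` inventory layout, the host names and the status labels are assumptions. Versions are compared as numbers because a plain string comparison would sort 1.1.9.10 before 1.1.9.8.

```python
import re

# Announced range: 1.1.9.8 through 1.1.9.10 affected; 1.1.9.11 has the fix.
FIRST_AFFECTED = (1, 1, 9, 8)
FIXED = (1, 1, 9, 11)
_VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+){3}$")


def parse_version(text):
    """Turn '1.1.9.10' into (1, 1, 9, 10); return None if malformed."""
    text = text.strip()
    return tuple(map(int, text.split("."))) if _VERSION_RE.match(text) else None


def classify(text):
    """Classify one ACS version string against the announced range."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version >= FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"
    return "older"  # before the range the announcement names; not assessed here


def audit(inventory_text):
    """Return {host: status} for 'host,version' lines (assumed layout)."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


# Constructed sample inventory; host names are made up.
SAMPLE = """\
# host,acs_version
pc-accounts-01,1.1.9.8
pc-dev-02,1.1.9.10
pc-dev-03,1.1.9.11
pc-ops-04,1.1.9.7
pc-ops-05,1.1.9
"""

if __name__ == "__main__":
    print("\n".join(f"{h}: {s}" for h, s in audit(SAMPLE).items()))
```

Any PC reported as "affected" needs the 1.1.9.11 download described above; "unknown" means the version string was not in the four-part form and should be checked by hand.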



