McNelly: IBM Unveils watsonx.data
Rob McNelly shares details on the recently GA'ed watsonx.data on IBM Power, an explainer on the dangers of 'shadow AI' and the latest security alerts
For many, the start of another New Year is a time to take stock of the past and plan for the future.
In my case, during my downtime in December, while spending time with family and getting outdoors to enjoy the nice Arizona weather, I took a look back at the articles I wrote in 2025. I covered topics ranging from the virtual HMC to IBM storage to cloud migration to, of course, AIX enhancements in Power11. I even co-authored one of the Power11 Redbooks.
Digging into the archives reminds me how fortunate I am to do the work I do, write about what I love, and share what I learn with my fellow AIX professionals. As always, I’m grateful to everyone who regularly reads the things I write.
As for what’s new and what’s ahead, let’s get to it.
watsonx.data on Power a Foundation for Generative AI
IBM’s Brandon Pederson has this summary of the general availability of watsonx.data on Power:
“… This milestone marks the next step in delivering a unified and hybrid data foundation purpose-built for the era of generative AI. IBM watsonx.data is a hybrid and open data lakehouse designed to help enterprises store, manage, enrich, and govern structured and unstructured data at scale, unlocking insights faster and enabling generative AI with trusted data. By combining the flexibility of data lakes with the performance of data warehouses, watsonx.data helps organizations simplify their data estates, improve price-performance, and gain self-service access to governed enterprise data.”
The Dangers of ‘Shadow AI’
While we’re on the subject of AI, this explainer highlights the need for IT department leaders and CIOs to maintain strict oversight of all deployments on the network, particularly as it relates to AI:
“Shadow AI refers to the deployment of any software, hardware or information technology on an enterprise network without an IT department or CIO’s approval, knowledge or oversight. Employees might turn to unsanctioned AI technology when they find existing solutions insufficient or believe that the approved options are too slow….
“From 2023 to 2024, the adoption of generative AI applications by enterprise employees grew from 74% to 96% as organizations embraced AI technologies. Alongside this growth came a rise in shadow AI. Today, over one-third (38%) of employees acknowledge sharing sensitive work information with AI tools without their employers’ permission.
“Shadow AI can expose companies to several risks including data leakage, fines for noncompliance and severe reputational damage…”
There’s much more, so be sure to read the whole thing.
Security Alerts From IBM Support
* AIX is vulnerable to a denial of service due to cURL libcurl:
“… AIX uses cURL libcurl as part of rsyslog, LV/PV encryption integration with HPCS and in Live Update for interacting with HMC.”
“CVEID: CVE-2025-9086
DESCRIPTION:
1. A cookie is set using the secure keyword for https://target#96;
2. curl is redirected to or otherwise made to speak with http://target` (same hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set – but with just a slash as path (`path=’/’`). Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.”
* Vulnerabilities in OpenSSL could allow an attacker to trigger an out-of-bounds read:
CVEID: CVE-2025-9230
“An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.”
* Depending on your code VIOS code level, you could see an issue with Live Partition Mobility with a tape drive:
“Problem summary: LPM validation fails for the tape devices.
Problem conclusion: added the logic to skip the the lun_id comparison for the tape devices.”
* I also saw this reported as an issue if user descriptions contain spaces in the gecos field:
“Viosupgrade completed successfully but report security configuration error:
(1) Security configuration error
The following message appears in the file
/home/ios/logs/viosupg_restore.log:
FAILED SECURITY CONFIGURATIONS
============================
2025-10-16 05:47:32 CDT RESTORE: ERR: chuser for pam_user attributes failed
Local fix
n/a
Problem summary
If a user has their gecos attibute filled with a description that includes spaces, viosupgrade restoration may report chuser failure.
Problem conclusion
Parsing and handling of gecos user attribute updated to support user descriptions that may have spaces.”