========================================================== Maintenance for IBM Sterling Connect:Direct for UNIX 4.2.0 ========================================================== This maintenance archive includes module replacements for the C:D UNIX 4.2.0 code base. It is applicable to C:D UNIX version 4.2.0, and contains all the new functionality and fixes as described in the C:D UNIX 4.2.0 Release notes, as well as fixes for the issues listed below. This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance. Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology. After applying the maintenance, the CLI banner will report that your C:D version is 4.2.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created. For more information, please refer to the C:D UNIX 4.2.0 Release Notes. ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.0 ================================================= 001) RTC425410 / APAR IT01935 / CVE-2014-0963 commit date: 12 May 2014 ------------------------------------------------------------------------ Vulnerability related to Record Processing in TLS 1.0 and later which can result in high CPU Utilization that requires a system reboot to resolve. 002) RTC423150 commit date: 13 May 2014 ----------------------------------------- Inappropriate CSPA204E written to statistics when Sterling Contol Center Secure Connection settings are changed. 003) RTC423881 / APAR IT01701 commit date: 23 May 2014 -------------------------------------------------------- z/OS file allocation attributes specified in a type defaults file (typekey) may not be honored. Copy step may also fail with errors similar to SVSJ032I. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.1 ----------------------------------------------------------- ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.1 ================================================= 001) RTC428811 / APAR IT02517 commit date: 12 Jun 2014 -------------------------------------------------------- cdpmgr fails to start, reporting "Secure+ library installation corrupted", after upgrading from a previous CDU version without Secure+ installed. 002) RFE 401559 (ID 40797) / APAR IT03451 commit date: 01 Aug 2014 -------------------------------------------------------------------- Simple clicking OK button in CD Secure+ Admin tool, without changing any value is updating the node's record file. 003) RTC432516 / APAR IT03523 commit date: 01 Aug 2014 -------------------------------------------------------- On some Linux systems, CDU 4.2.0 may fail to start, reporting an exception that indicates "libgsk8cms.so: cannot open shared object file: No such file or directory". 004) RTC102568 / APAR IT03815 commit date: 19 Aug 2014 -------------------------------------------------------- An interrupted snode process goes into WAIT/WS state until pnode resumes the process. If pnode never resumes the process, the snode process will remain in the TCQ in WAIT/WS indefinitely. Fix adds a new parameter to the tcq record of the initparm.cfg, ckpt.max.age. This parameter specifies the number of days that an snode process will remain in WAIT/WS state waiting for the pnode to resume the process before it is automatically deleted. The default value is 8. 005) RTC433169 / APAR IT04106 commit date: 04 Sep 2014 -------------------------------------------------------- If a connection attempt to a remote node failed for some reason, the session start statistics record (SSTR) would log a completion code (CC) of 0, improperly indicating that the session attempt succeeded. 006) RTC436256 / APAR IT04446 commit date: 17 Sep 2014 -------------------------------------------------------- Added millisecond time resolution to some of the existing time stamps saved in statistics logs, such as "Stat log record time" (STAR), "Start time of event" (STRT) and "Stop time of the event" (STPT). The CLI will only display the added resolution for select statistics with detail=yes. API clients can choose whether or not to display the added resolution. 007) RTC448795 / APAR IT05619 commit date: 18 Nov 2014 -------------------------------------------------------- The SSLv3 protocol contains a number of weaknesses including POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566). IBM Sterling Connect:Direct (CD) for UNIX is therefore also vulnerable when the SSLv3 protocol is used. When CD for UNIX is operating as the SSL server (snode in CD terms) and is configured for TLS connections, and a CD operating as the SSL client (pnode in CD terms) attempts an SSLv3 connection, it's possible that CD for UNIX will allow the connection to be made and negotiated to SSLv3. Fix prevents the possible negotiation to SSLv3 when TLS is configured. NOTICE: SSLv3 is an obsolete and insecure protocol. IBM recommends to use the TLS protocol instead. To fully disable SSLv3 and use TLS instead, ensure that all secure connections are configured to 'Enable TLS Protocol' and 'Disable Override'. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.2 ----------------------------------------------------------- ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.2 ================================================= 001) RTC442224 / APAR IT04683 commit date: 19 Dec 2014 -------------------------------------------------------- In some circumstances, CDU will mistake a new incoming process for a restarted process, generating an XSMG251I message and process failure. 002) RTC442941 / APAR IT05409 commit date: 19 Dec 2014 -------------------------------------------------------- In some circumstances, CDU will inappropriately synchronize a new incoming run task process with a previously interrupted run task process, and immediately return the status of the interrupted process with an XSMG417I message instead of running the new task. 003) RTC443927 / APAR IT04686 commit date: 19 Dec 2014 -------------------------------------------------------- When C:D is doing work, temporary files are created in the {C:D UNIX installation directory}/work/{C:D UNIX node name} directory. After certain error scenarios, some of these temporary files are not removed. 004) RTC451495 / APAR IT06191 commit date: 05 Jan 2015 -------------------------------------------------------- CVE-2014-8730, a Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack, affects Sterling Connect:Direct for UNIX. 005) RTC453918 / APAR IT06994 commit date: 21 Jan 2015 -------------------------------------------------------- FASP transfers use port 33001 on the snode side, no matter which fasp record listen ports are configured in the snode initparm.cfg file. 006) RTC454367 / APAR IT06869 commit date: 05 Feb 2015 -------------------------------------------------------- A client which has submitted a maxdelay process that lasts longer than one minute may get an error return code with message XCMM044I returned after exactly one minute. 007) RTC418516 / APAR IT02062 commit date: 06 Feb 2015 -------------------------------------------------------- The first several characters of the file name specification are cut off when received by 64 bit File Open Exits on Linux or Solaris x86 platforms. WARNING: All File Open Exits, including 32 bit versions, must be recompiled after applying this fix. 008) RTC456414 commit date: 13 Feb 2015 ----------------------------------------- Added a PMR Stamper and Data Collector utility, which automates gathering diagnostic information about Connect:Direct for UNIX and optionally sends it to IBM Support. Execute "{C:D UNIX installation directory}/etc/CD_Data_Collector --help" to see usage details. 009) RTC452436 / APAR IT07136 commit date: 17 Feb 2015 -------------------------------------------------------- Automated upgrade to C:D UNIX 4.2.0 from versions previous to 4.2.0 fails with error message CDAI015E. 010) RTC392436 / APAR IT03077 commit date: 17 Feb 2015 -------------------------------------------------------- An upgrade command performed by the automated installation script (cdinstall_a) will fail if pre-existing configuration files don't pass the configuration check, or if the sample.cd process fails to complete successfully, even when the configuration errors or sample.cd operation failure is considered tolerable. Fix adds a variable to cdinstall_a called cdai_verifyUpgrade. This variable allows users to choose whether to verify an upgrade or not. Valid values are "y" (the default) and "n". 011) RTC457220 / APAR IT07339 commit date: 24 Feb 2015 -------------------------------------------------------- A wildcard copy with the source specification on AIX may occasionally fail to find any files matching the wildcard pattern when matching files in fact exist. 012) RTC456767 / APAR IT07359 commit date: 25 Feb 2015 -------------------------------------------------------- CDU 4.2.0 automated installation script (cdinstall_a) doesn't process the cdai_localCertFile parameter or other certificates located in the deployment directory. 013) RTC431679 / APAR IT03078 commit date: 27 Feb 2015 -------------------------------------------------------- The automated installation script, cdinstall_a, doesn't provide an option to deploy a custom keystore file or a custom label for the deployed keycert file. Fix adds and describes three new optional variables, cdai_keystoreFile, cdai_keystorePassword, and cdai_localCertLabel, that allow users to deploy a custom keystore file and specify the keycert label to be used in basic Secure+ configurations. If cdai_keystoreFile and cdai_keystorePassword are specified, then the automated installation will use this file as the keystore file. If they are not specified, then the automated installation procedure will use the default keystore file that is created during the installation. In either case, the keystore file will be customized by adding the certificate portion of the deployed keycert file and any other deployed certificates to it. If cdai_localCertLabel is specified, the specification will be used to label the keycert for use in basic Secure+ configurations. If it is not specified, a default label will be used. 014) RTC423131 / APAR IT02518 commit date: 06 Mar 2015 -------------------------------------------------------- An XPAE003I message is generated for a select statistics command issued with a destfile or srcfile parameter value enclosed in double quotes, which are required if the value contains spaces, equal signs or other reserved characters. 015) RTC433224 / APAR IT03227 commit date: 06 Mar 2015 -------------------------------------------------------- The fsync.after.receive initparm option, used to make sure files written and closed by C:D on an NFS destination are immediately ready for processing, doesn't detect when the NFS resource is out of space. Note, the fix for this issue changes the fsync.after.receive default value to "Y". 016) RTC457537 / APAR IT07855 commit date: 20 Mar 2015 -------------------------------------------------------- When a very old version of Global Security Kit Version 8 (GSKit 8) is installed globally on a system, C:D UNIX 4.2.0 installations may fail, producing a Java core dump and reporting that "The Initialize Secure+ operation failed." If upgrading from a previous version of C:D UNIX, the Java core dump will be followed by a message reporting that "The ReKey Parmfile Secure+ operation failed." 017) RTC460297 / APAR IT07894 commit date: 23 Mar 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ Option uses IBM Java Runtime, which is vulnerable to the following issues: CVE-2014-3065: IBM Java SDK contains a vulnerability in which the default configuration for the shared classes feature potentially allows arbitrary code to be injected into the shared classes cache, which may subsequently be executed by other local users. CVE-2014-6468: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact. 018) RTC460318 / APAR IT07931 commit date: 24 Mar 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ Option uses GSKit, which is vulnerable to the following issues: CVE-2015-0138: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. CVE-2015-0159: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. 019) RTC454740 / APAR IT08220 commit date: 10 Apr 2015 -------------------------------------------------------- In the copy termination statistics record, process name, process number and snode name fields are duplicated. 020) RTC462260 / APAR IT08276 commit date: 13 Apr 2015 -------------------------------------------------------- CBC ciphers are vulnerable to CVE-2011-3389 (BEAST Attack). Previous recommendation to mitigate CVE-2011-3389 was to not use CBC ciphers. RC4 ciphers are vulnerable to CVE-2015-2808 (Bar Mitzvah Attack). Current recommendation to mitigate CVE-2015-2808 is to discontinue use of RC4 ciphers. However, the remaining available ciphers are generally CBC ciphers. Accordingly, code is fixed to mitigate CVE-2011-3389. Note: Connect:Direct for UNIX by default disables the RC4 stream cipher. If you enabled the RC4 stream cipher you are exposed to the RC4 "Bar Mitzvah" Attack for SSL/TLS. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 021) RTC456648 / APAR IT08514 commit date: 23 Apr 2015 -------------------------------------------------------- After upgrading to C:D UNIX 4.2.0 from a previous version, some clients, such as Sterling Control Center or Sterling Connect:Direct Browser, may generate errors processing a select statistics command. Possible errors include "CCTR035E Failed to connect to server" or "KQVString.parse() detected data problem...." 022) RTC456874 / APAR IT08958 commit date: 19 May 2015 -------------------------------------------------------- After a system reboot, cdpmgr may fail to start, reporting XPMD006I message. 023) RTC462223 / APAR IT08954 commit date: 28 May 2015 -------------------------------------------------------- CDU nodes configured to run behind a load balancer will have the same node name. When these nodes act as pnodes and initiate processes to the same snode at the same time, it's possible that the snode will not be able to distinguish between the processes, generating XLKL004I messages and possibly corrupting the TCQ. Fix adds a new parameter to the ndm.node initparm record called instance.id. The parameter value is initialized with a universally unique identifier (UUID). 024) RTC461501 / APAR IT08385 commit date: 04 Jun 2015 -------------------------------------------------------- cdver executed without argument may not display the product version. Issue may also manifest during installation or upgrade procedures as "unary operator expected" errors. 025) RTC469550 / APAR IT09564 commit date: 22 Jun 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ and File Agent Options use IBM Java Runtime, which is vulnerable to the following issue on HP-UX and Solaris platforms: CVE-2015-0383: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. 026) RTC458884 / APAR IT09904 commit date: 07 Jul 2015 -------------------------------------------------------- cdpmgr may occasionally crash. The crash is more likely when cdpmgr is idle. A possible symptom of the issue is the Session Count statistics records (RECI=SCNT) logged with either negative or unrealistically large positive values indicated. 027) RTC462479 / APAR IT10090 commit date: 10 Jul 2015 -------------------------------------------------------- Connect:Direct for UNIX did not report snodeid value utilized. 028) RTC463108 / APAR IT10120 commit date: 16 Jul 2015 -------------------------------------------------------- A process copy step sending to an invalid destination, such as a nonexistent path, will log an XCPS003I on the source side and then XIPT016I and go into TIMER/RETRY. On the destination side, an XCPR010I is logged and then "SMGR terminated by signal 11". 029) RTC470882 / APAR IT10377 commit date: 28 Jul 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ will fail to send data when the negotiated RU size is less than 16K on systems that use the SSL BEAST mitigation. The error is "The SSL library failed, reason=SSL_write failed Message ID CSPA309E". The issue occurs between nodes where an older version of Secure+ is used, that does not support buffer sizes larger than 16K for SSL sessions. 030) RTC471695 / APAR IT10717 commit date: 31 Jul 2015 ------------------------------------------------------- Connect:Direct API commands over a secure connection fail after upgrading the JRE in Connect:Direct Browser, Sterling Control Center or other application using the Application Interface for Java (AIJ). 031) RTC438326 / APAR IT04205 commit date: 14 Aug 2015 -------------------------------------------------------- On occasion, the statistics archive utility won't run on a day when it should run, causing two days worth of statistics log files to be contained in the archive file when it runs the next day. 032) RTC474638 / APAR IT10817 commit date: 20 Aug 2015 -------------------------------------------------------- Copy receive performance from C:D Z/OS can be degraded when the UNIX destination file sysopts includes "datatype=binary", and the Z/OS source file record format is VB or FB. 033) RTC445816 / APAR IT06148 commit date: 09 Jan 2015 -------------------------------------------------------- A fresh C:D install will include the unused "syslog.logd" initparm. 034) RTC448618 / APAR IT06145 commit date: 15 Dec 2014 -------------------------------------------------------- Under specific stress situations, "direct" will trigger a segmentation fault. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.3 ----------------------------------------------------------- C:D for UNIX 4.2.0.3 adds support for FASP (Fast and Secure Protocol). FASP is supported on Linux and AIX platforms only. See the Hardware and Software Requirements section of the Sterling Connect:Direct for UNIX 4.2.0 Release Notes for specific information regarding support for FASP. FASP requires a license key for use. Download the license key from Passport Advantage when you download the fix pack. Note 1: If you previously downloaded a licence key for UNIX V4.2.0.2, you must download the new license key for 4.2.0.3 to continue using FASP. Your old license key will not work with the new fix pack. Note 2: If you are installing Sterling Connect:Direct for UNIX V4.2.0.3 using the Automated Install method, you must also update your options file with the new cdai_asperaLicenseFile parameter to support FASP. Set the parameter value to . Alternatively the value may be specified on the command line with --asperaLicenseFile. ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.3 ================================================= 001) RTC452439 / APAR IT06692 commit date: 18 Sep 2015 -------------------------------------------------------- After a process is submitted that refers to a netmap entry with comm.transport equal to tcp or udt33 and that has two or more comm.info specifications, which is an invalid configuration, further process submissions that refer to other valid netmap entries will not run and stay in WAIT/WC state. 002) RTC477087 / APAR IT11383 commit date: 22 Sep 2015 -------------------------------------------------------- When viewing a detailed copy termination record (CTRC) of a secure copy step in the CLI, the Security Mode value might be truncated. 003) RTC457011 commit date: 23 Sep 2015 ----------------------------------------- Messages XCMM028I and XTRA000I missing from msgfile.cfg. 004) RTC458466 / APAR IT09079 commit date: 24 Sep 2015 -------------------------------------------------------- Statistics archive script failure messages are not captured and displayed in the XSTA004E message. 005) RTC476357 / APAR IT11308 commit date: 26 Oct 2015 -------------------------------------------------------- The tcp.max.time.to.wait and runstep.max.time.to.wait parameters may not be honored during process execution if a client issues repetitive select process detail=yes commands while the process is executing. This would be the case if the C:D node is monitored by Control Center, for example. 006) RTC478504 / APAR IT11951 commit date: 26 Oct 2015 -------------------------------------------------------- cdpmgr responsiveness can be degraded when installed on a slow file system due to increased time needed to log stat records. XSTL005W and XSTL006W messages to warn when increased time is needed to log stat records. There was also a minor inefficiency in cdstatm that may begin occurring the day after cdpmgr is initialized. 007) RTC480733 / APAR IT11978 commit date: 27 Oct 2015 -------------------------------------------------------- An OpenSSL denial of service vulnerability disclosed by the OpenSSL Project affects GSKit. Connect:Direct for UNIX Secure+ Option uses GSKit and is vulnerable to the following issue: CVE-2015-1788: OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. 008) RTC483784 / APAR IT12356 commit date: 20 Nov 2015 -------------------------------------------------------- XSQF006I error generated when a copy step destination uses pipe I/O, and fsync.after.receive initparm is set to 'y'. 009) RTC482534 / APAR IT12247 commit date: 09 Dec 2015 -------------------------------------------------------- Added support for new C:D Java Application Interface (CDJAI) Secure+ commands. Refer to the CDJAI documentation for further information. The SPCli "Delete KeyStoreEntry" and "Import KeyCert" commands were also enhanced. See the SPCli help command for details. 010) RTC483171 / APAR IT12761 commit date: 15 Dec 2015 -------------------------------------------------------- Secure+ install script may hang after indicating "Initializing the Secure+ Parmfile." 011) RTC483323 / APAR IT12844 commit date: 17 Dec 2015 -------------------------------------------------------- Statistics log file archive script fails to capture log files with extensions greater than three digits. 012) RTC484160 / APAR IT12867 commit date: 18 Dec 2015 -------------------------------------------------------- In a high stress scenario where an snode has less session capacity than the pnode, some processes may become stuck in the TIMER queue and require a manual release. 013) RTC487482 / APAR IT12868 commit date: 18 Dec 2015 -------------------------------------------------------- When analyzing stat logs that capture a high load scenario, it can be difficult to identify all stat records logged by a particular ndmsmgr process. Fix adds a new stat log field called OSID. OSID value is set to the UNIX pid of the process that logged it. 014) RTC489332 / APAR IT13232 commit date: 18 Jan 2016 -------------------------------------------------------- Connect:Direct for UNIX Secure+ Option uses GSKit, which is vulnerable to the following issue: CVE-2016-0201: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials. 015) RTC462517 / APAR IT13623 commit date: 04 Feb 2016 -------------------------------------------------------- A long running ndmsmgr doing a series of run job steps may eventually begin producing erratic results. This scenario might come about if there are many processes stacked up in the TCQ for an adjacent node that only allows one or two sessions. In this case ndmsmgr would likely piggy back the stacked processes one after another. One example of the possible erratic results involves CDU sending a series of processes to CDW that include a binary copy step and a run job step. The copy steps may eventually begin to fail with CDW reporting LCPR001I, "record length in comm buffer bigger than IO buffer size." 016) RTC490329 / APAR IT13627 commit date: 04 Feb 2016 -------------------------------------------------------- On Linux and AIX platforms, a long running ndmsmgr performing many copy steps will consume an increasing amount of system memory. 017) RTC486767 / APAR IT13996 commit date: 25 Feb 2016 -------------------------------------------------------- Processes may be coded with an snode that will invoke a Secure+ alias node when a session is attempted. In some cases, these secure session attempts can fail, reporting a CSPA201E message with reason text indicating "error setting ciphers". 018) RTC476574 / APAR IT14034 commit date: 29 Feb 2016 -------------------------------------------------------- If the cdpmgr process is killed while C:D processes are being executed, when cdpmgr is restarted, these processes may fail, reporting XSQF009I referring to a temporary work file in the C:D work directory, and XSMG405I. 019) RTC490759 / APAR IT14056 commit date: 01 Mar 2016 -------------------------------------------------------- tcp.max.time.to.wait and runstep.max.time.to.wait parameters are not honored if smgr tracing is turned on. 020) RTC494236 / APAR IT14215 commit date: 10 Mar 2016 -------------------------------------------------------- Processes submitted with a start time specified (startt parameter) may not run as scheduled. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.4 -----------------------------------------------------------