==================================================================
Maintenance for IBM Sterling Connect:Direct FTP Plus Version 1.3.0
==================================================================

This maintenance archive includes module replacements for the C:D FTP+ 1.2.0
code base. It is applicable to C:D FTP+ version 1.3.0, and contains all the
new functionality and fixes described in the C:D FTP+ 1.3.0 Release Notes, as
well as fixes for the issues listed below.

After applying the maintenance, the banner displayed when initiating a
connection to a server will report that your C:D version is 1.3.0.x, where x
is the current Fix Pack. It will also display the date on which the
maintenance was created.

For more information, please refer to the C:D FTP+ 1.3.0 Release Notes.

==========================
iFixes to C:D FTP+ 1.3.0.0
==========================

001) RTC455801 / APAR IT07069    commit date: 11 Feb 2014
--------------------------------------------------------

SSLv3 contains a vulnerability that has been referred to as the Padding
Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).
SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is enabled.

Fix changes the default protocol from SSLv3 to TLS.

002) RTC491210 / APAR IT14195    commit date: 08 Mar 2016
--------------------------------------------------------

Connect:Direct FTP+ (CDFtp+) running on all supported UNIX platforms except
for HP-UX uses IBM® Runtime Environment Java™ Technology Edition, Version
7.0.9. CDFtp+ running on HP-UX PA_RISC uses IBM® Runtime Environment Java™
Technology Edition, Version 6.0.14.

Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates for October 2015, CDFtp+ is vulnerable to:

  CVE-2015-4872: An unspecified vulnerability related to the Security
  component has no confidentiality impact, partial integrity impact, and no
  availability impact.

Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates in January 2016, which include the vulnerability commonly referred
to as "SLOTH", CDFtp+ is vulnerable to:

  CVE-2016-0475: An unspecified vulnerability related to the Libraries
  component has partial confidentiality impact, partial integrity impact,
  and no availability impact.

  CVE-2015-7575: The TLS protocol could allow weaker than expected security
  caused by a collision attack when using the MD5 hash function for signing
  a ServerKeyExchange message during a TLS handshake. An attacker could
  exploit this vulnerability using man-in-the-middle techniques to
  impersonate a TLS server and obtain credentials. This vulnerability is
  commonly referred to as "SLOTH".

Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK
updates for October 2015, CDFtp+ is vulnerable to:

  CVE-2015-4872: An unspecified vulnerability related to the Security
  component has no confidentiality impact, partial integrity impact, and no
  availability impact.

Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK
updates in January 2016, which include the vulnerability commonly referred
to as "SLOTH", CDFtp+ is vulnerable to:

  CVE-2015-7575: The TLS protocol could allow weaker than expected security
  caused by a collision attack when using the MD5 hash function for signing
  a ServerKeyExchange message during a TLS handshake. An attacker could
  exploit this vulnerability using man-in-the-middle techniques to
  impersonate a TLS server and obtain credentials. This vulnerability is
  commonly referred to as "SLOTH".

003) RTC496774 / APAR IT14554    commit date: 31 Mar 2016
--------------------------------------------------------

Connect:Direct FTP+ (CDFtp+) running on HP-UX Itanium uses IBM® Runtime
Environment Java™ Technology Edition, Version 7.0.9. CDFtp+ running on HP-UX
PA_RISC uses IBM® Runtime Environment Java™ Technology Edition, Version
6.0.16.16.

Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates for October 2015, CDFtp+ is vulnerable to:

  CVE-2015-4872: An unspecified vulnerability related to the Security
  component has no confidentiality impact, partial integrity impact, and no
  availability impact.

Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates in January 2016, which include the vulnerability commonly referred
to as "SLOTH", CDFtp+ is vulnerable to:

  CVE-2016-0475: An unspecified vulnerability related to the Libraries
  component has partial confidentiality impact, partial integrity impact,
  and no availability impact.

  CVE-2015-7575: The TLS protocol could allow weaker than expected security
  caused by a collision attack when using the MD5 hash function for signing
  a ServerKeyExchange message during a TLS handshake. An attacker could
  exploit this vulnerability using man-in-the-middle techniques to
  impersonate a TLS server and obtain credentials. This vulnerability is
  commonly referred to as "SLOTH".

Of the issues in JRE 6.0.16.16 that were disclosed as part of the IBM Java
SDK updates in January 2016, CDFtp+ is vulnerable to:

  CVE-2016-0475: An unspecified vulnerability related to the Libraries
  component has partial confidentiality impact, partial integrity impact,
  and no availability impact.