========================================================= Maintenance for IBM Connect:Direct FTP Plus Version 1.3.0 ========================================================= This maintenance archive includes module replacements for the C:D FTP+ 1.2.0 code base. It is applicable to C:D FTP+ version 1.3.0, and contains all the new functionality and fixes as described in the C:D FTP+ 1.3.0 Release notes, as well as fixes for the issues listed below. After applying the maintenance, the banner displayed when initiating a connection to a server will report that your C:D version is 1.3.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created. For more information, please refer to the C:D FTP+ 1.3.0 Release Notes. ========================== iFixes to C:D FTP+ 1.3.0.0 ========================== 001) RTC455801 / APAR IT07069 commit date: 11 Feb 2014 -------------------------------------------------------- SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566). SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is enabled. Fix changes the default protocol from SSLv3 to TLS. 002) RTC491210 / APAR IT14195 commit date: 08 Mar 2016 -------------------------------------------------------- Connect:Direct FTP+ (CDFtp+) running on all supported UNIX platforms except for HP-UX uses IBM® Runtime Environment Java™ Technology Edition, Version 7.0.9. CDFtp+ running on HP-UX PA_RISC uses IBM® Runtime Environment Java™ Technology Edition, Version 6.0.14. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates for October 2015, CDFtp+ is vulnerable to: CVE-2015-4872: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”, CDFtp+ is vulnerable to: CVE-2016-0475: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”. Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK updates for October 2015, CDFtp+ is vulnerable to: CVE-2015-4872: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”, CDFtp+ is vulnerable to: CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”. 003) RTC496774 / APAR IT14554 commit date: 31 Mar 2016 -------------------------------------------------------- Connect:Direct FTP+ (CDFtp+) running on HP-UX Itanium uses IBM® Runtime Environment Java™ Technology Edition, Version 7.0.9. CDFtp+ running on HP- UX PA_RISC uses IBM® Runtime Environment Java™ Technology Edition, Version 6.0.16.16. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates for October 2015, CDFtp+ is vulnerable to: CVE-2015-4872: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”, CDFtp+ is vulnerable to: CVE-2016-0475: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”. Of the issues in JRE 6.0.16.16 that were disclosed as part of the IBM Java SDK updates in January 2016, CDFtp+ is vulnerable to: CVE-2016-0475: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 004) RTC503673 / APAR IT15845 commit date: 23 Jun 2016 -------------------------------------------------------- Connect:Direct FTP+ uses Flexera InstallAnywhere, which is vulnerable to the following issue: CVE-2016-4560: Flexera InstallAnywhere could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system. 005) RTC518198 / APAR IT17607 commit date: 19 Oct 2016 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM® Runtime Environment Java™ (JRE) Version 7.0.9.30 (6.0.16.20 on the HP-UX PA_RISC platform). These JREs are vulnerable to the following issue, disclosed as part of the IBM Java SDK updates in April 2016: CVE-2016-3426: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. 006) RTC539217 / APAR IT20756 commit date: 24 May 2017 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM® Runtime Environment Java™ (JRE) Version 7.0.9.50 (6.0.16.30 on the HP-UX PA_RISC platform). These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in January 2017: CVE-2016-5546: An unspecified vulnerability related to the Libraries component has no confidentiality impact, high integrity impact, and no availability impact. CVE-2016-5548: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2016-5549: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2016-5547: An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2016-5552: An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. CVE-2016-2183: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the- middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack. NOTICE: This is the last release to be published for C:D FTP+ 1.3.0 for HP-UX PA_RISC. In the future, releases for this platform will be available on demand only from Customer Support. 007) RTC546237 / APAR IT21636 commit date: 30 Jul 2017 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses jzlib version 1.1.3. This jzlib version is vulnerable to the following issues: CVE-2016-9840: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9841: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9842: zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9843: zlib is vulnerable to a denial of service, caused by a big- endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 008) RTC552784 / APAR IT22755 commit date: 12 Oct 2017 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM® Runtime Environment Java™ (JRE) Version 7.0.10.1 (6.0.16.41 on the HP-UX PA_RISC platform). These JREs are vulnerable to the following issue, disclosed as part of the IBM Java SDK updates in January 2017: CVE-2017-10115: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2017-10116: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system. 009) RTC569886 commit date: 01 Jun 2018 ----------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM® Runtime Environment Java™ (JRE) Version 7.0.10.10. This JRE is vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in January and April 2018: CVE-2018-2633: An unspecified vulnerability related to the Java SE JNDI component could allow an unauthenticated attacker to take control of the system. CVE-2018-2603: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2018-2579: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVE-2018-2618: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2018-2602: An unspecified vulnerability related to the Java SE I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. CVE-2018-2783: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact. 010) MFT-10002 / APAR IT26935 commit date: 08 Nov 2018 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM® Runtime Environment Java™ (JRE) Versions 8.0.5.16, 8.0.5.15, and 7.0.10.25. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in July 2018: CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files.