/*******************************************************************************
*
* Copyright © Aricent Holdings Luxembourg S.a.r.l. 2019. All rights reserved.
*
********************************************************************************/

==========================================================
Maintenance for IBM Sterling Connect:Direct for UNIX 4.3.0
==========================================================

This maintenance archive includes module replacements for the C:D UNIX
4.3.0 code base. It is applicable to C:D UNIX version 4.3.0, and contains
all the new functionality and fixes as described in the C:D UNIX 4.3.0
Release Notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance. Individual fixes also
have a new name, Interim Fixes, or iFixes for short. iFixes are numbered
sequentially from one starting with any increment to V, R, M or F. Please
see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D
version is 4.3.0.x, where x is the current Fix Pack. It will also display
the date that the maintenance was created. For more information, please
refer to the C:D UNIX 4.3.0 Release Notes.

=================================================
iFixes listed below apply to C:D for UNIX 4.3.0.0
=================================================

001) RTC523522 / APAR IT18957 commit date: 26 Apr 2018
--------------------------------------------------------
In rare circumstances, a text file sent to a destination file with fixed
block record format on z/OS may be padded with ASCII blanks instead of
EBCDIC.

002) RTC552947 / APAR IT24014 commit date: 30 Apr 2018
--------------------------------------------------------
When Secure+ security mode is disabled, session establishment can be
expected to take less time than when a security mode (FIPS 140-2, for
example) is enabled. However, session establishment with security mode
disabled takes the same amount of time as when enabled. Session
establishment times may also be increased if cdpmgr inherits a large
maximum file descriptor system resource limit.

003) RTC564598 / APAR IT25140 commit date: 24 May 2018
--------------------------------------------------------
Incoming Secure+ session incorrectly allowed when the .Local node has
Secure+ enabled and there is no Secure+ entry for the remote node.

004) RTC561582 / APAR IT24339 commit date: 25 May 2018
--------------------------------------------------------
Copy send performance to C:D z/OS can be degraded when the UNIX source
file sysopts includes "datatype=binary", and the z/OS destination file
record format is VB or FB.

005) RTC561515 commit date: 22 June 2018
------------------------------------------
When alt.comm.outbound is configured on a remote node, traverse the
alt.comm.outbound list on each process retry until we have a successful
connection to the remote node.

006) RTC568699 commit date: 05 July 2018
------------------------------------------
Customization fails with a syntax error during installation of C:D UNIX
4.3 on Solaris.

007) MFT-9886 commit date: 15 Aug 2018
----------------------------------------
Connect:Direct for UNIX Secure+ uses IBM Java Runtime, which is vulnerable
to the following issue:

CVE-2018-2602: An unspecified vulnerability related to the Java SE I18n
component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and low availability impact.

008) MFT-9824 commit date: 16 Aug 2018
----------------------------------------
A process may terminate abruptly with statistics reporting "SMGR
terminated by signal". A known manifestation of this issue is likely to
occur when a run job on a C:D z/OS node is attempted.

009) RTC562386 / APAR IT24362 commit date: 04 Sep 2018
--------------------------------------------------------
Parser error XPAE003I may be generated when submitting a process that has
an snodeid coded with a 'Y' or 'N' character for the password.

010) RTC565352 / APAR IT24904 commit date: 04 Sep 2018
--------------------------------------------------------
There are three possible issues that may occur when sending a text file
to a z/OS destination that uses VB format with LRECL=BLKSIZE+4:

. If the first record is within four bytes of the block size, the
  transfer will fail with an SVSJ045I message.

. If the first record is four bytes or more smaller than the block size,
  and a subsequent record fills an entire block exactly, the z/OS
  destination file will be corrupted.

. If the first record is four bytes or more smaller than the block size,
  and a subsequent record is up to four bytes longer than the maximum
  record size, this error condition will not be detected, and the z/OS
  destination file will be corrupted.

011) RTC567101 / APAR IT24905 commit date: 04 Sep 2018
--------------------------------------------------------
When sending a file to C:D z/OS and specifying the SYSOUT SYSOPTS
parameter, CDU may inappropriately set the destination record format
(RECFM) to VB.

012) RTC564088 / APAR IT25329 commit date: 04 Sep 2018
--------------------------------------------------------
Writes to stdout within a run job or run task may be reflected in C:D UNIX
traces, even after traces are turned off.

013) RTC565959 commit date: 04 Sep 2018
-----------------------------------------
In some circumstances, an attempt to update the .Local node record via the
Secure+ Admin Tool will fail reporting something similar to "Error #6 -
Remote Node file not found."

014) RTC566602 / MFT-9446 / APAR IT26480 commit date: 04 Sep 2018
-------------------------------------------------------------------
On AIX systems, C:D UNIX executables will inappropriately prefer run time
libraries in /usr/vac/lib and /usr/vacpp/lib directories instead of the
standard /usr/lib and /lib directories. The /usr/vac/lib and
/usr/vacpp/lib directories may be populated if an IBM compiler is
installed on the system, for example. If the libraries in /usr/vac/lib and
/usr/vacpp/lib are old or otherwise incompatible with the C:D UNIX
executables, various errors may occur, including XSMG609I, SMGR (pnode)
failed to convert FMH68 to network format.

015) RTC571051 commit date: 04 Sep 2018
-----------------------------------------
In rare circumstances, a process may fail to start, reporting an XSCM006E
error, all users are denied access to CD from the SACL, even though the
Strong Access Control (SACL) directory and file appear to have correct
ownership and permissions set. Enhanced error messages to provide greater
detail when this happens.

016) MFT-9613 / APAR IT26158 commit date: 10 Sep 2018
-------------------------------------------------------
The Connect:Direct for UNIX UI will fail when opening ndmapi.cfg if the
local file system has assigned to the file an inode number greater than
32 bits in size.

017) CDUA-1102 commit date: 16 Aug 2018
-----------------------------------------
An update proxy command issued from a KQV client, such as C:D Browser or
IBM Control Center, may fail indicating "The variable proxy name was out
of bounds", even though the proxy name is valid.

018) MFT-10001 / APAR IT26905 commit date: 14 Nov 2018
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment
Java(TM) (JRE) Versions 8.0.5.15 and 7.0.10.25. These JREs are vulnerable
to the following issues, disclosed as part of the IBM Java SDK updates in
July 2018:

CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the failure to restrict the
use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the
same machine and use Attach API operations to only the process owner. An
attacker could exploit this vulnerability to execute untrusted native code
and gain elevated privileges on the system.

CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling
Framework for Java (DTFJ) does not protect against path traversal attacks
when extracting compressed dump files.

019) MFT-9969 / APAR IT27224 commit date: 07 Dec 2018
-------------------------------------------------------
Using the Amazon S3 file IO exit to receive a zero byte file fails,
reporting message FIOX044E.

020) MFT-9996 / APAR IT27673 commit date: 09 Jan 2019
------------------------------------------------------
A backup created when running the interactive script may incur permission
errors when writing to the installation directory's parent folder.
Instead, create the backup in the installation directory.

021) MFT-10047 / APAR IT27442 commit date: 10 Jan 2019
--------------------------------------------------------
When upgrading a C:D UNIX node with an existing keystore, a keystore
password is not required. However, the automated install script,
cdinstall_a, fails reporting CDAI003E when the cdai_installCmd is set to
"upgrade" and no cdai_keystorePassword parameter is coded.

022) MFT-9526 / APAR IT26469 commit date: 14 Jan 2019
-------------------------------------------------------
To run C:D UNIX on Solaris 10 requires Update 10 or greater.
Updates may be applied as a full release or as a patchset. cdinstall
correctly recognizes a full release Update, but wasn't recognizing a
patchset update and failed the install.

023) MFT-10026 / APAR IT27933 commit date: 30 Jan 2019
--------------------------------------------------------
After installing or upgrading to C:D UNIX 4.3.0.0.iFix018, the banners of
the Secure+ administration tools, SPAdmin and SPCli, refer to C:D UNIX
4.2.0.4.

024) MFT-9523 / APAR IT26470 commit date: 04 Feb 2019
-------------------------------------------------------
Control Center not reading CDU Secure+ presence correctly.

025) MFT-10143 / APAR IT28061 commit date: 12 Feb 2019
-------------------------------------------------------
A proxy update issued by a KQV client does not complete successfully if
the user name or node name contains a period.

026) MFT-9917 / APAR IT27019 commit date: 13 Feb 2019
-------------------------------------------------------
An ICC select process command submitted to C:D UNIX may occasionally fail
with CNCD058E message.

027) MFT-9967 / APAR IT26865 commit date: 07 Mar 2019
-------------------------------------------------------
CD UNIX may allow a user with sudo access restricted to certain CD UNIX
executable files to expand access beyond the restriction, as indicated in
the following issue:

CVE-2018-1903: IBM Sterling Connect:Direct for UNIX could allow a user
with restricted sudo access on a system to manipulate CD UNIX to gain full
sudo access.

028) MFT-10116 / APAR IT27777 commit date: 20 Mar 2019
--------------------------------------------------------
A COPY to the local destination file /dev/null fails with error XSQF006I,
feedback code 22.

029) MFT-10016 / APAR IT28408 commit date: 25 Mar 2019
-------------------------------------------------------
Transfer rate to AWS S3 needs improvement.
This fix also adds support for direct access to S3 from an on-premises
node.

The following new properties are available and can be used in the
initparm.cfg file or sysopts:

s3.endPointUrl      IP or hostname to access S3 services.
                    Amazon S3 endpoint is the default.
                    Example: s3.endpointUrl=my.s3provider.com

s3.endPointPort     Port to use if any. No default value.
                    Example: s3.endpointPort=8080

s3.endPointSecure   Secure or non secure access. HTTPS or HTTP requests.
                    YES is the default.
                    Example: s3.endpointSecure=NO

s3.profilePath      Credential file to use.
                    Amazon credentials search order is the default.
                    Example: s3.profilePath='/opt/some path/credentials'

s3.profileName      Profile name to use from credential file.
                    Default is the Amazon S3 default, [default].
                    Example: s3.profileName=otherprofile

s3.executorQueue    Parallel transfer upload queue size. Default is 5.

s3.executorMinPool  Parallel upload. Initial number of transfer upload
                    threads to use. Default is 10.

s3.executorMaxPool  Parallel upload. Maximum number of transfer upload
                    threads to use. Default is 30.
                    Max value is AmazonS3 max connections (50).

030) MFT-10212 / APAR IT28704 commit date: 10 Apr 2019
--------------------------------------------------------
A protocol violation and session failure occur after a remote RUNTASK step
executed in C:D UNIX fails due to a user permissions error.

031) MFT-9971 / APAR IT28761 commit date: 12 Apr 2019
-------------------------------------------------------
In the statistics log entry recording maximum achieved parallel sessions
(RECI=SCNT), the LCNT001I message text does not display the maximum
sessions or time achieved.

032) MFT-4757 / APAR IT28892 commit date: 24 Apr 2019
-------------------------------------------------------
Restarted copy steps fail with XCPR011I if the snode was cold started
(work directory cleared) between the initial session and the restarted
session.

033) MFT-10273 / APAR IT28898 commit date: 25 Apr 2019
-------------------------------------------------------
Restarted copy steps fail with XCPR011I if the destination file was
deleted between the initial session and the restarted session.

034) CDUA-1399 commit date: 16 May 2019
-----------------------------------------
snode work directory file names are not unique enough for high stress
scenarios.

035) CDUA-1429 commit date: 06 May 2019
-----------------------------------------
cfgcheck takes a lot of time to validate thousands of netmap entries.

036) MFT-9588 / APAR IT26481 commit date: 22 May 2019
-------------------------------------------------------
In rare circumstances, a process may fail to start, reporting an XSCM006E
error, all users are denied access to CD from the SACL, even though the
Strong Access Control (SACL) directory and file appear to have correct
ownership and permissions set.

037) MFT-10147 / APAR IT29097 commit date: 22 May 2019
--------------------------------------------------------
When multiple copy processes are in session to a C:D snode running in a
load balanced cluster and that node is abruptly killed, the pnode will
restart the processes and the copies will complete successfully on another
snode in the cluster. However, in rare cases, the copy termination record
of some of the restarted processes is not logged on the snode side, and
temporary work files may be left in the shared snode work directory.

038) MFT-10282 / APAR IT29243 commit date: 24 May 2019
-------------------------------------------------------
During FASP transfer at Pnode, API command select process with details
times out.

039) MFT-10277 / APAR IT28732 commit date: 28 May 2019
-------------------------------------------------------
Supersedes MFT-9969 (IT27224).
Using the Amazon S3 file IO exit to receive a zero byte file fails,
reporting message FIOX044E.

040) MFT-10328 commit date: 28 May 2019
-----------------------------------------
AWS S3 Messages too long for statistics

041) CDUA-1448 commit date: 28 May 2019
-----------------------------------------
S3 Write checkpoint functionality broken

042) MFT-10389 / APAR IT29296 commit date: 29 May 2019
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment
Java(TM) (JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30. These JREs are
vulnerable to the following issues, disclosed as part of the IBM Java SDK
updates in January 2019:

CVE-2018-12547: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused
by improper bounds checking by the jio_snprintf() and jio_vsnprintf()
functions. By sending an overly long argument, a remote attacker could
overflow a buffer and execute arbitrary code on the system or cause the
application to crash.

CVE-2018-1890: IBM SDK, Java Technology Edition Version 8 on the AIX
platform uses absolute RPATHs which may facilitate code injection and
privilege elevation by local users.

043) CDUA-1520 commit date: 30 May 2019
-----------------------------------------
Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling
Connect:Direct File Agent (CVE-2018-1890, CVE-2018-12547), which is
bundled with Connect:Direct for UNIX. Also, the File Agent installer may
fail on some UNIX systems with error "Installer User Interface Mode Not
Supported".

044) CDUA-1542 / APAR IT29487 commit date: 20 Jun 2019
--------------------------------------------------------
A restarted process may log an inappropriate XSQF009I message referring to
a file that ends with ".savedCTRstatLog". Also, the direct CLI output of a
detailed select statistics command may include a message id and a Short
Text description of the message. The Short Text description might be
truncated if the text is very long.

Note: It's remotely possible that a restarted process may fail on the
snode side with an XSMG235I or XSMG239I message that refers to a file
ending with .savedCTRstatLog. This indicates that there may be a copy step
of the indicated process that is missing its CTRC record on the snode
side. If the user investigates and determines the CTRC record is logged,
or is not necessary, then they may get past these errors by removing the
indicated file that ends with .savedCTRstatLog and then releasing the
process again.

045) CDUA-1529 commit date: 21 Jun 2019
----------------------------------------
cfgcheck does not accept more than one file.ioexit entry in initparm.cfg.

046) MFT-10416 commit date: 03 Jul 2019
----------------------------------------
On some systems, cdpmgr may fail to start, reporting an XRIA010I message.
cfgcheck may also report the same error attempting to validate
configuration files.

047) MFT-10398 / APAR IT29723 commit date: 15 Jul 2019
--------------------------------------------------------
A CD Plex redirection is logged with SCPA007I, RC=8. The completion code
has been changed to RC=0.

048) CDUA-1611 commit date: 26 Jul 2019
---------------------------------------
SPAFileWriteException on spcli.sh stat() when fully qualified directory
name is provided.

049) MFT-6817 / APAR IT09719 commit date: 08 Aug 2019
-------------------------------------------------------
During certain stress situations, cdpmgr may become unresponsive for some
minutes. During this time, select statistics will show multiple XLKL004I
messages in sequence.

050) MFT-10391 / APAR IT29954 commit date: 09 Aug 2019
--------------------------------------------------------
IBM License Metric Tool (ILMT) fails to discover CD UNIX because the ILMT
tag file extension is incorrect.

051) CDUA-1690 commit date: 23 Aug 2019
--------------------------------------------------------
Added support in CD UNIX for Control Center Director and License
governance.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 4.3.0.1

NOTICE: Previous maintenance packages delivered on Fix Central consisted
of compressed CPIO files. After a downloaded CPIO file was uncompressed,
the installation scripts would then need to be extracted from it in order
to apply the maintenance. All future maintenance, including this Fix Pack,
will be packaged as uncompressed tar balls containing the uncompressed
CPIO installation file and the installation scripts. Please refer to the
Maintenance Installation Instructions that accompany maintenance downloads
for more details.
-----------------------------------------------------------