=================================================
Maintenance for IBM Connect:Direct for UNIX 6.0.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX
6.0.0 code base. It is applicable to C:D UNIX version 6.0.0, and
contains all the new functionality and fixes as described in the C:D
UNIX 6.0.0 Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for
short. iFixes are numbered sequentially from one starting with any
increment to V, R, M or F. Please see IBM's website for further details
regarding this methodology.

After applying the maintenance, the CLI banner will report that your
C:D version is 6.0.0.x, where x is the current Fix Pack. It will also
display the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.0.0 Release Notes.

=================================================
iFixes listed below apply to C:D for UNIX 6.0.0.0
=================================================

001) MFT-10001 / APAR IT26905 commit date: 16 Nov 2018
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment
Java(TM) (JRE) Versions 8.0.5.15 and 7.0.10.25.
These JREs are vulnerable to the following issues, disclosed as part of
the IBM Java SDK updates in July 2018:

CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the failure to restrict
the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM
on the same machine and use Attach API operations to only the process
owner. An attacker could exploit this vulnerability to execute
untrusted native code and gain elevated privileges on the system.

CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling
Framework for Java (DTFJ) does not protect against path traversal
attacks when extracting compressed dump files.

002) CDUA-1234 commit date: 10 Dec 2018
-----------------------------------------
Trace file names having an absolute path are set correctly for
PMGR/CMGR/SMGR.

003) CDUA-1235 commit date: 24 Dec 2018
-----------------------------------------
The delete operation on a Secure+ remote node whose alias node name
contains an upper case letter returns error code SPCG270E.

004) MFT-10047 / APAR IT27442 commit date: 11 Jan 2019
--------------------------------------------------------
When upgrading a C:D UNIX node with an existing keystore, a keystore
password is not required. However, the automated install script,
cdinstall_a, fails reporting CDAI003E when the cdai_installCmd is set
to "upgrade" and no cdai_keystorePassword parameter is coded.

005) CDUA-1287/CDUA-1291 commit date: 15 Jan 2019
---------------------------------------------------
CDUA-1287 - A cfgcheck crash is observed. Due to the cfgcheck crash,
the silent installation/upgrade procedure fails with rc=22.

CDUA-1291 - A cdpmgr crash is observed if the process is started as
root. The process runs normally with a user account.

006) CDUA-1296 commit date: 16 Jan 2019
-----------------------------------------
Not able to restore from 6.0 to 4.3 by taking backup manually on
Solaris.

007) CDUA-1292 commit date: 17 Jan 2019
-----------------------------------------
When an upgrade with the silent installer fails, the service which was
up before the upgrade is not up after the auto restore of the C:D UNIX
node.

008) MFT-9526 / APAR IT26469 commit date: 23 Jan 2019
-------------------------------------------------------
To run C:D UNIX on Solaris 10 requires Update 10 or greater. Updates
may be applied as a full release or as a patchset. cdinstall correctly
recognizes a full release Update, but wasn't recognizing a patchset
update and failed the install.

009) CDUA-1295 commit date: 25 Jan 2019
-----------------------------------------
When upgraded with the silent installer on Solaris, the client port
remains in TIME_WAIT state and takes some time to clear, as a result of
which silent installation fails with rc=34.

010) CDUA-1324 commit date: 28 Jan 2019
-----------------------------------------
Silent installation on Solaris fails with rc=22.

011) CDUA-1328 commit date: 29 Jan 2019
-----------------------------------------
On a Solaris system with IPV6 connectivity configured, cdpmgr start up
may fail reporting an XIPT002I message, and CLI connections may fail
reporting an XIPT003I message.

012) MFT-9523 commit date: 04 Feb 2019
----------------------------------------
Control Center not reading CDU Secure+ presence correctly.

013) CDUA-1233 commit date: 06 Feb 2019
-----------------------------------------
An update request for a SEAServer node's Override, ClientAuth,
EncryptData parameters should return an error, and the parameters shall
not be displayed over SPCLI.

014) MFT-9917 / APAR IT27019 commit date: 13 Feb 2019
-------------------------------------------------------
An ICC select process command submitted to C:D UNIX may occasionally
fail with CNCD058E message.

015) CDUA-1380 commit date: 19 Feb 2019
-----------------------------------------
Update white label script notices, licensing information, and ports.

016) MFT-10143 / APAR IT28061 commit date: 25 Feb 2019
-------------------------------------------------------
A proxy update issued by a KQV client does not complete successfully if
the user name or node name contains a period.

017) MFT-9967 / APAR IT26865 commit date: 08 Mar 2019
-------------------------------------------------------
CD UNIX may allow a user with sudo access restricted to certain CD UNIX
executable files to expand access beyond the restriction, as indicated
in the following issue:

CVE-2018-1903: IBM Sterling Connect:Direct for UNIX could allow a user
with restricted sudo access on a system to manipulate CD UNIX to gain
full sudo access.

018) CDUA-1336 commit date: 25 Mar 2019
-----------------------------------------
Transfer rate to AWS S3 needs improvement. This fix also adds support
to direct access to S3 from on-premises node.

The following new properties are available and can be used in
initparm.cfg file or sysopts:

s3.endPointUrl      IP or hostname to access S3 services.
                    Amazon S3 endpoint is the default.
                    Example: s3.endpointUrl=my.s3provider.com

s3.endPointPort     Port to use if any. No default value.
                    Example: s3.endpointPort=8080

s3.endPointSecure   Secure or non secure access. HTTPS or HTTP
                    requests. YES is the default.
                    Example: s3.endpointSecure=NO

s3.profilePath      Credential file to use. Amazon credentials search
                    order is the default.
                    Example: s3.profilePath='/opt/some path/credentials'

s3.profileName      Profile name to use from credential file.
                    Default is the Amazon S3 default [default].
                    Example: s3.profileName=otherprofile

s3.executorQueue    Parallel transfer upload queue size. Default is 5.

s3.executorMinPool  Parallel upload. Initial number of transfer upload
                    threads to use. Default is 10.

s3.executorMaxPool  Parallel upload. Maximum number of transfer upload
                    threads to use. Default is 30. Max value is
                    AmazonS3 max connections (50).
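
The s3.* properties in fix 018 decide where transfers go and whether they use HTTPS, so they are worth checking wherever sysopts or initparm.cfg text is reviewed. The Python check below is an added example, not IBM code: the function names, the sample string, the assumed value delimiters and the owner-only test on the credential file are assumptions, while the property names, the YES default and the limit of 50 come from the list above.

```python
import os
import re
import stat

# Limit quoted in the fix text: "Max value is AmazonS3 max connections (50)".
S3_MAX_CONNECTIONS = 50

# key=value, where the value is single-quoted or runs up to whitespace, ':' or
# '\' (assumed delimiters; the notes only show the bare key=value form).
_PROP = re.compile(r"(s3\.[A-Za-z]+)\s*=\s*(?:'([^']*)'|([^\s:\\'\"]+))")


def parse_s3_properties(text):
    """Return {lower-cased key: value}. The notes spell keys both as
    s3.endPointUrl and s3.endpointUrl, so case is ignored here."""
    props = {}
    for m in _PROP.finditer(text):
        quoted, bare = m.group(2), m.group(3)
        props[m.group(1).lower()] = quoted if quoted is not None else bare
    return props


def audit_s3_properties(text):
    """Return a list of (property, finding) tuples for settings to review."""
    props = parse_s3_properties(text)
    findings = []

    # YES (HTTPS) is the documented default, so only an explicit NO is flagged.
    if props.get("s3.endpointsecure", "YES").upper() == "NO":
        findings.append(("s3.endPointSecure", "S3 requests are sent over plain HTTP"))

    # An overridden endpoint receives the transferred data; surface it for review.
    if "s3.endpointurl" in props:
        findings.append(("s3.endPointUrl", "endpoint overridden: " + props["s3.endpointurl"]))

    pool = props.get("s3.executormaxpool")
    if pool is not None:
        if not pool.isdigit():
            findings.append(("s3.executorMaxPool", "not a number: " + pool))
        elif int(pool) > S3_MAX_CONNECTIONS:
            findings.append(("s3.executorMaxPool",
                             "%s exceeds the maximum of %d" % (pool, S3_MAX_CONNECTIONS)))

    # Assumption (general hardening, not from the notes): the credential file
    # should carry no group or other permission bits.
    path = props.get("s3.profilepath")
    if path and os.path.isfile(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(("s3.profilePath",
                             "%s has mode %o, accessible beyond the owner" % (path, mode)))
    return findings


# Constructed sample sysopts text, not taken from a real node.
SAMPLE = ("s3.endpointUrl=my.s3provider.com s3.endpointPort=8080 "
          "s3.endpointSecure=NO s3.executorMaxPool=64")

if __name__ == "__main__":
    for key, finding in audit_s3_properties(SAMPLE):
        print(key + ": " + finding)
```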

019) CDUA-1399 commit date: 01 Apr 2019
-----------------------------------------
snode work directory file names are not unique enough for high stress
scenarios.

020) MFT-10116 / APAR IT27777 commit date: 17 Apr 2019
--------------------------------------------------------
A COPY to the local destination file /dev/null fails with error
XSQF006I, feedback code 22.

021) MFT-10212 / APAR IT28704 commit date: 17 Apr 2019
--------------------------------------------------------
A protocol violation and session failure occur after a remote RUNTASK
step executed in C:D Unix fails due to a user permissions error.

022) MFT-9971 / APAR IT28761 commit date: 18 Apr 2019
-------------------------------------------------------
In the statistics log entry recording maximum achieved parallel
sessions (RECI=SCNT), the LCNT001I message text does not display the
maximum sessions or time achieved.

023) MFT-4757 / APAR IT28892 commit date: 25 Apr 2019
-------------------------------------------------------
Restarted copy steps fail with XCPR011I if the snode was cold started
(work directory cleared) between the initial session and the restarted
session.

024) MFT-10273 / APAR IT28898 commit date: 26 Apr 2019
-------------------------------------------------------
Restarted copy steps fail with XCPR011I if the destination file was
deleted between the initial session and the restarted session.

025) CDUA-1429 commit date: 06 May 2019
-----------------------------------------
cfgcheck takes a lot of time to validate thousands of netmap entries.

026) MFT-9588 / APAR IT26481 commit date: 22 May 2019
-------------------------------------------------------
In rare circumstances, a process may fail to start, reporting an
XSCM006E error; all users are denied access to CD from the SACL, even
though the Strong Access Control (SACL) directory and file appear to
have correct ownership and permissions set.

027) MFT-10147 / APAR IT29097 commit date: 23 May 2019
--------------------------------------------------------
When multiple copy processes are in session to a C:D snode running in a
load balanced cluster and that node is abruptly killed, the pnode will
restart the processes and the copies will complete successfully on
another snode in the cluster. However, in rare cases, the copy
termination record of some of the restarted processes is not logged on
the snode side, and temporary work files may be left in the shared
snode work directory.

028) MFT-10277 / APAR IT28732 commit date: 28 May 2019
--------------------------------------------------------
Supersedes MFT-9969 (IT27224)

Using the Amazon S3 file IO exit to receive a zero byte file fails,
reporting message FIOX044E.

029) MFT-10328 commit date: 28 May 2019
---------------------------------------
AWS S3 Messages too long for statistics

030) CDUA-1448 commit date: 28 May 2019
---------------------------------------
S3 Write checkpoint functionality broken

031) MFT-10389 / APAR IT29296 commit date: 29 May 2019
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment
Java(TM) (JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30. These JREs
are vulnerable to the following issues, disclosed as part of the IBM
Java SDK updates in January 2019:

CVE-2018-12547: Eclipse OpenJ9 is vulnerable to a buffer overflow,
caused by improper bounds checking by the jio_snprintf() and
jio_vsnprintf() functions. By sending an overly long argument, a remote
attacker could overflow a buffer and execute arbitrary code on the
system or cause the application to crash.

CVE-2018-1890: IBM SDK, Java Technology Edition Version 8 on the AIX
platform uses absolute RPATHs which may facilitate code injection and
privilege elevation by local users.

032) CDUA-1521 commit date: 30 May 2019
-----------------------------------------
Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling
Connect:Direct File Agent (CVE-2018-1890, CVE-2018-12547), which is
bundled with Connect:Direct for UNIX. Also, the File Agent installer
may fail on some UNIX systems with error "Installer User Interface Mode
Not Supported".

033) MFT-10379 / APAR IT29303 commit date: 30 May 2019
--------------------------------------------------------
Connect:Direct fails to start on AIX due to linking with older versions
of GSkit present in default system libraries.

034) CDUA-1444 commit date: 03 Jun 2019
-----------------------------------------
CDP validation adds extra parameters hold, retain, priority with
default values.

035) CDUA-1537 commit date: 10 Jun 2019
-----------------------------------------
Make certificate mandatory for CDU installation in Docker Container.

036) CDUA-1542 / APAR IT29487 commit date: 19 Jun 2019
--------------------------------------------------------
A restarted process may log an inappropriate XSQF009I message referring
to a file that ends with ".savedCTRstatLog". Also, the direct CLI
output of a detailed select statistics command may include a message id
and a Short Text description of the message. The Short Text description
might be truncated if the text is very long.

Note: It's remotely possible that a restarted process may fail on the
snode side with an XSMG235I or XSMG239I message that refers to a file
ending with .savedCTRstatLog. This indicates that there may be a copy
step of the indicated process that is missing its CTRC record on the
snode side. If the user investigates and determines the CTRC record is
logged, or is not necessary, then they may get past these errors by
removing the indicated file that ends with .savedCTRstatLog and then
releasing the process again.

037) CDUA-1529 commit date: 21 Jun 2019
-----------------------------------------
Cfgcheck does not accept more than one file.ioexit entry in
initparm.cfg

038) CDUA-1403 commit date: 25 Jun 2019
-----------------------------------------
Display SEAserver node response over CDWS shall not display Override
parameter

039) CDUA-1489 commit date: 09 Jul 2019
-----------------------------------------
When a process is submitted for validation using C:D Web Browser or C:D
Web Services with a valid STARTT parameter value in the process or
submit step, validation passes with an erroneous conversion of the
STARTT parameter at the C:D end. This might affect the parsing of the
response from the C:D server.

040) CDUA-1477/CDUA-1461 commit date: 15 Jul 2019
---------------------------------------------------
When a process is submitted for validation using any C:D client with
the restart parameter set to a valid value in runtask, the process is
validated without showing any detail about the restart parameter in the
response from the C:D server.

041) CDUA-1578 commit date: 15 Jul 2019
-----------------------------------------
If the checkpoint value in a process is incorrect or disabled, either
implicitly or explicitly, and the connection gets restarted, the
transfer never completes.

042) MFT-10324 / APAR IT29156 commit date: 15 July 2019
---------------------------------------------------------
When CD Unix performs a COPY RECEIVE, a restart of the COPY may fail
with a Signal 11.

043) CDUA-1378 commit date: 18 Jul 2019
-----------------------------------------
After setting a non-existing trace file path for cdpmgr, new CLI/other
clients fail to connect with CDU.

044) MFT-10469 / APAR IT29950 commit date: 09 Aug 2019
--------------------------------------------------------
Copy steps fail with message XSQF006I and feedback code 9 on AIX when
upload or download directory restrictions are configured. Same symptoms
are encountered for a custom user file open exit compiled on AIX.
Custom user file open exits compiled on Linux x86 platforms fail with
copy steps reporting XCPR017I and XCPS002I messages.

045) MFT-6817 / APAR IT09719 commit date: 14 Aug 2019
-------------------------------------------------------
During certain stress situations, cdpmgr may become unresponsive for
some minutes. During this time, select statistics will show multiple
XLKL004I messages in sequence.

046) MFT-10398 / APAR IT29723 commit date: 19 Aug 2019
--------------------------------------------------------
A CD Plex redirection is logged with SCPA007I, RC=8. The completion
code has been changed to RC=0.

047) MFT-10282 / APAR IT29243 commit date: 24 May 2019
-------------------------------------------------------
During FASP transfer at Pnode, API command select process with details
times out.

048) MFT-10192 / APAR IT28399 commit date: 12 Mar 2019
--------------------------------------------------------
Copy fails with error XIPT019E when CRC check is enabled.

049) CDUA-1689 commit date: 23 Aug 2019
-----------------------------------------
Added support in CD Unix for Control Center Director. Also, added
support for License governance.

050) CDUA-1652 commit date: 27 Aug 2019
-----------------------------------------
On HP-UX and Solaris systems, client and server connection attempts end
abruptly if the local.node record in netmap.cfg contains configurations
that generate warning messages, e.g. sess.total parameter value being
less than sess.pnode.max parameter value. Direct CLI connections in
this scenario, for example, will terminate and report XSEC012I and
XAPI006I messages, and statistics will show a "CMGR terminated by
signal." message.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.0.0.1

NOTICE:
Previous maintenance packages delivered on Fix Central consisted of
compressed CPIO files.
After a downloaded CPIO file was uncompressed, the installation scripts
would then need to be extracted from it in order to apply the
maintenance. All future maintenance, including this Fix Pack, will be
packaged as uncompressed tar balls containing the uncompressed CPIO
installation file and the installation scripts. Please refer to the
Maintenance Installation Instructions that accompany maintenance
downloads for more details.
-----------------------------------------------------------

=================================================
iFixes listed below apply to C:D for UNIX 6.0.0.1
=================================================

001) MFT-10562 / APAR IT30282 commit date: 16 Sep 2019
--------------------------------------------------------
A run task step executing a command that should normally take less than
a second to run may take a full second to complete.

002) MFT-6320 / APAR IT30283 commit date: 18 Sep 2019
-------------------------------------------------------
cdinstall_a executing an upgrade from a fresh deployment directory
(i.e., there are no artifacts left from a previous upgrade) will
display a rm command error indicating the upgradersps.txt file does not
exist.

003) CDUA-1721 commit date: 20 Sep 2019
-----------------------------------------
Corrections made to the scripts for CCD support.

a. Added support for upgrade from 6.0.0.1 to higher versions via manual
   installer. The upgrade support was present but it did not upgrade
   the install agent component.

b. When upgrading from an older version to 6.0.0.1, the agent related
   parameters should automatically get added to userfile.cfg and
   initparm.cfg.

004) MFT-7909 / APAR IT30318 commit date: 19 Sep 2019
-------------------------------------------------------
When the sending side of a HSAO (FASP) copy step has
tcp.max.time.to.wait=0, the step may fail with FASP022E reported on the
sending side and FASP009E on the receiving side.

005) MFT-10391 / APAR IT29954 commit date: 24 Sep 2019
--------------------------------------------------------
IBM License Metric Tool (ILMT) fails to discover CD UNIX because the
ILMT tag file extension is incorrect.

006) MFT-9816 / APAR IT27957 / CVE-2019-4529 commit date: 30 Sep 2019
-----------------------------------------------------------------------
IBM Sterling Connect:Direct for UNIX could allow a user who is
authorized for limited CD privileges to attack through a custom
application written using the CD UNIX C/C++ API by replacing the system
implementation of getuid() with a malicious implementation and gain
unauthorized privilege to access the CD UNIX Server.

007) MFT-10591 commit date: 01 Oct 2019
-----------------------------------------
Installation of the optional C:D File Agent (CDFA) may fail on some
systems with limited 32 bit library support, reporting "JRE libraries
are missing or not compatible." Also, CDFA installed on an EFS file
system in an Amazon Web Services EC2 instance will fail to start,
reporting "Error: missing `j9vm' JVM".

008) CDUA-1749 commit date: 08 Oct 2019
-----------------------------------------
On Solaris systems, the cdinstall_a script may fail, reporting "test:
argument expected." Also, the cdcust script may insert extra
install.agent records in the initparm.cfg file, or extra
client.cert_auth parameters in the admin local user record in the
userfile.cfg file.

009) MFT-10626 commit date: 08 Oct 2019
-----------------------------------------
On S3, when the bucket ACL does not allow write and the object sent to
this bucket is empty, the error from S3 is not returned to CD and the
copy step terminates with RC=0.

010) MFT-10211 commit date: 10 Oct 2019
-----------------------------------------
Destination file can be corrupted if the file is received to a CDU
cluster that is not configured with a shared work area
(snode.work.path).

011) MFT-7541 / APAR IT13224 commit date: 24 Oct 2019
-------------------------------------------------------
When copying text files to or from an EBCDIC remote node, C:D UNIX
translates ASCII data to EBCDIC and vice versa as needed. In some
cases, an alternative to the default ASCII to EBCDIC translation
provided by C:D UNIX is desired. While the product includes options for
users to create their own custom xlate tables or to use codepage
translation, for convenience, new xlate tables are provided that
convert ISO-8859-1 ASCII text to IBM-037 EBCDIC and back. These xlate
tables are located in {C:D UNIX install dir}/ndm/xlate directory. They
may be specified in copy step sysopts, or be made the default
translation by specifying them in the global copy record of the
initparm.cfg file.

012) MFT-7394 commit date: 28 Oct 2019
----------------------------------------
The cdcustrpt script executed by a user other than root will display
"Permission denied" in reference to several files.

013) CDUA-1475 commit date: 30 Oct 2019
-----------------------------------------
Add support for C:D UNIX to run on SUSE Linux Enterprise Server for IBM
POWER (ppc64le) systems. Fix also corrects cdinstall script issue which
may have caused the indicated disk space required to be understated.

014) MFT-10606 / APAR IT30399 commit date: 04 Nov 2019
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX running on AIX uses IBM(R) Runtime
Environment Java(TM) (JRE) Version 8.0.5.30. This JRE is vulnerable to
the following issues, disclosed as part of the IBM Java SDK updates in
July 2019:

CVE-2019-4473: Multiple binaries in IBM SDK, Java Technology Edition on
the AIX platform use insecure absolute RPATHs, which may facilitate
code injection and privilege elevation by local users.

CVE-2019-11771: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the inclusion of unused
RPATHS in AIX builds.
An attacker could exploit this vulnerability to inject code and gain
elevated privileges on the system.

015) MFT-10710 / APAR IT30961 commit date: 20 Nov 2019
--------------------------------------------------------
A process coded with a copy step that correctly uses pipe I/O function
(sysopts parameter pipe=yes) for the source may fail to produce a data
stream. I.e., the step will complete successfully, but will show zero
bytes read.

016) MFT-10666 / APAR IT31047 commit date: 27 Nov 2019
--------------------------------------------------------
During upgrade to 6.0.0.1, ownership of userfile.cfg changes to root.

017) MFT-10727 / APAR IT31176 commit date: 05 Dec 2019
--------------------------------------------------------
An inappropriate XCPZ007I message is returned after a copy step writing
to an S3 bucket completes successfully.

018) MFT-10668 / APAR IT31157 commit date: 10 Dec 2019
--------------------------------------------------------
If netmap checking is on, and the incoming connection's IP address to
check is specified in alternate.comminfo and listed past the 256th
character in that field, the session will fail with a netmap check
error. Fix extends the alternate.comminfo field length to 1023. If the
field maximum length is exceeded, a new message, XCFM001I, will be
generated and provide specific information about the error condition.

019) MFT-10721 / APAR IT31162 commit date: 10 Dec 2019
--------------------------------------------------------
In a rare circumstance, when using cdinstall_a script to upgrade or
uninstall a node, the value of the cdai_adminUserid parameter may be
incorrectly determined.

020) MFT-10754 / APAR IT31304 commit date: 16 Dec 2019
--------------------------------------------------------
If the strong password encryption (SPE) feature is in a bad state, a
submit process command can fail with no error message indicating the
reason for the failure.
SPE will be in a bad state, for example, if the base product without
Secure+ is running when Secure+ is installed.

021) MFT-10771 / APAR IT31319 commit date: 18 Dec 2019
--------------------------------------------------------
CDU opens a UDP socket on the same port used to listen for incoming API
connections on TCP.

022) MFT-10694 commit date: 19 Dec 2019
-----------------------------------------
The XSTL006W message regarding recent slow stat log write times
provided limited information. In addition to a slow stat log write
count, fix adds slow write time average and longest slow write time.

023) MFT-10726 / APAR IT31361 commit date: 20 Dec 2019
--------------------------------------------------------
An installation or upgrade of C:D Unix sets the installation directory
permissions to 700, instead of the expected 755.