=================================================
Maintenance for IBM Connect:Direct for UNIX 6.2.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX 6.2.0 code base. It is applicable to C:D UNIX version 6.2.0, and contains all the new functionality and fixes as described in the C:D UNIX 6.2.0 Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M implies new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D version is 6.2.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.2.0 Release Notes.

=================================================
iFixes listed below apply to C:D for UNIX 6.2.0.0
=================================================

001) CDUA-3012 commit date: 01 Sep 2021
-----------------------------------------
During a silent upgrade, initparm is updated with the cdfa.enable value passed as an option if File Agent is installed inside the CD Unix installation directory. As a result, cdfa.enable=y gets added even if a standalone File Agent is installed. Updated code to add cdfa.enable=y only if Integrated File Agent is installed.

002) MFT-12365 / APAR IT37802 commit date: 14 Sep 2021
--------------------------------------------------------
C:D Install Agent startup creates a /tmp/.com_ibm_tools_attach directory used by the IBM Java Attach API. The IBM Java Attach API is not used in C:D, so the /tmp/.com_ibm_tools_attach directory creation is unnecessary and seen by some as a possible security risk.

003) MFT-12380 / APAR IT37900 commit date: 14 Sep 2021
--------------------------------------------------------
If the name of the S3 IO Exit is different from 'S3', the exception "S3IOExitException: S3File: Invalid filename pathname is detected 'null'" is raised.

004) CDUA-3013 commit date: 20 Sep 2021
-----------------------------------------
The CDWS connection is reset or logged out when the apply changes button is clicked on the file agent setting. The update of configuration fails for the integrated File Agent on ZLINUX server. The code is updated to handle the large configuration on ZLINUX.

005) CDUA-2889 commit date: 22 Sep 2021
-----------------------------------------
In the scenario where a user declines adding a local user, yet chooses to add a remote user, the remote user is added twice to the user file. Changes were made to prevent the creation of duplicate entries in the user file.

006) CDUA-2988 commit date: 27 Sep 2021
-----------------------------------------
Enabled user authority for stat logging from external sources like File Agent. If cmd.external.stat.log in userfile is set to 'n', File Agent won't be able to log its statistics in Connect Direct server's stats.

007) CDUA-2994 commit date: 28 Sep 2021
-----------------------------------------
A client request to view the initparm.cfg file may fail inappropriately with XCMM035I.

008) MFT-12352 / APAR IT38513 commit date: 29 Sep 2021
--------------------------------------------------------
Silent install of CD Unix fails intermittently due to failure in installation of Install Agent.
When this issue occurs, a Java stack trace is produced that shows "java.lang.NullPointerException at com.zerog.ia.installer.LifeCycleManager.de".

009) CDUA-2043 / APAR IT37922 commit date: 05 Oct 2021
--------------------------------------------------------
A copy step using zFBA may fail and report message SCZF004E, Could not Open zFBA devices. If this failure is traced, the step may hang in execute state with a rapidly growing trace file output and ndmsmgr consuming significant CPU resource.

010) CDUA-2980 / APAR IT38016 commit date: 06 Oct 2021
--------------------------------------------------------
After upgrading to C:D Unix 6.0/6.1, an attempt to open the 'direct' prompt with a trace parameter failed with error XAPI005I Return Code: 8 Feedback: 0. Ensure that the ndmauth trace logs are always written to the ndm/bin directory to avoid permissions failures on creation of the trace logs.

011) MFT-11901 / APAR IT36440 commit date: 13 Oct 2021
--------------------------------------------------------
A process submit step (submit within a process) may fail and report an XPAE003I message if the submitted process text contains a comment on the first line.

012) MFT-12512 / APAR IT38545 commit date: 15 Oct 2021
--------------------------------------------------------
On some AIX systems, a submitted process will fail to execute, with statistics showing nothing more than a series of queue transitions from WAIT/WC to EXEC/PE to TIMER/WC, until retries are exhausted.

013) FLAG-256 commit date: 20 Oct 2021
----------------------------------------
Integrated File Agent failed to connect to the Connect:Direct server with com.stercomm.csg.SPAdmin.JavaCDSP error in logs. Updated Integrated File Agent.

014) MFT-12318 / APAR IT37795 commit date: 20 Oct 2021
--------------------------------------------------------
Due to newer versions of Linux not maintaining binary compatibility for the Transport Independent RPC Library (libtirpc) with older versions, RHEL 8 and RHEL 7, for example, CDU binaries executed from a directory other than our ndm/bin directory may fail, indicating "error while loading shared libraries: libtirpc.so.1". See the Known Restrictions page of the CDU Release Notes for more details.

The Known Restrictions page also describes a symbolic link which may be created to enable execution of CDU binaries from directories other than ndm/bin. If implementation of this link was desired, it had to be created manually.

This fix updates the interactive and automated installation scripts to provide an option for creating this link during installs and upgrades. The interactive installation script, cdinstall, will prompt for the option if the link is not detected. A new parameter, cdai_tirpcCreateLink, has been added to the automated installation script, cdinstall_a, which takes a 'y' or 'n' value to optionally create this link.

015) CDUA-2983 commit date: 26 Oct 2021
-----------------------------------------
Integrated File Agent stats are not correctly displayed on Connect:Direct stats for some parameters.

016) FLAG-257 commit date: 27 Oct 2021
-----------------------------------------
Updated Integrated File Agent to Version 2.0.0.0_iFix007.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.2.0.1
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.2.0.1
===========================================================

001) CDUA-2946 commit date: 28 Oct 2021
-----------------------------------------
In the SCNT statistics record, the MSAS field, which reports the theoretical maximum number of simultaneous sessions a node could run (if licensed), is arbitrarily reporting 999, instead of calculating an appropriate value based on system resource limits.

002) MFT-12453 / APAR IT38835 commit date: 29 Oct 2021
--------------------------------------------------------
Building user exits with make_exit_c and make_exit_C may fail on later Linux versions, such as RHEL 8, indicating "fatal error: rpc/rpc.h: No such file or directory".

003) MFT-12582 / APAR IT38836 commit date: 03 Nov 2021
--------------------------------------------------------
S3 upload fails for 0 byte files when an AWS policy denies non server side encrypted (SSE) objects.

004) CDUA-3073 / APAR IT39028 commit date: 09 Nov 2021
--------------------------------------------------------
Various C:D UNIX executable modules, including cdpmgr, may fail to run on Ubuntu 20 systems, indicating an error loading shared library libtirpc.so.1.

Note: With this iFix, Ubuntu versions 18 and 20 are added to the list of supported software for Intel and AMD x86-64.

005) MFT-12621 / APAR IT38901 commit date: 15 Nov 2021
--------------------------------------------------------
When an automated upgrade (cdinstall_a) fails due to Install Agent startup failure, the Install Agent logs describing the startup failure may be lost during the subsequent restore of the original CDU installed. Fix adds capturing the Install Agent logs and saving them in the deployment directory when this occurs.

006) CDUA-3085 commit date: 16 Nov 2021
-----------------------------------------
When a silent upgrade is performed from a CDU version where Install Agent is not up due to Secure+ not being installed/configured, the upgrade is marked as failed because Install Agent is unable to start even after the upgrade. As a part of this fix, Install Agent startup is not attempted after a silent upgrade if it was not up before the upgrade.

007) CDUA-2754 commit date: 16 Nov 2021
--------------------------------------------------------
The SSLV2 hello has been disabled. Note that TLS 1.0 has been deprecated by the IETF since March 2021.

008) CDUA-3064 commit date: 17 Nov 2021
-----------------------------------------
Sometimes deployment fails during a container/helm chart upgrade and the configuration present on the persistent volume is also lost. As a result, when the new container/pod comes up, it does not have the previous configuration.

009) CDUA-3106 commit date: 29 Nov 2021
-----------------------------------------
User Id is not captured in stats when a user sign-on to the CDU server fails.

010) CDUA-3096 commit date: 02 Dec 2021
-----------------------------------------
When changes to initparm.cfg are made using CDWS or CCM and the pod is deleted so that a new pod comes up with the updated initparm.cfg parameters, the new pod fails to come up and keeps on restarting, showing error CD service not started.

011) CDUA-2830 / APAR IT39113 commit date: 03 Dec 2021
--------------------------------------------------------
If the connection is broken when CDU is pnode pulling a file from a remote node to an S3 destination with checkpoint enabled, on restart, the checkpoint resynchronization fails with error message FIOX023E reported, and the copy step is restarted from the beginning.

012) CDUA-3134 / APAR IT39167 commit date: 02 Dec 2021
--------------------------------------------------------
Expired passwords are not detected by CDU when authenticating credentials on HP-UX Itanium and AIX platforms.
Also, when credential validation failed, no reason was logged for the failure. Fix adds a new message, XIDC001I, logged only on the validating side and viewable only by administrators, indicating why credential validation failed.

013) CDUA-3056 commit date: 06 Dec 2021
----------------------------------------
In some scenarios, C:D Control Center may incorrectly conclude that multiple C:D UNIX nodes are running on the same system.

014) MFT-11969 / APAR IT36604 commit date: 07 Dec 2021
--------------------------------------------------------
When a remote C:D initiates a secure session to C:D UNIX (CDU) requesting Secure+ protocols that are not supported by CDU, and CDU has Secure+ Override enabled for that incoming session, it's possible that the session will fail inappropriately with a CSPA091E message.

015) CDUA-2698 commit date: 07 Dec 2021
-----------------------------------------
SPCli shows a Basename parameter when displaying a remote node, which is inappropriate since the Basename parameter became irrelevant when the Secure+ STS protocol was dropped from support.

016) MFT-12769 / APAR IT39369 commit date: 12 Dec 2021
--------------------------------------------------------
The S3 File IO Exit, Install Agent, and File Agent components included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the issue listed below. Apache Log4j2 has been upgraded to version 2.15.0.

CVE-2021-44228: JNDI features of Apache Log4j2 versions <= 2.14.1, used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

017) MFT-12790 / APAR IT39452 commit date: 17 Dec 2021
--------------------------------------------------------
The S3 File IO Exit, Install Agent, and File Agent components included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the issue listed below. Apache Log4j2 has been upgraded to version 2.16.0.

CVE-2021-45046: Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern could exploit this vulnerability by crafting malicious input data using a JNDI Lookup pattern to cause a denial of service.

018) MFT-12807 / APAR IT39480 commit date: 21 Dec 2021
-------------------------------------------------------
The S3 File IO Exit, Install Agent, and File Agent components included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the issue listed below. Apache Log4j2 has been upgraded to version 2.17.0.

CVE-2021-45105: Apache Log4j versions <= 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

019) CDUA-3152 commit date: 27 Dec 2021
-----------------------------------------
View option for Integrated File Agent authority did not work on CD Web services UI while creating a new user authority.

020) MFT-12865 commit date: 24 Jan 2022
----------------------------------------
Apache Log4j2 upgraded to version 2.17.1.

021) MFT-12474 / APAR IT39069 commit date: 10 Jan 2022
--------------------------------------------------------
C:D monitors the Installation Agent status periodically. The error reporting for this procedure was incomplete. Fix adds a new message, CDAI003E, which is used to log more complete information if the procedure fails.

022) MFT-12710 / APAR IT39420 commit date: 13 Jan 2022
--------------------------------------------------------
On HP-UX Itanium systems using a shadow password file, client connections presenting valid credentials may fail, generating an XCMM038I message. Server connections may fail generating an XSMG245I message. Fix introduces a new requirement for the Password Hash Infrastructure (PHI) package on HP-UX.

To check for package installation status:
  11iv3 (B.11.31): swlist -a state SHA11i3
  11iv2 (B.11.23): swlist -a state SHA

To download and install the package if necessary:
  11iv3 (B.11.31): https://myenterpriselicense.hpe.com/cwp-ui/free-software/PHI11i3
  11iv2 (B.11.23): https://myenterpriselicense.hpe.com/cwp-ui/free-software/PHI

023) CDUA-3177 commit date: 13 Jan 2022
-----------------------------------------
cdcustrpt incorrectly identifies ndm/lib/libtirpc.so.1 link as non-standard on Linux systems where libtirpc.so.1 is not available.

024) CDUA-1699 commit date: 14 Jan 2022
-----------------------------------------
Output of Select process detail command does not display Snode User Id.

025) MFT-12538 / APAR IT38957 commit date: 18 Jan 2022
--------------------------------------------------------
When CDU is preparing the list of matching files for a wildcard copy step, for security, matching files that are not readable by the local user are not added to the list. If CDU is snode and one or more of the matching files is unable to be opened, the pnode does not get notified about these files and will consider the copy step to be successful.

To fix this issue, when CDU is snode, one matching file that is not readable is allowed to be added to the list of files to be sent, so that one of the individual copy steps will fail, giving the pnode awareness of the situation. For security, snode masks the name of the unreadable matching file before sending the failing step information to pnode.

026) MFT-12634 / APAR IT39304 commit date: 19 Jan 2022
--------------------------------------------------------
When a KQV client, such as C:D Application Interface for Java or C:D Web Services, issues a select statistics or select process request to C:D UNIX that includes a submitter parameter, the command may fail with the C:D UNIX ndmcmgr process killed by a SIGABRT (signal 6) or SIGSEGV (signal 11).

027) CDUA-3207 / APAR IT39749 commit date: 25 Jan 2022
--------------------------------------------------------
An inappropriate CDIA003E message indicating the Installation Agent helper from the previous check is still running may be logged every five minutes.

028) MFT-12577 / APAR IT38803 commit date: 28 Jan 2022
--------------------------------------------------------
A run task may fail to execute, generating an XSMG424I warning that inappropriately indicates "RPC call to stat_log_1() returns null. RPC time out."

029) CDUA-3197/MFT-12990 / APAR IT40237 commit date: 01 Feb 2022
------------------------------------------------------------------
Integrated File Agent support has been added to CDU container.

IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93. IBM Sterling Connect:Direct for UNIX Certified Container is hosted by Red Hat Universal Base Image.
Due to use of Red Hat Universal Base Image and binutils package, IBM Sterling Connect:Direct for UNIX Certified Container is vulnerable to the following:
  buffer overflow (CVE-2019-20838, CVE-2020-14155, CVE-2020-35448, CVE-2021-20266, CVE-2021-23840, CVE-2021-3200, CVE-2021-35942, CVE-2021-36087, CVE-2021-37600, CVE-2021-38185),
  denial of service (CVE-2020-16135, CVE-2021-20231, CVE-2021-20232, CVE-2021-23841, CVE-2021-28135, CVE-2021-33574, CVE-2021-3487, CVE-2021-3580),
  elevation of privilege (CVE-2021-20197),
  sensitive data exposure (CVE-2021-22876, CVE-2021-22898, CVE-2021-22923),
  drive-by download (CVE-2021-22922),
  unauthorized access (CVE-2021-22924),
  data corruption (CVE-2021-27218, CVE-2021-3421),
  side-channel attack (CVE-2021-33560),
  arbitrary code execution (CVE-2021-3445),
  use-after-free (CVE-2021-36084, CVE-2021-36085, CVE-2021-36086).

This fix updates Red Hat Universal base image to 8.5-226 and binutils to 2.30-108.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.2.0.2
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.2.0.2
===========================================================

001) CDUA-3232 commit date: 11 Feb 2022
-----------------------------------------
Integrated File Agent may fail to start, even though cdfastart.log file shows "File agent started successfully".

Note: this issue does not affect Integrated File Agent support added to IBM Certified Container in 6.2.0.2.

002) CDUA-1701 commit date: 28 Feb 2022
-----------------------------------------
KQV client submitted delete process command using submitter search criteria fails to find matching processes.

003) CDUA-3245 / APAR IT40116 commit date: 03 Mar 2022
--------------------------------------------------------
cdinstall script run on HP-UX may mistakenly indicate that Password Hash Infrastructure (PHI) package installation is required. PHI is not required on HP-UX systems that use traditional password storage.

004) MFT-12886 / APAR IT40115 commit date: 04 Mar 2022
--------------------------------------------------------
When an upgrade is performed, the old install-agent jar is not removed. Added a fix to keep only the latest install-agent jar after an upgrade.

005) MFT-12948 / APAR IT40165 commit date: 08 Mar 2022
--------------------------------------------------------
After installation of CDU on AIX servers, a strings process keeps on running and consuming high CPU.

006) CDUA-3231 commit date: 16 Mar 2022
-----------------------------------------
Connect Direct Automated installation does not detect Integrated File Agent start up. With this change, if fileAgentEnable is set to yes and Integrated File Agent fails to start, Automated installation will fail.

007) CDUA-3242 / APAR IT40322 commit date: 22 Mar 2022
--------------------------------------------------------
If the backup procedure is invoked during an interactive upgrade (cdinstall), it may fail indicating that tar cannot open the {CDU install directory}.CDBCompressible.[gz|Z] and {CDU install directory}.CDBUncompressible files due to permission. A restore procedure invoked after this error will indicate no such file or directory regarding the {CDU install directory}.CDBCompressible.[gz|Z] and {CDU install directory}.CDBUncompressible files.

008) CDUA-3303 / APAR IT40392 commit date: 24 Mar 2022
--------------------------------------------------------
If a user exit program fails to execute, an appropriately named log file is generated in {CDU install dir}/work/{CDU node name} directory, but does not contain helpful information.

009) CDUA-3308 commit date: 29 Mar 2022
-----------------------------------------
Added Port Check Ignore List feature support.

NOTE: Port Check Ignore feature is not supported for the API port on HP-UX and Solaris platforms.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.2.0.3
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.2.0.3
===========================================================