================================================= Maintenance for IBM Connect:Direct for UNIX 6.1.0 ================================================= This maintenance archive includes module replacements for the C:D UNIX 6.1.0 code base. It is applicable to C:D UNIX version 6.1.0, and contains all the new functionality and fixes as described in the C:D UNIX 6.1.0 Release notes, as well as fixes for the issues listed below. This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance. Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology. After applying the maintenance, the CLI banner will report that your C:D version is 6.1.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created. For more information, please refer to the C:D UNIX 6.1.0 Release Notes. ================================================= iFixes listed below apply to C:D for UNIX 6.1.0.0 ================================================= 001) MFT-10783 / APAR IT31279 commit date: 05 May 2020 -------------------------------------------------------- Silent upgrade fails when traces are disabled. 002) CDUA-1801 commit date: 11 May 2020 ----------------------------------------- On RHEL 8 and SLES 15 systems, cdinstall_a execution may fail indicating an error loading shared libraries referring to libtirpc.so.1. On SLES 15 systems, cdinstall_a execution may fail indicating a command was not found referring to ifconfig or netstat. 003) CDUA-2035 commit date: 07 May 2020 ----------------------------------------- a). CDU Upgrade fails in case cfgCheck exits with a warning. b). cfgCheck exits with wrong return codes in case of error/warning. 004) CDUA-2078 commit date: 11 May 2020 ----------------------------------------- On trying to set the value of "SeaCacheEnable" using the AIJ interface, an error is observed "Invalid key word 'SeaEnableCache'". 005) CDUA-2067 commit date: 15 May 2020 ----------------------------------------- Corrected the Info message in docker container image for SIGINT signal 006) MFT-10851 / APAR IT32402 commit date: 15 May 2020 -------------------------------------------------------- When a process that has established a session and is executing fails with a retriable error, it is placed in the Timer queue to be executed again after a wait period. Due to the intelligent session retry facility, it's possible that this process could immediately be placed back into execution without a delay. However, there are some scenarios where executing again too soon after being placed in Timer could cause resynchronization issues at the snode. 007) CDUA-2100 commit date: 20 May 2020 ----------------------------------------- On Secure+ Admin tool while adding cipher suites, if user selects any option from Filter by certificate either RSA or ECDSA, TLS 1.3 cipher suites were not visible 008) MFT-11088 commit date: 29 May 2020 ----------------------------------------- Enable S3 Server Side Encryption (SSE-S3) using new parameter s3.sseS3=YES/NO 009) MFT-11014 / APAR IT32981 commit date: 01 Jun 2020 -------------------------------------------------------- CCD License Data Collector not working properly.The issue occurs around daylight savings time changes. 010) CDUA-2068 commit date: 02 Jun 2020 ----------------------------------------- Due to liveness and readiness check in IBM Container Certified Software, the STAT gets filled with messages showing "TCP lost the connection. System error is Success." 011) CDUA-2107 commit date: 02 Jun 2020 ----------------------------------------- Message file was missing a number of messages, including Sterling Secure Proxy messages added for its antivirus scanning support. 012) MFT-11039 / APAR IT32975 commit date: 05 Feb 2021 ------------------------------------------------------ Using CMPrlevel/WINdowsize/MEMlevel parameters causes XPAC011I on AIX CDU.This issue occurs around format specifier which is used to convert the string from lex parser into numbers. 013) CDUA-2104 commit date: 03 Jun 2020 ----------------------------------------- In Certified container software, the PVC get bound to any available PV in the cluster fulfilling the need to requirement depending on size, accessmode. The PVC should bound to the PV where the prerequisite files are present on mount path. Also, updated CDU 6.1 Knowledge Center link in IBM CCS. 014) MFT-11091 / APAR IT32816 commit date: 03 Jun 2020 -------------------------------------------------------- C:D UNIX shouldn't check space requirements during upgrade. 015) CDUA-2089 commit date: 09 Jun 2020 ----------------------------------------- Install Agent logs are owned by and can only be read by root. 016) MFT-11178 / APAR IT33144 commit date: 10 Jun 2020 -------------------------------------------------------- Eliminate creation of the obsolete STS folders 'import' and 'export' in the secure+ folder when installing the Secure+ feature. 017) MFT-11231 / APAR IT33310 commit date: 23 Jun 2020 -------------------------------------------------------- Invalid error and line number is printed in docker logs when secure plus certificate file is missing from the configuration directory (by default CDFILES) for containerized CDU. 018) CDUA-2130 commit date: 25 Jun 2020 ----------------------------------------- When dynamic provisioning is enabled on AWS managed services for Openshift platform, the ownership of SACL directory becomes root:cduser and permission of sysacl.cfg file changes to 660. This scenario is seen when pod get created with previously deployed pod's CDU data ie, after the restore of previous configuration the issue is observed. 019) MFT-11245 / APAR IT33344 commit date: 30 Jun 2020 -------------------------------------------------------- The cdinstall script fails with a scripting error when executed on Solaris. 020) MFT-10745 / APAR IT32488 commit date: 30 Jun 2020 -------------------------------------------------------- A CLI session on Solaris fails with errors XSEC013I and XAPI005I when host names are specified in the keys.client and keys.server files for session authentication. The issue may also manifest, regardless of the keys.* files specification, as a CLI session failure reporting message XSEC010I when multiple CLI connections are made in rapid sequence. When this happens, CDU statistics will log an XIPT016I message when the local.node's tcp.max.time.to.wait specification has elapsed after the CLI failure. 021) CDUA-1435 commit date: 03 Jul 2020 ----------------------------------------- Connect:Direct for UNIX Installer does not prompt for password verify for the Keystore password. 022) CDUA-2159 commit date: 15 Jul 2020 ----------------------------------------- On Solaris, during silent install/upgrade error message "startInstallAgent() CD Agent not started. agent.enable is set to ." is displayed. 023) MFT-11258 / APAR IT33538 commit date: 15 Jul 2020 -------------------------------------------------------- Disabling Install Agent on Solaris10 causes CDIA002I to be logged every 5 minutes in Statistics. 024) MFT-11236 / APAR IT33402 commit date: 17 Jul 2020 -------------------------------------------------------- Incoming session requests fail with netmap check error XSMG016I following an IP address mismatch even when alternate.comminfo=*. 025) CDUA-2110 commit date: 28 Jul 2020 ----------------------------------------- If parameters in the initparm.cfg install.agent or license records are missing or improperly specified, the resulting XRIA001I or XRIA002I messages may not be formatted correctly. 026) CDUA-2141 commit date: 30 Jul 2020 ----------------------------------------- Added TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA to the list of default ciphers during silent install. 027) MFT-11234 / APAR IT33616 commit date: 07 Aug 2020 -------------------------------------------------------- When there is limited disk space available on the file system where CDU is or will be installed, the upgrade or install procedure may fail while configuring the Secure+ JRE and show messages about missing files or directories. 028) MFT-11320 / APAR IT33840 commit date: 13 Aug 2020 -------------------------------------------------------- IBM Connect:Direct for UNIX could allow a user to manipulate CD UNIX to gain root privilege, as indicated in the following issue: CVE-2020-4587: IBM Connect:Direct for UNIX is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could manipulate CD UNIX to obtain root privileges. 029) MFT-11334 / APAR IT33867 commit date: 14 Aug 2020 -------------------------------------------------------- Superseded by 6.1.0.3.iFix007. 030) CDUA-2173 commit date: 18 Aug 2020 ----------------------------------------- Umask is not consistent on system wrt to the cdpmgr process inside container. The umask of system shown is 022 while umask shown for cdpmgr is 077. So, corrected the default umask setting inside container. 031) MFT-10918 / APAR IT32508 commit date: 18 Aug 2020 -------------------------------------------------------- If a netmap entry has sess.pnode.max=0 (no outgoing sessions allowed) and sess.default=1 or more, incoming sessions fail with an XNMP007E message. 032) MFT-11216 / APAR IT33334 commit date: 04 Dec 2020 -------------------------------------------------------- On HP-UX and Solaris systems, while clients are rapidly submitting a series of processes, for example when C:D File Agent is processing many files recently added to a watch directory, it is possible that some of the process submissions will fail, with the client seeing XTQP001I and XPRG001I messages. 033) MFT-11260 / APAR IT33773 commit date: 21 Aug 2020 -------------------------------------------------------- SMGR terminated by Signal=11 due to a malformed proxy record in file userfile.cfg. 034) MFT-11275 / APAR IT33992 commit date: 01 Sep 2020 -------------------------------------------------------- cdmsgutil lacks a trace option to assist with diagnosing any issues with it that may arise. Fix adds a trace option. Invoke cdmsgutil with "-h" to see the usage. 035) MFT-11365 / APAR IT34116 commit date: 04 Sep 2020 -------------------------------------------------------- If a copy step that is using pipe IO functionality (sysopts pipe=yes) for the destination side is traced, ndmsmgr is killed with a segmentation violation (SIGSEGV). 036) CDUA-2274 commit date: 09 Sep 2020 -------------------------------------------------------- Support CD installation from Control Center Director. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 6.1.0.1 ----------------------------------------------------------- =========================================================== iFixes listed below apply to C:D for UNIX 6.1.0.1 =========================================================== 001) MFT-11369 commit date: 15 Sep 2020 -------------------------------------------------------- posInfo array length in s3FileReader may be wrong and positioning on object stream may fail or may be wrong on a process restart. 002) MFT-10900 / APAR IT32064 commit date: 21 Sep 2020 -------------------------------------------------------- On systems where /tmp is mounted with the noexec option enabled, C:D Install Agent or File Agent installation may fail, indicating "JRE libraries are missing or not compatible". There may also be an indication that a security file or directory is missing. 003) MFT-11398 / APAR IT34160 commit date: 25 Sep 2020 -------------------------------------------------------- If the username portion of a proxy record contains one or more '@' characters, some clients may have trouble displaying the proxy record correctly. 004) MFT-11278 / APAR IT34263 commit date: 25 Sep 2020 -------------------------------------------------------- When multiple clients are connecting in rapid succession to a CDU server on Solaris or HP-UX, some of the connections may fail indicating XSEC010I. When this happens, the ndmcmgr process will hang, and, in most cases, eventually timeout, logging an XIPT016I message. It is also possible for an inappropriate XPMD005I message to be generated. 005) CDUA-2288/CDUA-2277/CDUA-2302/MFT-11355: commit date: 02 Oct 2020 -------------------------------------------------------- The following features has been integrated- a) Support for LDAP in plain vanilla container and IBM CCS b) Support for Helm 3 in IBM CCS c) Support for OpenShift 4.4 in IBM CCS d) Support for Licensing and Metering in IBM CCS LDAP support is not working after upgrade using IBM CCS because LDAP parameters were not populated correctly. Without providing appuser parameters, the deployment was getting failed because the appuser name variable was getting updated incorrectly resulting in null user argument while user creation For OCP 3.11 created on AWS cloud, the permission and onwership of SACL directory were incorrect on restart of pod. Hence, the file transfer was failing reporting inappropiate SACL directory ownership. Now, the permission and ownership has corrected to be 600 and root respectively. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 6.1.0.2 ----------------------------------------------------------- =========================================================== iFixes listed below apply to C:D for UNIX 6.1.0.2 =========================================================== 001) MFT-11245 / APAR IT33344 commit date: 06 Oct 2020 -------------------------------------------------------- The cdinstall script fails with a scripting error when executed on Solaris 10. 002) MFT-11096 / APAR IT34401 commit date: 09 Oct 2020 -------------------------------------------------------- In a rare circumstance, CDU servers running on HP-UX or Solaris may get stuck in a loop of message XIPT007I followed by message XPMC002I after a CLI connection is attempted or the port the server is listening on for client connections is probed. 003) CDUA-2346 commit date: 16 Oct 2020 ----------------------------------------- The upgrade/rollback jobs fails due to new integer value of license parameter in values.yaml file. Earlier, it was created an environment variable inside pod. But, now it is being removed as env variable and it can be seen in annotation section of pod while describing it. Since, no env variale would be created the upgrade/rollback shall work properly. 004) MFT-11366 / APAR IT34125 commit date: 22 Oct 2020 -------------------------------------------------------- If a copy step between two CDU nodes specifies sysopts with datatype=text, it may transfer in block mode, which is inappropriate and inefficient for CDU to CDU transfers. This issue may also manifest as communication errors, or a "SMGR terminated by signal" message. 005) MFT-11530 / APAR IT34855 commit date: 10 Nov 2020 -------------------------------------------------------- Automated install incorrectly allows a local node name that exceeds 16 chars 006) MFT-11520 / APAR IT35189 commit date: 12 Nov 2020 -------------------------------------------------------- IBM Connect:Direct for UNIX could allow a non-authorized user to gain application privileges, as described in the vulnerability below. CVE-2020-4747: IBM Connect:Direct for UNIX can allow a local or remote user to obtain an authenticated CLI session due to improper authentication methods. 007) MFT-11502 / APAR IT34639 commit date: 13 Nov 2020 -------------------------------------------------------- If the source side of a copy step is pipe IO (a data stream invoked with the pipe=yes sysopts) and the stream is ended abnormally (bad command, terminated by signal, etc.), the abnormal termination is not detected. The copy step will complete as though the pipe IO data stream was received and ended normally. 008) MFT-11547 / APAR IT35148 commit date: 03 Dec 2020 -------------------------------------------------------- When using SPAdmin and SPCli to import a file with multiple unique certificates that have labels equal to existing certificates in the keystore, and with the ImportMode set to AddUniqueLabel, only the first certificate in the file will get added with a unique label. Subsequent certificates in the import file will overwrite existing certificates that have the same label. 009) MFT-11072 / APAR IT33855 commit date: 08 Dec 2020 -------------------------------------------------------- Upgrade from CCD changes ownership of install\downloads directory. 010) MFT-11457 / APAR IT35091 commit date: 11 Dec 2020 -------------------------------------------------------- In case the default Install Agent port is busy and an upgrade of CDU instance is performed from an older version without Install Agent to a newer version with Install Agent, the IA service fails to start due to unavailability of the port. The upgrade fails but without indicating the correct reason for failure. Also, in such a case as a part of rollback process restore to the previous Install Agent version is attempted, which never existed. 011) CDUA-2386 / APAR IT35188 commit date: 11 Dec 2020 -------------------------------------------------------- The CLI/Server authentication can fail if the local DNS returns the peer's host name in upper or mixed case. 012) CDUA-2430 commit date: 14 Dec 2020 ----------------------------------------- Added support for specifying custom CD backup paths and installation program paths. With this feature, custom backup paths for CDU and Install Agent can be specified during a silent install. Apart from these, custom path for downloading installers during upgrade via CCD can also be specified. The newly added silent install options are as follows: cdai_cdBackupLocation : Specify custom backup path for CD during an upgrade. cdai_agentBackupLocation : Specify custom backup path for Install Agent during an upgrade. cdai_erInstallerLocation : Specify custom path for storing installer that will be used during an emergency restore. cdai_agentInstallerLocation: Specify custom path for downloading installer that will be used for an upgrade via CCD. 013) CDUA-2450 commit date: 17 Dec 2020 ----------------------------------------- The version of CDFA bundled with CDU is 1.4.0.0, which doesn't support certificate based client authentication. Fix updates C:D File Agent bundled with CDU to 1.4.0.1, which includes support for configuring certificate-based user authentication. 014) MFT-11518 / APAR IT34801 commit date: 07 Jan 2021 -------------------------------------------------------- run task steps that end abnormally, i.e., terminated by a signal, are logged as normal completions. Also, if a run task step generates stderr output, the output is not captured or logged in statistics. Fix adds a new warning message, XSMG424I, which captures and logs any stderr generated so it can be analyzed. 015) MFT-11176 / APAR IT33837 commit date: 11 Jan 2021 -------------------------------------------------------- On a system(running under a load balancer), silent Install/Upgrade might fail with following error: "Connect:Direct installation verification failed. Task is select statistics for sample process." 016) MFT-11488 / APAR IT35273 commit date: 13 Jan 2021 -------------------------------------------------------- cdinstall_a script - on AIX the silent install hangs if there is no 'mktemp' binary on the server. 017) CDUA-2304 commit date: 21 Jan 2021 --------------------------------------- User Authority gets converted to User Proxy if userId contains "@" in value. If a client such as C:D Web Services attempts to create local user with an invalid "@" character imbedded in the user name, CDU will create a proxy record instead of responding with an error condition. 018) CDUA-2508 commit date: 22 Jan 2021 --------------------------------------- When user is running Install Agent on some port other than default(1365), and performs an upgrade, the check in installer which detects if this port is available for IA to start after upgrade, does not work correctly and may return false error. 019) CDUA-2476 / APAR IT35442 commit date: 25 Jan 2021 -------------------------------------------------------- It is possible in certain scenarios for C:D events to occur and not get logged to statistics. 020) CDUA-2507 / APAR IT35570 commit date: 27 Jan 2021 -------------------------------------------------------- When using SPCli to update the KeyCertLabel of the local node or a remote node and no other parameters are specified, SPCli inappropriately reports "SPCL108E rc=8 All mandatory key word value pairs must be entered." 021) CDUA-2522 commit date: 28 Jan 2021 ----------------------------------------- In CDU container, when the container is restored or upgrade the CDWS cannot perform logging to restored or upgraded CDU container node. An error stating "Either entries are incorrect or Connection is down" is thrown on CDWS. Although, the container node is UP and running. The CD stat reports "Incorrect userid or password" with error message XCMM038I. This is seen only when LDAP feature is enabled on container. 022) MFT-11571 / APAR IT35287 commit date: 02 Feb 2021 -------------------------------------------------------- cdpmgr responsiveness can be degraded when statistics exit processing takes a long time to complete. Fix adds XSTL007W and XSTL008W messages to warn when increased time is needed for the statistics exit to process a statistics log. Fix also adds code to restart the statistics exit if it's not running when it's time to send a statistics log. 023) CDUA-2420 commit date: 05 Feb 2021 ----------------------------------------- Analyzing CLI connection security issues can be difficult. Fix improves CLI connection messaging and logging. 024) CDUA-2530 commit date: 08 Feb 2021 ----------------------------------------- In CDU container, when the container is restored/recovered from previous/older configuration and there is any additional directory in work, then the nodename gets updated with the name of additional directory in work. Causing renaming of nodename inside container irrespecive of any value in cd_param_file. 025) CDUA-2428/CDUA-2435/CDUA-2496/CDUA-2457: commit date: 10 Feb 2021 ---------------------------------------------------------------------- The IBM Certified Container Software for CDU has been recertified by IBM Certification Team. Also, the following features have been integrated - a) Support for Dynamic Provisioning b) Support for using existing PVC c) Support for downloading container images from Entiled registry ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 6.1.0.3 ----------------------------------------------------------- =========================================================== iFixes listed below apply to C:D for UNIX 6.1.0.3 =========================================================== 001) CDUA-2536 commit date: 16 Feb 2021 ----------------------------------------- Automated upgrade inappropriately tries to backup Install Agent, even when Install Agent was not present on the previous version. 002) CDUA-2537 commit date: 11 Feb 2021 ----------------------------------------- Install Agent installer may fail during automatic upgrade of node without Install Agent. 003) CDUA-2616 commit date: 08 Mar 2021 ----------------------------------------- The licenseType value for parameter in values.yaml for IBM Certified Container Software for UNIX has been updated. The default value is prod which means the helm chart which is installed on cluster will be annotated with Production license. 004) CDUA-2617 commit date: 09 Mar 2021 ----------------------------------------- When LDAP feature is enabled on container with TLS authentication then certificates meant only for LDAP are also imported to CD secure plus keystore. 005) MFT-11792 / APAR IT35919 commit date: 10 Mar 2021 -------------------------------------------------------- The system-defined hard and soft limits for "max open files" are not passed to a run task or run job created by the CD session manager. 006) CDUA-2287 commit date: 07 Apr 2021 ------------------------------------------ CDU should throw exceptions for invalid values of Install Agent and License governance parameters. 007) MFT-11905 / APAR IT36111 commit date: 25 Aug 2021 -------------------------------------------------------- IBM Connect:Direct for UNIX (CDU) on AIX, Linux, and Solaris platforms use IBM(R) Runtime Environment Java(TM) (JRE) Versions 8.0.6.15 and 8.0.5.40. CDU on HP-UX platform uses JRE Versions 8.0.6.0 and 8.0.5.35. These JREs are vulnerable to the following issues, disclosed as part of recent IBM Java SDK updates: CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVE-2020-14782: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVE-2020-14579: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-14578: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVE-2019-17639: Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array can, an attacker could exploit this vulnerability to obtain sensitive information. CVE-2020-2781: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-2654: An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. 008) CDUA-2506 commit date: 17 Mar 2021 ----------------------------------------- CDU should detect expired password when authenticating credentials using standard security 009) CDUA-2642 commit date: 18 Mar 2021 ----------------------------------------- In CDU container, when download directory restriction is applied by configuring pstmt.download_dir parameter in userfile.cfg, then file transfer fails with XCPR017I message id, Error returned by user exit program; UsrTxt=Downloa d_dir can not be set; errno = 1; Operation not permitted 010) CDUA-2542 commit date: 22 Mar 2021 ----------------------------------------- If processes fail with an XSCM006E message indicating incorrect permission settings for the SACL directory, cdcust should be run to reset permissions correctly. In some rare cases, cdcust may not reset SACL permissions correctly and the problem will not be resolved. 011) MFT-11922 / APAR IT36342 commit date: 24 Mar 2021 -------------------------------------------------------- C:D process-notify-parameter sends mail with "from" attribute as root@. Fixed code to send mail with "from" attribute as root@hostname 012) MFT-11951 / APAR IT36389 commit date: 29 Mar 2021 -------------------------------------------------------- When receiving a native i5 file with long records (LRECL > 27998), C:D UNIX may inappropriately fail the step with an XCPR001I message. 013) MFT-7394 commit date: 01 Apr 2021 ---------------------------------------- The report generated by cdcustrpt utility includes a list of symbolic links found within the C:D installation directory, but did not include the directories that the links referenced. 014) MFT-11787 / APAR IT36460 commit date: 06 Apr 2021 -------------------------------------------------------- The S3 read process can partially fill and corrupt target file with inconsistant data 015) MFT-11950 / APAR IT36382 commit date: 06 Apr 2021 -------------------------------------------------------- A Copy step using FASP can intermittently fail on the receiving node with error FASP009E when select process detail command is issued for the process running the copy step, or if the trace smgr command is invoked. 016) MFT-11907 / APAR IT36234 commit date: 06 Apr 2021 -------------------------------------------------------- When a file is being transferred to or from a z/OS PDS member, the member name is information that might be useful when opening the source or destination file in the C:D UNIX file open exit, but it was not getting passed in. NOTICE: File open exits must be recompiled after applying this fix. 017) MFT-11137 / APAR IT33438 commit date: 16 April 2021 ---------------------------------------------------------- On HPUX and Linux, Secure+ transfers may fail with error "Secure+ initialization failure" "gsk_environm ent_init() failed" when there is a GSKit installed globally. Note: User will have to take care of the following restriction on HP-UX. On HP-UX, a setuid executable(CD server in this case), when executed by a non-root user cannot load libraries(GSKit in this case) from any path other than standard system paths. Please refer to "man dld.so" on HP-UX for more details. A compatible GSKit is shipped with CDU and gets installed at a non-standard system path. CDserver will need help form the root user to load the compatible GSKit libraries: 1. Create(if not exists) /etc/dld.sl.conf and make it writable by root ONLY. 2. /etc/dld.sl.conf must contain a ":" separated list of following paths: i) ${ndm.path}/ndm/lib/gsk/lib64/ ii) ${ndm.path}/ndm/lib/ 3. Make sure the above 2 paths exist. Please get the ${ndm.path} from initparm.cfg 018) MFT-11199 / APAR IT33267 commit date: 16 April 2021 ---------------------------------------------------------- CDAIJ cdNode.getConnectionInfo().getGmtOffset() returns incorrect value. 019) CDUA-2512 commit date: 18 Mar 2021 ----------------------------------------- Removed malformed proxies with invalid or empty localid value to appear in api calls. This doesnt detect a valid localid but a non existent user. 020) CDUA-2645 commit date: 05 May 2021 ----------------------------------------- Cdinstall script should display Installed C:D Version during upgrade. 021) CDUA-2545 / APAR IT36615 commit date: 21 Apr 2021 -------------------------------------------------------- Newly created Secure+ remote node entries set Override=DefaultToLN by default. If the .Local node entry specifies Override=y, and a remote node entry specifies Override=y or DefaultToLN, then the protocol of incoming secure sessions for that remote node entry may override the remote node entry's configured protocol 022) CDUA-2728 commit date: 05 May 2021 ----------------------------------------- Case launcher scripts have been implemented for IBM Certified Container Software for UNIX where deployment can be done in OpenShift cluster in AirGap environment by following standard IBM deployment procedures. The helm chart deployment in AirGap environment can achieved using cloudctl. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 6.1.0.4 ----------------------------------------------------------- =========================================================== iFixes listed below apply to C:D for UNIX 6.1.0.4 =========================================================== 001) MFT-12051 / APAR IT36806 commit date: 02 Jun 2021 -------------------------------------------------------- The ndmcmgr module may terminate with a signal 11 (SIGSEGV) if a client sends invalid information. 002) MFT-12010 / APAR IT36815 commit date: 13 May 2021 -------------------------------------------------------- C:D Unix ndm_auth failure with errors XSEC000I, XAPI005I. When a Solaris 'direct' client connects to a C:D server on a different platform, the authorization may fail. NOTICE: In a distributed client/server environment, if a Solaris client or server installation is upgraded with this or any later iFix, any corresponding Solaris server or client must also be upgraded. 003) MFT-12173 / APAR IT37036 commit date: 18 Oct 2021 -------------------------------------------------------- When validating user credentials, C:D UNIX may consider a valid password to be expired in some scenarios and inappropriately fail the validation. 004) MFT-11874 / APAR IT36615 commit date: 04 Jun 2021 -------------------------------------------------------- Errors during a multi steps copy process generate stat records like "...|MSGI=FIOX044E|...|MSGT=IOExitFactory.createWriter failed,scheme=s3, error=java.lang.OutOfMemoryError native memory exhausted." as well as associated java core files. 005) CDUA-2840 commit date: 17 Jun 2021 ----------------------------------------- Redhat Market place needs values.schema.json file for its UI. The schema file is used for UI rendering. The support has been added. 006) CDUA-2831 commit date: 17 Jun 2021 ----------------------------------------- Some AIX and Solaris specific prompts in the manual installation script show the Connect:Direct version as 4.3.0.0. Updated the same to display the current installing version. 007) MFT-12210 / APAR IT37291 commit date: 09 Jul 2021 -------------------------------------------------------- When pulling from a wildcard source specification on the remote node to an S3 bucket on CDU, the first copy step fails reporting FIOX021E. Subsequent steps may succeed, but the source and destination file names will be mismatched in the copy termination records (CTRCs). Wildcard copy steps more generally may have incorrect source and destination file names specified in the local or remote step start records (LSSTs or RSSTs). 008) MFT-12250 / APAR IT37390 commit date: 23 Jun 2021 -------------------------------------------------------- An upgrade (maintenance deployment) initiated by Control Center Director (CCD) may hang during Install Agent upgrade. When this issue occurs, the {Correlation ID}_UpgradeAgent.log will show "Upgrade failed. UpgradeRc=", the {Correlation ID}_AgentUpgradeStatusCode will show "RC=3", and the PollAgent.log will continuously report "Upgrade in process". 009) MFT-12275 / APAR IT37413 commit date: 25 Jun 2021 ------------------------------------------------------- On AIX, XRIA002I message is seen in stats due to addition of double quotes around agent.enable parameter in initparm.cfg file. The erroneous double quotes get added during an upgrade or installation. 010) MFT-12251 / APAR IT37493 commit date: 14 Jul 2021 -------------------------------------------------------- The cdpmgr process failed to start, logging error XPMD007I in the statistics. 011) MFT-12150 / APAR IT37417 commit date: 23 Jul 2021 -------------------------------------------------------- If a run task step runs a UNIX process that produces a great deal of stderr, the step can hang. 012) MFT-12365 / APAR IT37802 commit date: 04 Aug 2021 -------------------------------------------------------- C:D Install Agent startup creates a /tmp/.com_ibm_tools_attach directory used by the IBM Java Attach API. The IBM Java Attach API is not used in C:D, so the /tmp/.com_ibm_tools_attach directory creation is unnecessary and seen by some as a possible security risk. 013) MFT-12380 / APAR IT37900 commit date: 04 Aug 2021 -------------------------------------------------------- If the name of the S3 IO Exit is different of 'S3', the exception S3IOExitException: S3File: Invalid filename pathname is detected 'null' is raised. 014) MFT-12318 / APAR IT37795 commit date: 30 Jul 2021 -------------------------------------------------------- Due to newer versions of Linux not maintaining binary compatibility for the Transport Independent RPC Library (libtirpc) with older versions, RHEL 8 and RHEL 7, for example, CDU binaries executed from a directory other than our ndm/bin directory may fail, indicating "error while loading shared libraries: libtirpc.so.1". See the Known Restrictions page of the CDU Release Notes for more details. The Known Restrictions page also describes a symbolic link which may be created to enable execution of CDU binaries from directories other than ndm/bin. If implementation of this link was desired, it had to be created manually. This fix updates the interactive and automated installation scripts to provide an option for creating this link during installs and upgrades. The interactive installation script, cdinstall, will prompt for the option if the link is not detected. A new parameter, cdai_tirpcCreateLink, has been added to the automated installation script, cdinstall_a, which takes a 'y' or 'n' value to optionally create this link. 015) CDUA-2043 / APAR IT37922 commit date: 12 Aug 2021 -------------------------------------------------------- A copy step using zFBA may fail and report message SCZF004E, Could not Open zFBA devices. If this failure is traced, the step may hang in execute state with a rapidly growing trace file output and ndmsmgr consuming significant CPU resource. 016) CDUA-2980 / APAR IT38016 commit date: 16 Aug 2021 -------------------------------------------------------- After upgrading to C:D Unix 6.0/6.1, an attempt to open the 'direct' prompt with a trace parameter failed with error XAPI005I Return Code: 8 Feedback: 0. Ensure that the ndmauth trace logs are always written to the ndm/bin directory to avoid permissions failures on creation of the trace logs. 017) MFT-12349 / APAR IT38059 commit date: 23 Aug 2021 -------------------------------------------------------- The S3 File IO Exit included in IBM Sterling Connect:Direct for UNIX uses Apache Commons Codec Version 1.11. This version is vulnerable to the following issue, disclosed by Apache Tomcat Information: Third Party Entry 177835: Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. An attacker could exploit this vulnerability using a method call to obtain sensitive information. 018) MFT-11901 / APAR IT36440 commit date: 31 Aug 2021 -------------------------------------------------------- A process submit step (submit within a process) may fail and report an XPAE003I message if the submitted process text contains a comment on the first line. 019) MFT-12352 / APAR IT38513 commit date: 27 Sep 2021 -------------------------------------------------------- Silent install of CD Unix fails intermittently due to failure in installation of Install Agent. When this issue occurs, a Java stack trace is produced that shows "java.lang.NullPointerException at com.zerog.ia.installer.LifeCycleManager.de". 020) MFT-12512 / APAR IT38545 commit date: 29 Sep 2021 -------------------------------------------------------- On some AIX systems, a submitted process will fail to execute, with statistics showing nothing more than a series of queue transitions from WAIT/WC to EXEC/PE to TIMER/WC, until retries are exhausted. 021) CDUA-3066 / APAR IT38735 commit date: 19 Oct 2021 -------------------------------------------------------- In some cases on Linux x86 and Linux zSeries platforms, an automated upgrade (cdinstall_a) will fail, with the installation trace file showing finalRc=6, and the exitStatusFile.txt showing CDAI006E, Setting root attributes failed. Also, an automated install or upgrade invoking the --tirpcCreateLink command line option will fail, with the trace file showing finalRc=2, and the exitStatusFile.txt showing CDAI002E Invalid argument found. argument: --tirpcCreateLink. 022) MFT-12582 / APAR IT38836 commit date: 26 Oct 2021 -------------------------------------------------------- S3 upload fails for 0 byte files when an aws policy denies non server side encrypted (sse) objects. 023) MFT-12453 / APAR IT38835 commit date: 27 Oct 2021 -------------------------------------------------------- Building user exits with make_exit_c and make_exit_C may fail on later Linux versions, such as RHEL 8, indicating "fatal error: rpc/rpc.h: No such file or directory". 024) MFT-12621 / APAR IT38901 commit date: 29 Oct 2021 -------------------------------------------------------- When an automated upgrade (cdinstall_a) fails due to Install Agent startup failure, the Install Agent logs describing the startup failure may be lost during the subsequent restore of the original CDU installed. Fix adds capturing the Install Agent logs and saving them in the deployment directory when this occurs. 025) MFT-12577 / APAR IT38803 commit date: 12 Nov 2021 -------------------------------------------------------- A run task may fail to execute, generating an XSMG424I warning that inappropriately indicates "RPC call to stat_log_1() returns null. RPC time out." 026) MFT-12474 / APAR IT39069 commit date: 15 Nov 2021 -------------------------------------------------------- C:D monitors the Installation Agent status periodically. The error reporting for this procedure was incomplete. Fix adds a new message, CDAI003E, which is used to log more complete information if the procedure fails. 027) CDUA-2754 commit date: 16 Nov 2021 ----------------------------------------- The SSLV2 hello has been disabled. Note that TLS 1.0 is deprecated by the IETF since March 2021. 028) CDUA-2830 / APAR IT39113 commit date: 17 Nov 2021 -------------------------------------------------------- If the connection is broken when CDU is pnode pulling a file from a remote node to an S3 destination with checkpoint enabled, on restart, the checkpoint resynchronization fails with error message FIOX023E reported, and the copy step is restarted from the beginning. 029) CDUA-3134 / APAR IT39167 commit date: 02 Dec 2021 -------------------------------------------------------- Expired passwords are not detected by CDU when authenticating credentials on HP-UX Itanium and AIX platforms. Also, when credential validation failed, no reason was logged for the failure. Fix adds a new message, XIDC001I, logged only on the validating side and viewable only by administrators, indicating why credential validation was failed. 030) CDUA-2698 commit date: 03 Dec 2021 ----------------------------------------- SPCli shows a Basename parameter when displaying a remote node, which is inappropriate since the Basename parameter became irrelevant when the Secure+ STS protocol was dropped from support. 031) CDUA-3056 commit date: 06 Dec 2021 ---------------------------------------- In some scenarios, C:D Control Center may incorrectly conclude that multiple C:D UNIX nodes are running on the same system. 032) MFT-11969 / APAR IT36604 commit date: 07 Dec 2021 -------------------------------------------------------- When a remote C:D initiates a secure session to C:D UNIX (CDU) requesting Secure+ protocols that are not supported by CDU, and CDU has Secure+ Override enabled for that incoming session, it's possible that the session will fail inappropriately with a CSPA091E message. 033) MFT-12769 / APAR IT39369 commit date: 12 Dec 2021 -------------------------------------------------------- The S3 File IO Exit, Install Agent, and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the below listed issue. Apache Log4j2 has been upgraded to version 2.15.0. CVE-2021-44228: JNDI features of Apache Log4j2 versions <= 2.14.1, used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. 034) MFT-12790 / APAR IT39452 commit date: 17 Dec 2021 -------------------------------------------------------- The S3 File IO Exit, Install Agent, and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the below listed issue. Apache log4j2 has been upgraded to version 2.16.0. CVE-2021-45046: Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern to exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service 035) MFT-12807 / APAR IT39480 commit date: 21 Dec 2021 -------------------------------------------------------- The S3 File IO Exit, Install Agent, and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the below listed issue. Apache log4j2 has been upgraded to version 2.17.0. CVE-2021-45105: Apache Log4j versions <= 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. 036) MFT-12634 / APAR IT39304 commit date: 31 Dec 2021 -------------------------------------------------------- When a KQV client, such as C:D Application Interface for Java or C:D Web Services, issues a select statistics or select process request to C:D UNIX that includes a submitter parameter, the command may fail with the C:D UNIX ndmcmgr process killed by a SIGABRT (signal 6) or SIGSEGV (signal 11). 037) MFT-12865 commit date: 24 Jan 2022 ---------------------------------------- Apache log4j2 upgraded to version 2.17.1. 038) MFT-12538 / APAR IT38957 commit date: 10 Jan 2022 -------------------------------------------------------- When CDU is preparing the list of matching files for a wildcard copy step, for security, matching files that are not readable by the local user are not added to the list. If CDU is snode and one or more of the matching files is unable to be opened, the pnode does not get notified about these files and will consider the copy step to be successful. To fix this issue, when CDU is snode, one matching file that is not readable is allowed to be added to the list of files to be sent, so that one of the individual copy steps will fail, giving the pnode awareness of the situation. For security, snode masks the name of the unreadable matching file before sending the failing step information to pnode. 039) MFT-12710 / APAR IT39420 commit date: 12 Jan 2022 -------------------------------------------------------- On HP-UX Itanium systems using a shadow password file, client connections presenting valid credentials may fail, generating an XCMM038I message. Server connections may fail generating an XSMG245I message. Fix introduces a new requirement for the Password Hash Infrastructure (PHI) package on HP-UX. To check for package installation status: 11iv3 (B.11.31): swlist -a state SHA11i3 11iv2 (B.11.23): swlist -a state SHA To download and install the package if necessary: 11iv3 (B.11.31): https://myenterpriselicense.hpe.com/cwp-ui/free-software/PHI11i3 11iv2 (B.11.23): https://myenterpriselicense.hpe.com/cwp-ui/free-software/PHI 040) MFT-12822 / APAR IT39729 commit date: 24 Jan 2022 -------------------------------------------------------- When a KQV client, such as C:D Web Services or Control Center Monitor, issues a select statistics request to C:D UNIX that includes a record id specification for CTRC, the command may fail generating an XUPC999I message. 041) CDUA-3245 / APAR IT40116 commit date: 03 Mar 2022 -------------------------------------------------------- cdinstall script run on HP-UX may mistakenly indicate that Password Hash Infrastructure (PHI) package installation is required. PHI is not required on HP-UX systems that use traditional password storage. 042) MFT-12886 / APAR IT40115 commit date: 04 Mar 2022 -------------------------------------------------------- When an upgrade is performed, the old install-agent jar is not removed. Added a fix to keep only the latest install-agent jar after an upgrade. 043) CDUA-1701 commit date: 14 Mar 2022 ----------------------------------------- KQV client submitted delete process command using submitter search criteria fails to find matching processes. 044) CDUA-3242 / APAR IT40322 commit date: 17 Mar 2022 -------------------------------------------------------- If the backup procedure is invoked during an interactive upgrade (cdinstall), it may fail indicating that tar cannot open the {CDU install directory}.CDBCompressible.[gz|Z] and {CDU install directory}.CDBUncompressible files due to permission. A restore procedure invoked after this error will indicate no such file or directory regarding the {CDU install directory}.CDBCompressible.[gz|Z] and {CDU install directory}.CDBUncompressible files. 045) CDUA-3280 commit date: 30 Mar 2022 ----------------------------------------- On RHEL 8 and SLES 15 systems, cdinstall_a execution may fail indicating a command was not found referring to netstat. 046) MFT-12913 / APAR IT40593 commit date: 12 Apr 2022 -------------------------------------------------------- Some C:D Install Agent logs may be owned by root instead of the C:D installer id. 047) CDUA-3303 / APAR IT40392 commit date: 15 Apr 2022 -------------------------------------------------------- If a user exit program fails to execute, an appropriately named log file is generated in {CDU install dir}/work/{CDU node name} directory, but does not contain helpful information. 048) CDUA-3324 / APAR IT40568 commit date: 15 Apr 2022 -------------------------------------------------------- cdpmgr response time can be slowed if the TCQ becomes loaded with many processes. This can result in significantly increased time needed to execute processes and to accept incoming client or server connections. 049) CDUA-2945 / APAR IT40825 commit date: 04 May 2022 -------------------------------------------------------- Temporary work files created in the deployment directory during an automated install are not cleaned up. 050) CDUA-2521 commit date: 04 May 2022 ----------------------------------------- Migrating the configuration of an existing node to a newly installed node can be time-consuming and tedious. Fix adds two new scripts in the etc directory, CDUmigrateConfigSrc and CDUmigrateConfigDest. Execute CDUmigrateConfigSrc on the existing node and follow the prompts to gather up that node's configurations. CDUmigrateConfigSrc may be copied to the etc directory of an older node (must be at least CDU 4.2.0) that doesn't supply the script. Execute CDUmigrateConfigDest on the newly installed node and follow the prompts to apply the older node's configuration to the new node. 051) CDUA-3348 / APAR IT40717 commit date: 06 May 2022 -------------------------------------------------------- On some Linux systems, cfgcheck run by the cdcustrpt script may fail indicating error while loading shared libraries: libtirpc.so.1. 052) MFT-13197 / APAR IT40831 commit date: 10 May 2022 -------------------------------------------------------- The NUIC record may not be logged into the C:D stats intermittently on slower systems. 053) MFT-12948 / APAR IT40165 commit date: 17 May 2022 -------------------------------------------------------- After installation of CDU on AIX servers, a strings process keeps on running and consuming high CPU. 054) MFT-13267 / APAR IT41201 commit date: 15 Jun 2022 -------------------------------------------------------- Upgrade of Connect:Direct for UNIX from Control Center Director may fail sometimes when standalone File Agent is running. 055) MFT-13374 / APAR IT41284 commit date: 20 Jun 2022 -------------------------------------------------------- Connect:Direct for UNIX uses zlib, which is vulnerable to the following issue: CVE-2018-25032: Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash. 056) MFT-13372 / APAR IT41296 commit date: 21 Jun 2022 -------------------------------------------------------- IBM Connect:Direct for UNIX (CDU) on AIX, Linux, and Solaris platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.6.30. This JRE version is vulnerable to the following issues, disclosed as part of recent IBM Java SDK updates: CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. 057) MFT-13473 / APAR IT41488 commit date: 12 Jul 2022 -------------------------------------------------------- A process submitted from the CLI may fail with a syntax message, XPAE003I, if the process contains an snodeid or pnodeid parameter where one of the elements, the password, for example, contains a C:D process special character, such as an equals sign. Fix adds the ability to enclose snodeid and pnodeid parameter elements in single quotes, which will cause any C:D process special characters in these elements to be ignored. 058) CDUA-3486 commit date: 13 Jul 2022 ----------------------------------------- High water mark value in SCNT record is significantly overstated in some scenarios. 059) MFT-9996 / APAR IT27673 commit date 15 Jul 2022 ----------------------------------------------------- A backup created when running the interactive script may incur permission errors when writing to the installation directory's parent folder. Instead, create the backup in the installation directory. 060) MFT-13244 / APAR IT40939 commit date: 15 Jul 2022 -------------------------------------------------------- Statistics log messages may contain garbled text when referencing a value that contains colon characters (:) or backslashes (\), such as a Windows file name. 061) MFT-13381 / APAR IT41151 commit date: 29 Jul 2022 -------------------------------------------------------- In some scenarios, a copy step may fail, indicating XSQF009I and XCPZ001I messages when attempting to open a translation (xlate) table in the default directory {C:D UNIX install dir}/ndm/xlate. 062) MFT-13560 / APAR IT41681 commit date: 09 Aug 2022 -------------------------------------------------------- The Connect:Direct for UNIX Install Agent and File Agent use versions of Apache Commons Configuration that are vulnerable to the below listed issue. Apache Commons Configuration has been upgraded to version 2.8.0 in Install Agent and File Agent. CVE-2022-33980: Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when using the interpolation defaults. By using a specially-crafted configuratrion, an attacker could exploit this vulnerability to execute arbitrary code or perform unintentional contact with remote servers. 063) CDUA-3085 commit date: 17 Aug 2022 ----------------------------------------- When a silent upgrade is performed from a CDU version where Install Agent is not up due to Secure+ not installed/configured, upgrade is marked as failed as Install Agent is unable to start even after upgrade. As a part of this fix, Install Agent startup is not attempted after a silent upgrade, if it was not up before upgrade. 064) MFT-13630 / APAR IT42170 commit date: 28 Sep 2022 -------------------------------------------------------- Added support of silent upgrade of CDU if only server is installed before upgrade. As a part of the silent upgrade process, client will be added to CDU installation. 065) MFT-13054 / APAR IT40665 commit date: 03 Oct 2022 -------------------------------------------------------- Add the silent installation parameter cdai_cliAuthkey=keystring to allow users to override the default CLI authentication key.