=================================================
Maintenance for IBM Connect:Direct for UNIX 6.3.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX 6.3.0 code base. It is applicable to C:D UNIX version 6.3.0, and contains all the new functionality and fixes as described in the C:D UNIX 6.3.0 Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D version is 6.3.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.3.0 Release Notes.

NOTICE: Security updates will be described as either affected or vulnerable, based on the following definitions from IBM:

  Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

  Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.
Issues classified as affected will not be published in security bulletins, in most cases.

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.0
=================================================

001) CDUA-4217    commit date: 28 Jun 2023
-----------------------------------------
Config file opens from CDU can occasionally fail with XCFF001I and fdbk EINTR.

002) CDUA-4037    commit date: 01 Jun 2023
-----------------------------------------
Corrected secure processing for several AWS related environment variables.

003) CDUA-3662    commit date: 05 Jun 2023
-----------------------------------------
The maximum concurrent sessions limit imposed by the system and the user who initiated C:D are two items that may be useful to know, but were not being logged. Fix updates the NUIS record with the initiating user, and adds a new message that records the maximum concurrent sessions the system will allow.

004) MFT-14483 / APAR IT43918    commit date: 08 Jun 2023
--------------------------------------------------------
CDU uses GSKit 8.0.55.12. This version is vulnerable to the following issue: CVE-2023-32342.

005) CDUA-4248    commit date: 12 Jun 2023
--------------------------------------------------------
When a command is issued from Connect:Direct Browser to delete a user entry from userfile.cfg file, we get a success response even when the user does not exist. Added a fix to show relevant error in such a case.

006) MFT-14357 / APAR IT43960    commit date: 20 Jun 2023
--------------------------------------------------------
The CDU server terminates abruptly following a COPY failure with error FIOC004E.

007) CDUA-4086 / APAR IT44103    commit date: 14 Jul 2023
-----------------------------------------
When Interactive upgrade is executed while cwd is CDU install directory, it removes all ndm directory items except SACL dir.
008) CDUA-4222    commit date: 27 Jun 2023
-----------------------------------------
During installation of Connect:Direct for UNIX on NFS with root squash enabled, a warning message is displayed saying
chmod: changing permissions of '/opt/cdunix/file_agent/config': Operation not permitted.

009) CDUA-4274    commit date: 30 Jun 2023
-----------------------------------------
Install Agent logs grow indefinitely, leading to very big log files over a period of time. Updated Install Agent to clear logs periodically.

010) MFT-14561 / APAR IT44029    commit date: 30 Jun 2023
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX and Linux platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in this version were disclosed as part of recent IBM Java SDK updates.

This JRE version is vulnerable to the following issues: CVE-2023-21930, CVE-2023-21967, and CVE-2023-21968.

This JRE version is affected by the following issues: CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.

011) CDUA-4299    commit date: 05 Jul 2023
-----------------------------------------
Updated UBI base image for CDU container to latest version, which is UBI 8.8-1009, and removed unwanted libnsl and nis_nss packages from the container image.

012) CDUA-3346    commit date: 10 Jul 2023
-----------------------------------------
Currently cdinstall_a assumes pwd is the deployment directory. If the automation installation script, cdinstall_a, is called with a relative or absolute path from outside the directory that holds installer_script, CPIO_file and the certificates, the installation fails with error code 127 (cdinstall is not present at this directory).
013) Java components updates    commit date: 20 Jul 2023
-------------------------------------------------------

Update_01 MFT-14410
--------------------
The Integrated File Agent component uses Spring Framework that is affected by the following issue: CVE-2023-20863.

Update_02 MFT-14439 / APAR IT44099
-----------------------------------
The Integrated File Agent and the Object Store IO Exit components use FasterXML Jackson that is affected by the following issue: PRISMA-2023-0067.

Update_03 MFT-14580 / APAR IT44101
-----------------------------------
The Integrated File Agent, Install Agent and the Object Store IO Exit components use FasterXML Jackson that is affected by the following issue: CVE-2023-35116.

Update_04 MFT-14581 / APAR IT44102
-----------------------------------
The Integrated File Agent and the Object Store IO Exit components use Netty that is affected by the following issue: CVE-2023-34462.

Update_05 CDUA-4331
--------------------
The Integrated File Agent and the Object Store IO Exit components use Google Guava that is affected by the following issue: CVE-2023-2976.

Update_06 MFT-14738 / APAR IT44465
-----------------------------------
The Integrated File Agent component includes versions of FasterXML jackson-dataformat-properties that are affected by the following issue: CVE-2023-3894.

014) MFT-14579 / APAR IT44100    commit date: 01 Aug 2023
--------------------------------------------------------
The Integrated File Agent and Install Agent components, included in IBM Sterling Connect:Direct for UNIX, use Bouncy Castle version 1.70. This version is affected by the following issue: CVE-2023-33201.

015) CDUA-4358    commit date: 03 Aug 2023
----------------------------------------
Install Agent poll script does not return correct status of Install Agent process.
016) CDUA-4392/CDUA-4394    commit date: 21 Aug 2023
--------------------------------------------------
Updated the UBI base image to UBI 8.8-1032 and corrected the K8s minimum version requirement to v1.23.

017) MFT-14718 / APAR IT44425    commit date: 23 Aug 2023
--------------------------------------------------------
A copy step executed by a user configured with a directory restriction specified may fail, reporting XCPR015I. The partner node may log an XCPS002I or XCPS003I message when this happens.

018) CDUA-4393    commit date: 28 Aug 2023
-----------------------------------------
Statistics generated after an upgrade are lost if an emergency restore procedure is executed.

019) CDUA-4406    commit date: 31 Aug 2023
-----------------------------------------
Add client type and remote address to client logon failure message. It shows who tried to log in, but not the type of client or the remote address.

020) CDUA-4416    commit date: 06 Sep 2023
-----------------------------------------
API commands are not logged by default in a fresh CDU installation.

021) MFT-14816 / APAR IT44560    commit date: 22 Sep 2023
--------------------------------------------------------
After running for an extended time, Integrated File Agent may fail and generate java core dumps.

022) MFT-14595 / APAR IT44192    commit date: 26 Sep 2023
--------------------------------------------------------
The following warning with code SPCG774W may occur while updating the Key Certificate Label in the .Client record in Secure+:
"The Certificate Label 'xxx' chain does not include a root certificate."
Users will not see any warnings if the root certificate is already present in the certificate chain.
-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.3.0.1
-----------------------------------------------------------

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.1
=================================================

001) CDUA-4489    commit date: 03 Oct 2023
-----------------------------------------
Fix added for addressing invalid IPV4 addresses in Port Check ignore list where the address has more than 4 segments present.

002) MFT-14723 / APAR IT44653    commit date: 04 Oct 2023
--------------------------------------------------------
When a large number of processes are in the HOLD queue, the cdpmgr's CPU utilization may approach 100%.

003) CDUA-4182 / APAR IT43670    commit date: 06 Oct 2023
--------------------------------------------------------
Attempts to update Integrated File Agent configuration from C:D Web Services UI may fail and report XCMM076I. The details of the error scenario logged with this message may be incomplete or otherwise unhelpful.

004) MFT-14939 / APAR IT44736    commit date: 13 Oct 2023
--------------------------------------------------------
When the certificate information exceeds a length of 196, the complete information is recorded in the statistics file, but the output of the 'select statistics' command is truncated and the CERT information is displayed only up to 196 characters.

005) Integrated File Agent component updates    commit date: 17 Oct 2023
-----------------------------------------------------------------------

Update_01 CDUA-4516
--------------------
For CDU node installed on Ubuntu, an attempt to update the Integrated File Agent (IFA) configuration via Connect:Direct Web Services (CDWS) may fail, indicating "Something went wrong. Please try again later."

Update_02 MFT-14924 / APAR IT44625
-----------------------------------
Integrated File Agent scan of a Google Storage resource fails when the bucket name contains an underscore character.

Update_03 MFT-14960 / APAR IT44764
-----------------------------------
Integrated File Agent component configured with certificate based authentication may fail to connect, with IFA logs indicating NullPointerException.

006) Object Store component updates    commit date: 18 Oct 2023
--------------------------------------------------------------

Update_01 MFT-14703 / APAR IT44273
-----------------------------------
A copy step that refers to an object store name that contains space characters may fail, generating an FIOX043E message.

Update_02 MFT-14731 / APAR IT44469
-----------------------------------
Sending to an object store with invalid credentials or region specified results in FIOX022E message and abrupt termination of the connection with the remote node.

Update_03 MFT-14922 / APAR IT44639
-----------------------------------
If a copy step sending from an object store fails due to lack of read access to the object, likely generating an FIOX011E message, a zero byte destination file may be created.

Update_04 MFT-14983 / APAR IT44765
-----------------------------------
A copy step will fail when it references a Google Storage bucket that contains an underscore character.

007) MFT-14704 / APAR IT44390    commit date: 19 Oct 2023
--------------------------------------------------------
In some cases, if a process with a copy step to object store fails to specify a disposition for the object, the step will fail reporting an FIOX022E message.

008) CDUA-4480    commit date: 19 Oct 2023
-----------------------------------------
After upgrade, stale libraries left behind from the previous installation may cause some issues in Connect:Direct functionalities.

009) Object Store component updates    commit date: 27 Oct 2023
--------------------------------------------------------------

Update_01 MFT-14705
--------------------
Alternative methods of establishing credentialed access to Azure were missing. Fix adds the following to the existing credentials mechanisms, in this order:

  1. ManagedIdentityCredential - If the application deploys to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account.
  2. WorkloadIdentityCredential - If the app is deployed on Kubernetes with environment variables set by the workload identity webhook, DefaultAzureCredential will authenticate the configured identity.
  3. EnvironmentCredential - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.

New configuration properties added:

  az.workloadTenantId
  az.workloadServiceTokenFilePath
  az.managedIdClientId
  az.workloadIdClientId

See documentation for details.

Update_02 CDUA-2888
--------------------
Certificates required for secure connections to object stores were only accessed from the JRE truststore. Fix adds configuration option, store.keyStore, to use C:D S+ trusted certificates in addition to or in place of JRE truststore. This option takes the following values:

  JRE_ONLY (default): the JRE keystore will be used as the unique source for CAs
  SP_ONLY: the Secure Plus keystore will be used as the unique source for CAs
  JRE_SP: the JRE keystore is the first source for CAs, next Secure Plus keystore will be used
  SP_JRE: the Secure Plus keystore is the first source for CAs, next the JRE keystore will be used

See documentation for details.

Update_03 CDUA-4410
--------------------
Azure shared access signature (SAS) resource access was not supported. Fix adds support for SAS token with new az.sasToken property.
Azure access credentials order is now:

  - Connection string if az.connectionString provided
  - Shared key if az.accountName and az.accountKey
  - SAS token if az.sasToken provided
  - Managed identity credentials if az.managedIdentityId provided
  - Workload identity credentials if az.worloadIdentityId provided, plus optional properties az.workloadTenantId, az.workloadServiceTokenFilePath. These properties only work inside Azure.
  - Environment credentials

See documentation for details.

Update_04 MFT-14773
--------------------
While C:D is accessing an AWS S3 object store with temporary credentials, it is possible that the temporary credentials will be updated in anticipation of expiration. C:D would not recognize that new credentials were available in this case, and access would fail. Fix enables C:D to monitor and refresh credentials files when the files are updated.

Update_05 MFT-14933 / APAR IT44839
-----------------------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use netty-handler versions that are vulnerable to the following issue: CVE-2023-4586.

Update_06 MFT-15020 / APAR IT44840
-----------------------------------
When Integrated File Agent (IFA) is watching an object store bucket, the IFA log files may show an inappropriate message indicating "error object '' does NOT exist", referring to the bucket being watched.

Update_07 FLAG-275
-------------------
IFA now has the ability to use fileio.exit records defined in C:D initparm.cfg with the store.configFromCD property. See documentation for details.
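
Added example (not IBM code, and not part of the original readme): a small audit of the "Azure access credentials order" listed under Update_03 CDUA-4410, reporting which mechanism is selected and whether a static secret left in the configuration takes precedence over an identity-based credential. Property names are copied exactly as spelled in that list (Update_01 lists different names for the identity properties); the key=value file layout, the function names and the sample values are assumptions made for illustration.

```python
# Added example: model of the credential order stated under CDUA-4410.
# Property names are copied as written in that list; key=value layout is assumed.

# (mechanism, properties that must all be present, is it a static secret?)
ORDER = [
    ("connection string", ("az.connectionString",), True),
    ("shared key", ("az.accountName", "az.accountKey"), True),
    ("SAS token", ("az.sasToken",), True),
    ("managed identity", ("az.managedIdentityId",), False),
    ("workload identity", ("az.worloadIdentityId",), False),
]

def parse_properties(text):
    """Parse key=value lines; skip blanks, '#' comments and empty values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may themselves contain '='
        if value.strip():
            props[key.strip()] = value.strip()
    return props

def resolve(props):
    """Return (selected mechanism, shadowed mechanisms, warnings)."""
    configured = [(name, secret) for name, keys, secret in ORDER
                  if all(k in props for k in keys)]
    if not configured:
        return "environment credentials", [], []
    selected, selected_is_secret = configured[0]
    shadowed = [name for name, _ in configured[1:]]
    identity = [name for name, secret in configured[1:] if not secret]
    warnings = []
    if selected_is_secret and identity:
        warnings.append(f"static secret ({selected}) takes precedence over "
                        + ", ".join(identity))
    if "az.accountKey" in props and "az.accountName" not in props:
        warnings.append("az.accountKey set without az.accountName")
    return selected, shadowed, warnings

# Constructed sample: a leftover SAS token and account key beside a managed identity.
SAMPLE = """\
# constructed sample, not a real configuration
az.sasToken=sv=PLACEHOLDER
az.managedIdentityId=00000000-0000-0000-0000-000000000000
az.accountKey=PLACEHOLDER
"""

if __name__ == "__main__":
    print(resolve(parse_properties(SAMPLE)))
```
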