=================================================
Maintenance for IBM Connect:Direct for UNIX 6.0.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX
6.0.0 code base. It is applicable to C:D UNIX version 6.0.0, and contains
all the new functionality and fixes as described in the C:D UNIX 6.0.0
Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance. Individual fixes also
have a new name, Interim Fixes, or iFixes for short. iFixes are numbered
sequentially from one starting with any increment to V, R, M or F. Please
see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D
version is 6.0.0.x, where x is the current Fix Pack. It will also display
the date that the maintenance was created. For more information, please
refer to the C:D UNIX 6.0.0 Release Notes.

NOTICE: Beginning with iFix 6.0.0.2.iFix148 below, security updates will
be described as either affected or vulnerable, based on the following
definitions from IBM:

Affected: The software product contains code which has a documented
vulnerability. Based on currently available information, however, we
believe that the issue is likely not exploitable. However, as a best
practice and from an abundance of caution, we recommend customers update
their systems as soon as practical. Vulnerabilities evolve, and a means
of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented
vulnerability. Our analysis shows that the issue may be exploitable.

Issues classified as affected will not be published in security
bulletins, in most cases.

=================================================
iFixes listed below apply to C:D for UNIX 6.0.0.0
=================================================

001) MFT-10001 / APAR IT26905 commit date: 16 Nov 2018
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment
Java(TM) (JRE) Versions 8.0.5.15 and 7.0.10.25. These JREs are vulnerable
to the following issues, disclosed as part of the IBM Java SDK updates in
July 2018:

CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the failure to restrict the
use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the
same machine and use Attach API operations to only the process owner. An
attacker could exploit this vulnerability to execute untrusted native
code and gain elevated privileges on the system.

CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling
Framework for Java (DTFJ) does not protect against path traversal attacks
when extracting compressed dump files.

002) CDUA-1234 commit date: 10 Dec 2018
-----------------------------------------
Trace file names having absolute path are set correctly for
PMGR/CMGR/SMGR.

003) CDUA-1235 commit date: 24 Dec 2018
-----------------------------------------
Delete Secure+ remote node operation, whose alias node name with upper
case letter is present, returns Error code SPCG270E.

004) MFT-10047 / APAR IT27442 commit date: 11 Jan 2019
--------------------------------------------------------
When upgrading a C:D UNIX node with an existing keystore, a keystore
password is not required. However, the automated install script,
cdinstall_a, fails reporting CDAI003E when the cdai_installCmd is set to
"upgrade" and no cdai_keystorePassword parameter is coded.
005) CDUA-1287/CDUA-1291 commit date: 15 Jan 2019
---------------------------------------------------
CDUA-1287 - cfgcheck crash is observed. Due to cfgcheck crash, silent
installation/upgrade procedure fails with rc=22.
CDUA-1291 - cdpmgr crash observed if process started with root. Process
runs normally with user account.

006) CDUA-1296 commit date: 16 Jan 2019
-----------------------------------------
Not able to restore from 6.0 to 4.3 by taking backup manually on Solaris.

007) CDUA-1292 commit date: 17 Jan 2019
-----------------------------------------
When upgrade with silent installer fails, the service which was
previously up before upgrade is not up after auto restore of C:D UNIX
node.

008) MFT-9526 / APAR IT26469 commit date: 23 Jan 2019
-------------------------------------------------------
To run C:D UNIX on Solaris 10 requires Update 10 or greater. Updates may
be applied as a full release or as a patchset. cdinstall correctly
recognizes a full release Update, but wasn't recognizing a patchset
update and failed the install.

009) CDUA-1295 commit date: 25 Jan 2019
-----------------------------------------
When upgraded with silent installer on Solaris, the client port remains
in TIME_WAIT state and takes some time to clear, as a result of which
silent installation fails with rc=34.

010) CDUA-1324 commit date: 28 Jan 2019
-----------------------------------------
Silent installation on Solaris fails with rc=22.

011) CDUA-1328 commit date: 29 Jan 2019
-----------------------------------------
On a Solaris system with IPV6 connectivity configured, cdpmgr start up
may fail reporting an XIPT002I message, and CLI connections may fail
reporting an XIPT003I message.

012) MFT-9523 commit date: 04 Feb 2019
----------------------------------------
Control Center not reading CDU Secure+ presence correctly.
013) CDUA-1233 commit date: 06 Feb 2019
-----------------------------------------
SEAServer node's Override, ClientAuth, EncryptData parameters' update
request should return error and shall not be displayed over SPCLI.

014) MFT-9917 / APAR IT27019 commit date: 13 Feb 2019
-------------------------------------------------------
An ICC select process command submitted to C:D UNIX may occasionally fail
with CNCD058E message.

015) CDUA-1380 commit date: 19 Feb 2019
-----------------------------------------
Update white label script notices, licensing information, and ports.

016) MFT-10143 / APAR IT28061 commit date: 25 Feb 2019
-------------------------------------------------------
A proxy update issued by a KQV client does not complete successfully if
the user name or node name contains a period.

017) MFT-9967 / APAR IT26865 commit date: 08 Mar 2019
-------------------------------------------------------
CD UNIX may allow a user with sudo access restricted to certain CD UNIX
executable files to expand access beyond the restriction, as indicated in
the following issue:

CVE-2018-1903: IBM Sterling Connect:Direct for UNIX could allow a user
with restricted sudo access on a system to manipulate CD UNIX to gain
full sudo access.

018) CDUA-1336 commit date: 25 Mar 2019
-----------------------------------------
Transfer rate to AWS S3 needs improvement. This fix also adds support to
direct access to S3 from on-premises node. The following new properties
are available and can be used in initparm.cfg file or sysopts:

s3.endPointUrl      IP or hostname to access S3 services. Amazon S3
                    endpoint is the default.
                    Example: s3.endpointUrl=my.s3provider.com
s3.endPointPort     Port to use if any. No default value.
                    Example: s3.endpointPort=8080
s3.endPointSecure   Secure or non secure access. HTTPS or HTTP requests.
                    YES is the default.
                    Example: s3.endpointSecure=NO
s3.profilePath      Credential file to use. Amazon credentials search
                    order is the default.
                    Example: s3.profilePath='/opt/some path/credentials'
s3.profileName      Profile name to use from credential file. Default is
                    the Amazon S3 default [default].
                    Example: s3.profileName=otherprofile
s3.executorQueue    Parallel transfer upload queue size. Default is 5.
s3.executorMinPool  Parallel upload. Initial number of transfer upload
                    threads to use. Default is 10.
s3.executorMaxPool  Parallel upload. Maximum number of transfer upload
                    threads to use. Default is 30. Max value is AmazonS3
                    max connections (50).

019) CDUA-1399 commit date: 01 Apr 2019
-----------------------------------------
snode work directory file names are not unique enough for high stress
scenarios.

020) MFT-10116 / APAR IT27777 commit date: 17 Apr 2019
--------------------------------------------------------
A COPY to the local destination file /dev/null fails with error XSQF006I,
feedback code 22.

021) MFT-10212 / APAR IT28704 commit date: 17 Apr 2019
--------------------------------------------------------
A protocol violation and session failure occur after a remote RUNTASK
step executed in C:D Unix fails due to a user permissions error.

022) MFT-9971 / APAR IT28761 commit date: 18 Apr 2019
-------------------------------------------------------
In the statistics log entry recording maximum achieved parallel sessions
(RECI=SCNT), the LCNT001I message text does not display the maximum
sessions or time achieved.

023) MFT-4757 / APAR IT28892 commit date: 25 Apr 2019
-------------------------------------------------------
Restarted copy steps fail with XCPR011I if the snode was cold started
(work directory cleared) between the initial session and the restarted
session.

024) MFT-10273 / APAR IT28898 commit date: 26 Apr 2019
-------------------------------------------------------
Restarted copy steps fail with XCPR011I if the destination file was
deleted between the initial session and the restarted session.
025) CDUA-1429 commit date: 06 May 2019
-----------------------------------------
cfgcheck takes a lot of time to validate thousands of netmap entries.

026) MFT-9588 / APAR IT26481 commit date: 22 May 2019
-------------------------------------------------------
In rare circumstances, a process may fail to start, reporting an XSCM006E
error, all users are denied access to CD from the SACL, even though the
Strong Access Control (SACL) directory and file appear to have correct
ownership and permissions set.

027) MFT-10147 / APAR IT29097 commit date: 23 May 2019
--------------------------------------------------------
When multiple copy processes are in session to a C:D snode running in a
load balanced cluster and that node is abruptly killed, the pnode will
restart the processes and the copies will complete successfully on
another snode in the cluster. However, in rare cases, the copy
termination record of some of the restarted processes is not logged on
the snode side, and temporary work files may be left in the shared snode
work directory.

028) MFT-10277 / APAR IT28732 commit date: 28 May 2019
--------------------------------------------------------
Supersedes MFT-9969(IT27224)
Using the Amazon S3 file IO exit to receive a zero byte file fails,
reporting message FIOX044E.

029) MFT-10328 commit date 28 May 2019
--------------------------------------
AWS S3 Messages too long for statistics

030) CDUA-1448 commit date 28 May 2019
--------------------------------------
S3 Write checkpoint functionality broken

031) MFT-10389 / APAR IT29296 commit date: 29 May 2019
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment
Java(TM) (JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30.
These JREs are vulnerable to the following issues, disclosed as part of
the IBM Java SDK updates in January 2019:

CVE-2018-12547: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused
by improper bounds checking by the jio_snprintf() and jio_vsnprintf()
functions. By sending an overly long argument, a remote attacker could
overflow a buffer and execute arbitrary code on the system or cause the
application to crash.

CVE-2018-1890: IBM SDK, Java Technology Edition Version 8 on the AIX
platform uses absolute RPATHs which may facilitate code injection and
privilege elevation by local users.

032) CDUA-1521 commit date: 30 May 2019
-----------------------------------------
Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling
Connect:Direct File Agent (CVE-2018-1890, CVE-2018-12547), which is
bundled with Connect:Direct for UNIX. Also, the File Agent installer may
fail on some UNIX systems with error "Installer User Interface Mode Not
Supported".

033) MFT-10379 / APAR IT29303 commit date: 30 May 2019
--------------------------------------------------------
Connect:Direct fails to start on AIX due to linking with older versions
of GSkit present in default system libraries.

034) CDUA-1444 commit date: 03 Jun 2019
-----------------------------------------
CDP validation adds extra parameters hold, retain, priority with default
values.

035) CDUA-1537 commit date: 10 Jun 2019
-----------------------------------------
Make certificate mandatory for CDU installation in Docker Container.

036) CDUA-1542 / APAR IT29487 commit date: 19 Jun 2019
--------------------------------------------------------
A restarted process may log an inappropriate XSQF009I message referring
to a file that ends with ".savedCTRstatLog".

Also, the direct CLI output of a detailed select statistics command may
include a message id and a Short Text description of the message. The
Short Text description might be truncated if the text is very long.
Note: It's remotely possible that a restarted process may fail on the
snode side with an XSMG235I or XSMG239I message that refers to a file
ending with .savedCTRstatLog. This indicates that there may be a copy
step of the indicated process that is missing its CTRC record on the
snode side. If the user investigates and determines the CTRC record is
logged, or is not necessary, then they may get past these errors by
removing the indicated file that ends with .savedCTRstatLog and then
releasing the process again.

037) CDUA-1529 commit date: 21 Jun 2019
-----------------------------------------
Cfgcheck does not accept more than one file.ioexit entry in initparm.cfg.

038) CDUA-1403 commit date: 25 Jun 2019
-----------------------------------------
Display SEAserver node response over CDWS shall not display Override
parameter.

039) CDUA-1489 commit date: 09 Jul 2019
-----------------------------------------
When a process is submitted for validation using C:D Web Browser or C:D
Web Services with a STARTT parameter in the process or submit step set to
some valid values, validation passes with an erroneous conversion of the
STARTT parameter at the C:D end. This might affect the parsing of the
response from the C:D server.

040) CDUA-1477/CDUA-1461 commit date: 15 Jul 2019
---------------------------------------------------
When a process is submitted for validation using any C:D client with the
restart parameter in a runtask set to some valid value, the process is
validated without showing any detail about the restart parameter in the
response from the C:D server.

041) CDUA-1578 commit date: 15 Jul 2019
-----------------------------------------
If checkpoint value in a process is incorrect or disabled either
implicitly or explicitly, and the connection gets restarted, the transfer
never completes.

042) MFT-10324 / APAR IT29156 commit date: 15 July 2019
---------------------------------------------------------
When CD Unix performs a COPY RECEIVE, a restart of the COPY may fail with
a Signal 11.
043) CDUA-1378 commit date: 18 Jul 2019
-----------------------------------------
After setting non-existing trace file path for cdpmgr, new CLI/other
clients fail to connect with CDU.

044) MFT-10469 / APAR IT29950 commit date: 09 Aug 2019
--------------------------------------------------------
Copy steps fail with message XSQF006I and feedback code 9 on AIX when
upload or download directory restrictions are configured. Same symptoms
are encountered for a custom user file open exit compiled on AIX. Custom
user file open exits compiled on Linux x86 platforms fail with copy steps
reporting XCPR017I and XCPS002I messages.

045) MFT-6817 / APAR IT09719 commit date: 14 Aug 2019
-------------------------------------------------------
During certain stress situations, cdpmgr may become unresponsive for some
minutes. During this time, select statistics will show multiple XLKL004I
messages in sequence.

046) MFT-10398 / APAR IT29723 commit date: 19 Aug 2019
--------------------------------------------------------
A CD Plex redirection is logged with SCPA007I, RC=8. The completion code
has been changed to RC=0.

047) MFT-10282 / APAR IT29243 commit date: 24 May 2019
-------------------------------------------------------
During FASP transfer at Pnode, API command select process with details
times out.

048) MFT-10192 / APAR IT28399 commit date: 12 Mar 2019
--------------------------------------------------------
Copy fails with error XIPT019E when CRC check is enabled.

049) CDUA-1689 commit date: 23 Aug 2019
-----------------------------------------
Added support in CD Unix for Control Center Director. Also, added support
for License governance.

050) CDUA-1652 commit date: 27 Aug 2019
-----------------------------------------
On HP-UX and Solaris systems, client and server connection attempts end
abruptly if the local.node record in netmap.cfg contains configurations
that generate warning messages, e.g. sess.total parameter value being
less than sess.pnode.max parameter value.
Direct CLI connections in this scenario, for example, will terminate and
report XSEC012I and XAPI006I messages, and statistics will show a "CMGR
terminated by signal." message.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.0.0.1

NOTICE: Previous maintenance packages delivered on Fix Central consisted
of compressed CPIO files. After a downloaded CPIO file was uncompressed,
the installation scripts would then need to be extracted from it in order
to apply the maintenance. All future maintenance, including this Fix
Pack, will be packaged as uncompressed tar balls containing the
uncompressed CPIO installation file and the installation scripts. Please
refer to the Maintenance Installation Instructions that accompany
maintenance downloads for more details.
-----------------------------------------------------------

=================================================
iFixes listed below apply to C:D for UNIX 6.0.0.1
=================================================

001) MFT-10562 / APAR IT30282 commit date: 16 Sep 2019
--------------------------------------------------------
A run task step executing a command that should normally take less than a
second to run may take a full second to complete.

002) MFT-6320 / APAR IT30283 commit date: 18 Sep 2019
-------------------------------------------------------
cdinstall_a executing an upgrade from a fresh deployment directory (i.e.,
there are no artifacts left from a previous upgrade) will display a rm
command error indicating the upgradersps.txt file does not exist.

003) CDUA-1721 commit date: 20 Sep 2019
-----------------------------------------
Corrections made to the scripts for CCD support.
a. Added support for upgrade from 6.0.0.1 to higher versions via manual
   installer. The upgrade support was present but it did not upgrade the
   install agent component.
b. When upgrading from an older version to 6.0.0.1, the agent related
   parameters should automatically get added to userfile.cfg and
   initparm.cfg.

004) MFT-7909 / APAR IT30318 commit date: 19 Sep 2019
-------------------------------------------------------
When the sending side of a HSAO (FASP) copy step has
tcp.max.time.to.wait=0, the step may fail with FASP022E reported on the
sending side and FASP009E on the receiving side.

005) MFT-10391 / APAR IT29954 commit date: 24 Sep 2019
--------------------------------------------------------
IBM License Metric Tool (ILMT) fails to discover CD UNIX because the ILMT
tag file extension is incorrect.

006) MFT-9816 / APAR IT27957 / CVE-2019-4529 commit date: 30 Sep 2019
-----------------------------------------------------------------------
IBM Sterling Connect:Direct for UNIX could allow a user who is authorized
for limited CD privileges to attack through a custom application written
using the CD UNIX C/C++ API by replacing the system implementation of
getuid() with a malicious implementation and gain unauthorized privilege
to access the CD UNIX Server.

007) MFT-10591 commit date: 01 Oct 2019
-----------------------------------------
Installation of the optional C:D File Agent (CDFA) may fail on some
systems with limited 32 bit library support, reporting "JRE libraries are
missing or not compatible." Also, CDFA installed on an EFS file system in
an Amazon Web Services EC2 instance will fail to start, reporting "Error:
missing `j9vm' JVM".

008) CDUA-1749 commit date: 08 Oct 2019
-----------------------------------------
On Solaris systems, the cdinstall_a script may fail, reporting "test:
argument expected." Also, the cdcust script may insert extra
install.agent records in the initparm.cfg file, or extra client.cert_auth
parameters in the admin local user record in the userfile.cfg file.
009) MFT-10626 commit date: 08 Oct 2019
-----------------------------------------
On S3, when bucket ACL does not allow write and object sent to this
bucket is empty, error from S3 is not returned to CD and copy step
terminates with RC=0.

010) MFT-10211 commit date: 10 Oct 2019
-----------------------------------------
Destination file can be corrupted if the file is received to a CDU
cluster that is not configured with a shared work area (snode.work.path).

011) MFT-7541 / APAR IT13224 commit date: 24 Oct 2019
-------------------------------------------------------
When copying text files to or from an EBCDIC remote node, C:D UNIX
translates ASCII data to EBCDIC and vice versa as needed. In some cases,
an alternative to the default ASCII to EBCDIC translation provided by C:D
UNIX is desired. While the product includes options for users to create
their own custom xlate tables or to use codepage translation, for
convenience, new xlate tables are provided that convert ISO-8859-1 ASCII
text to IBM-037 EBCDIC and back. These xlate tables are located in
{C:D UNIX install dir}/ndm/xlate directory. They may be specified in copy
step sysopts, or be made the default translation by specifying them in
the global copy record of the initparm.cfg file.

012) MFT-7394 commit date: 25 Mar 2021
----------------------------------------
The cdcustrpt script executed by a user other than root will display
"Permission denied" in reference to several files.

013) CDUA-1475 commit date: 30 Oct 2019
-----------------------------------------
Add support for C:D UNIX to run on SUSE Linux Enterprise Server for IBM
POWER (ppc64le) systems. Fix also corrects cdinstall script issue which
may have caused the indicated disk space required to be understated.

014) MFT-10606 / APAR IT30399 commit date: 04 Nov 2019
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX running on AIX uses IBM(R) Runtime
Environment Java(TM) (JRE) Version 8.0.5.30.
This JRE is vulnerable to the following issues, disclosed as part of the
IBM Java SDK updates in July 2019:

CVE-2019-4473: Multiple binaries in IBM SDK, Java Technology Edition on
the AIX platform use insecure absolute RPATHs, which may facilitate code
injection and privilege elevation by local users.

CVE-2019-11771: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the inclusion of unused
RPATHS in AIX builds. An attacker could exploit this vulnerability to
inject code and gain elevated privileges on the system.

015) MFT-10710 / APAR IT30961 commit date: 20 Nov 2019
--------------------------------------------------------
A process coded with a copy step that correctly uses pipe I/O function
(sysopts parameter pipe=yes) for the source may fail to produce a data
stream. I.e., the step will complete successfully, but will show zero
bytes read.

016) MFT-10666 / APAR IT31047 commit date: 27 Nov 2019
--------------------------------------------------------
During upgrade to 6.0.0.1, ownership of userfile.cfg changes to root.

017) MFT-10727 / APAR IT31176 commit date: 05 Dec 2019
--------------------------------------------------------
An inappropriate XCPZ007I message is returned after a copy step writing
to an S3 bucket completes successfully.

018) MFT-10668 / APAR IT31157 commit date: 10 Dec 2019
--------------------------------------------------------
If netmap checking is on, and the incoming connection's IP address to
check is specified in alternate.comminfo and listed past the 256th
character in that field, the session will fail with a netmap check error.
Fix extends the alternate.comminfo field length to 1023. If the field
maximum length is exceeded, a new message, XCFM001I, will be generated
and provide specific information about the error condition.
019) MFT-10721 / APAR IT31162 commit date: 10 Dec 2019
--------------------------------------------------------
In a rare circumstance, when using cdinstall_a script to upgrade or
uninstall a node, the value of the cdai_adminUserid parameter may be
incorrectly determined.

020) MFT-10754 / APAR IT31304 commit date: 16 Dec 2019
--------------------------------------------------------
If the strong password encryption (SPE) feature is in a bad state, a
submit process command can fail with no error message indicating the
reason for the failure. SPE will be in a bad state, for example, if the
base product without Secure+ is running when Secure+ is installed.

021) MFT-10771 / APAR IT31319 commit date: 18 Dec 2019
--------------------------------------------------------
CDU opens a UDP socket on the same port used to listen for incoming API
connections on TCP.

022) MFT-10694 commit date: 19 Dec 2019
-----------------------------------------
The XSTL006W message regarding recent slow stat log write times provided
limited information. In addition to a slow stat log write count, fix adds
slow write time average and longest slow write time.

023) MFT-10726 / APAR IT31361 commit date: 20 Dec 2019
--------------------------------------------------------
An installation or upgrade of C:D Unix sets the installation directory
permissions to 700, instead of the expected 755.

024) MFT-10810 commit date: 07 Jan 2020
-----------------------------------------
The Secure+ CLI help command output does not list the "display keystore"
command. "help display keystore" generates an SPCL010E error message.

025) MFT-10796 / APAR IT31480 commit date: 13 Jan 2020
--------------------------------------------------------
C:D Unix rejects proxy updates received from IBM Control Center if the
proxy string contains character '!', '$', or '#'.

026) MFT-10758 commit date: 14 Jan 2020
-----------------------------------------
Message JGIS049E missing from message file.
027) MFT-10767 / APAR IT31550 commit date: 16 Jan 2020
--------------------------------------------------------
A new parameter "agent.enable" has been added into record "install.agent"
of initparm.cfg to start/stop install agent. Default value of the
parameter is set to y (Enabled). To stop install agent, change value of
agent.enable to n (Disabled). It takes up to 5 mins to start/stop install
agent.

028) CDUA-1893 commit date: 28 Jan 2020
-----------------------------------------
The C:D Unix container image is an IBM Certified Container which offers a
Red Hat certified IBM Connect:Direct for UNIX image and Helm chart, and
can be used to deploy a production-ready IBM Connect:Direct image into
Red Hat OpenShift / Kubernetes Service.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.0.0.2
-----------------------------------------------------------

=================================================
iFixes listed below apply to C:D for UNIX 6.0.0.2
=================================================

001) CDUA-1903 commit date: 04 Feb 2020
-----------------------------------------
File transfer to S3 Object Storage providers fails as one of the java
jars was updated and its dependent jars were on the older version.
Updated the dependent java jars to the same version.

002) MFT-10314 / APAR IT29530 commit date: 05 Feb 2020
--------------------------------------------------------
The C:D Unix cust report generates error XRIA002I "unknown field name"
when parameter 'udp.src.ports.list.iterations' is included in the
initparms.cfg file.

003) MFT-10884 commit date: 06 Feb 2020
-----------------------------------------
CD Agent doesn't start after upgrade from CCD.
004) MFT-10718 / APAR IT31764 commit date: 05 Feb 2020
--------------------------------------------------------
cdcustrpt generated report cascades errors of initparm.cfg into other
configuration files.

005) CDUA-1913 commit date: 18 Feb 2020
----------------------------------------
The scripts to create pod security policy (PSP) and security constraints
context (SCC) for Kubernetes and OpenShift were throwing an error.

006) MFT-10716 / APAR IT31781 commit date: 26 Feb 2020
--------------------------------------------------------
Upgrade to C:D Unix 6.0.0.1 from older versions fails, when "install"
directory is present inside the C:D Unix installation.

007) CDUA-1897 commit date: 27 Feb 2020
-----------------------------------------
The *all keyword value is not always accepted by some C:D AIJ commands.
To be understood, the value has to be specified in uppercase, which is
not what the documentation specifies.

008) MFT-10938 commit date: 28 Feb 2020
-----------------------------------------
cdpmgr may continue to execute after an apparently successful stop
command was issued.

009) MFT-10917 / APAR IT32026 commit date: 27 Feb 2020
--------------------------------------------------------
cdinstall_a failed to override the options in the Options File.

010) MFT-10900 / APAR IT32064 commit date: 25 Sep 2020
--------------------------------------------------------
On systems where /tmp is mounted with the noexec option enabled, C:D
Install Agent or File Agent installation may fail, indicating "JRE
libraries are missing or not compatible". There may also be an indication
that a security file or directory is missing.

011) CDUA-1945 commit date: 05 March 2020
-------------------------------------------
Record CDIA001I gets logged into stats every 5 minutes if CD agent fails
to start.
012) CDUA-1764 commit date: 09 Mar 2020
-----------------------------------------
The default values for the silent installer arguments serverPort (1364)
and clientPort (1363) are not working, contrary to what the documentation
says.

013) CDUA-1883 commit date: 10 Mar 2020
-----------------------------------------
Crash of cdpmgr when initparm.cfg is modified and pmgr trace level is 4.

014) MFT-10834 / APAR IT32010 commit date: 17 Mar 2020
--------------------------------------------------------
On HP-UX and Solaris systems, cdpmgr may terminate unexpectedly with
message XPMM001I.

015) CDUA-1838 commit date: 20 Mar 2020
-----------------------------------------
Various C:D UNIX executable modules, including cdpmgr, may fail to run on
RHEL 8 and SLES 15 systems, indicating "error while loading shared
libraries: libnsl.so.1". The error may also refer to libtirpc.so.1.

016) MFT-10902 / APAR IT32092 commit date: 24 Mar 2020
--------------------------------------------------------
Under some circumstances, a submit process statement (not the submit
command, but the submit statement coded within a process script) may
generate an inappropriate CSPE007E message. When this happens, it is also
possible that the ndmsmgr may terminate unexpectedly with a signal 11
(segmentation violation).

017) MFT-10759 / APAR IT31456 commit date: 08 Jan 2020
--------------------------------------------------------
Netmap file with incorrect record crashes CDU at UTC zero hour.

018) MFT-10926 / APAR IT32306 commit date: 30 Mar 2020
--------------------------------------------------------
CDU can't read a Statistics log file with a 4-digit extension.

019) CDUA-1479 commit date: 7 Apr 2020
----------------------------------------
cfgcheck reports error in netmap.cfg and userfile when there is an
invalid value in initparm.cfg file.
020) MFT-10745 / APAR IT32488 commit date: 08 Apr 2020 -------------------------------------------------------- A CLI session on Solaris fails with errors XSEC013I and XAPI005I when host names are specified in the keys.client and keys.server files for session authentication. The issue may also manifest, regardless of the keys.* files specification, as a CLI session failure reporting message XSEC010I when multiple CLI connections are made in rapid sequence. When this happens, CDU statistics will log an XIPT016I message when the local.node's tcp.max.time.to.wait specification has elapsed after the CLI failure. 021) CDUA-1997 commit date: 08 Apr 2020 ----------------------------------------- tcqconvert does not run in a containerized environment in case of upgrade or recovery, although it logs "Run the tcqconvert" in CDStartup.log. 022) CDUA-2005 commit date: 10 Apr 2020 ----------------------------------------- The connection between CD and SEAServer fails to come up. This issue is observed in AIX, HPUXIT, Solaris and Zlinux platforms of CDU. The SEAServer drops the connection with the error message "ACPT002E Zero-length request received". 023) CDUA-1674 commit date: 27 Nov 2018 ----------------------------------------- In CDU versions previous to 6.0.0, gsk8capicmd displays certificate-date-attributes incorrectly. 024) CDUA-1434 commit date: 10 Apr 2020 ----------------------------------------- cfgcheck inappropriately indicates ERROR referring to a configuration file that generates only a WARNING level message. 025) CDUA-2023/CDUA-2024/CDUA-2025 commit date: 14 Apr 2020 ------------------------------------------------------------- The following enhancements have been made in the docker image and certified container software. CDUA-2023-the additional selinux capabilities have been removed from the pod security policy and security context constraints. CDUA-2024-the logging has been enhanced for container logs. 
More detailed logs and additional error scenario logging have been added. CDUA-2025-Updated the description for certificate file name to be rendered on Orchestration UI. Also, a few unwanted error logs for the cp command from the container have been removed. 026) CDUA-2032 commit date: 20 Apr 2020 ----------------------------------------- As we will be supporting dynamic UID/GID for cduser in containerized CD Unix, this fix enables upgrade and rollback support for certified container software. 027) CDUA-1996 commit date: 20 Apr 2020 ----------------------------------------- The cdsu user group from the container instance has been removed. Earlier, cduser had the immutable UID/GID as 1000. Now, it can be changed in both plain vanilla container and container certified software. Also, cdsu user group is now removed. 028) CDUA-1560 commit date: 21 Apr 2020 ----------------------------------------- Silent installation fails in case an invalid .crt, .cer or .pem file is in the deployment directory. 029) CDUA-2038/CDUA-2039 commit date: 25 Apr 2020 --------------------------------------------------- The install/upgrade using Certified Container software was failing due to the introduction of new parameters/key in vvalues.yaml for Kubernetes/Openshift. 030) MFT-10783 / APAR IT31279 commit date: 05 May 2020 -------------------------------------------------------- Silent upgrade fails when traces are disabled. 031) MFT-10918 / APAR IT32508 commit date: 06 May 2020 -------------------------------------------------------- If a netmap entry has sess.pnode.max=0 (no outgoing sessions allowed) and sess.default=1 or more, incoming sessions fail with an XNMP007E message. 032) CDUA-2050 commit date: 07 May 2020 ----------------------------------------- On HP-UX silent install/upgrade displays "cdinstall_a[41]: ==: A test command parameter is not valid." at completion. 
033) CDUA-2047 commit date: 11 May 2020 ----------------------------------------- If install/agent/bin/install-agent.jar is not present, then a) a backup is not created for the agent, b) restore doesn't happen if the upgrade fails, c) Agent stop/start doesn't happen during upgrade. 034) MFT-11091 / APAR IT32816 commit date: 13 May 2020 -------------------------------------------------------- C:D UNIX shouldn't check space requirements during upgrade. 035) CDUA-1801 commit date: 18 May 2020 ----------------------------------------- On RHEL 8 and SLES 15 systems, cdinstall_a execution may fail indicating an error loading shared libraries referring to libtirpc.so.1. On SLES 15 systems, cdinstall_a execution may fail indicating a command was not found referring to ifconfig or netstat. 036) MFT-10851 / APAR IT32402 commit date: 22 May 2020 -------------------------------------------------------- When a process that has established a session and is executing fails with a retriable error, it is placed in the Timer queue to be executed again after a wait period. Due to the intelligent session retry facility, it's possible that this process could immediately be placed back into execution without a delay. However, there are some scenarios where executing again too soon after being placed in Timer could cause resynchronization issues at the snode. 037) MFT-11014 / APAR IT32981 commit date: 28 May 2020 -------------------------------------------------------- CCD License Data Collector not working properly. The issue occurs around daylight savings time changes. 038) CDUA-2107 commit date: 02 Jun 2020 ----------------------------------------- Message file was missing a number of messages, including Sterling Secure Proxy messages added for its antivirus scanning support. 039) MFT-11039 / APAR IT32975 commit date: 27 Oct 2020 ------------------------------------------------------- Using CMPrlevel/WINdowsize/MEMlevel parameters causes XPAC011I on AIX CDU. 
This issue occurs around the format specifier that is used to convert the string from the lex parser into numbers. 040) CDUA-2052 commit date: 04 Jun 2020 ----------------------------------------- Resolved content verification (cv) linter issue in IBM Certified Container Software with new cv release. 041) CDUA-2046 commit date: 05 Jun 2020 ----------------------------------------- Deploying IBM CCS on the Openshift platform gave unwanted permission denied errors in the output of the "oc logs " command, although the deployment is successful. 042) CDUA-2089 commit date: 10 Jun 2020 ----------------------------------------- Install Agent logs are owned by and can only be read by root. 043) CDUA-2067 commit date: 11 Jun 2020 ----------------------------------------- Typo error in CDStartup.log file when SIGINT signal is received by containers. 044) CDUA-2068 commit date: 11 Jun 2020 ----------------------------------------- Due to the liveness and readiness checks in IBM Container Certified Software, the STAT gets filled with messages showing "TCP lost the connection. System error is Success." 045) CDUA-2104 commit date: 11 Jun 2020 ----------------------------------------- In Certified container software, the PVC gets bound to any available PV in the cluster that fulfills the requirement depending on size and access mode. The PVC should be bound to the PV where the prerequisite files are present on the mount path. 046) MFT-11199 / APAR IT33267 commit date: 18 Jun 2020 -------------------------------------------------------- CDAIJ cdNode.getConnectionInfo().getGmtOffset() returns 0 instead of +8. 
047) MFT-11216 / APAR IT33334 commit date: 30 Nov 2020 -------------------------------------------------------- On HP-UX and Solaris systems, while clients are rapidly submitting a series of processes, for example when C:D File Agent is processing many files recently added to a watch directory, it is possible that some of the process submissions will fail, with the client seeing XTQP001I and XPRG001I messages. 048) MFT-11178 / APAR IT33144 commit date: 30 Jun 2020 -------------------------------------------------------- Eliminate creation of the obsolete STS folders 'import' and 'export' in the secure+ folder when installing the Secure+ feature. 049) MFT-11236 / APAR IT33402 commit date: 02 Jul 2020 -------------------------------------------------------- Incoming session requests fail with netmap check error XSMG016I following an IP address mismatch even when alternate.comminfo=*. 050) MFT-11137 / APAR IT33438 commit date: 6 Jul 2020 ------------------------------------------------------- On HPUX and Linux, Secure+ transfers may fail with error "Secure+ initialization failure" "gsk_environment_init() failed" when there is a GSKit installed globally. Note: User will have to take care of the following restriction on HP-UX. On HP-UX, a setuid executable (CD server in this case), when executed by a non-root user, cannot load libraries (GSKit in this case) from any path other than standard system paths. Please refer to "man dld.so" on HP-UX for more details. A compatible GSKit is shipped with CDU and gets installed at a non-standard system path. CDserver will need help from the root user to load the compatible GSKit libraries: 1. Create (if it does not exist) /etc/dld.sl.conf and make it writable by root ONLY. 2. /etc/dld.sl.conf must contain a ":" separated list of following paths: i) ${ndm.path}/ndm/lib/gsk/lib64/ ii) ${ndm.path}/ndm/lib/ 3. Make sure the above 2 paths exist. 
Please get the ${ndm.path} from initparm.cfg 051) CDUA-1435 commit date: 09 Jul 2020 ----------------------------------------- Connect:Direct for UNIX Installer does not prompt for password verify for the Keystore password. 052) CDUA-2159 commit date: 10 Jul 2020 ----------------------------------------- On Solaris, during silent install/upgrade error message "startInstallAgent() CD Agent not started. agent.enable is set to ." is displayed. 053) MFT-11258 / APAR IT33538 commit date: 15 Jul 2020 -------------------------------------------------------- Disabling Install Agent on Solaris10 causes CDIA002I to be logged every 5 minutes in Statistics. 054) MFT-11245 / APAR IT33344 commit date: 06 Oct 2020 -------------------------------------------------------- The cdinstall script fails with a scripting error when executed on Solaris. 055) MFT-11234 / APAR IT33616 commit date: 20 Jul 2020 -------------------------------------------------------- When there is limited disk space available on the file system where CDU is or will be installed, the upgrade or install procedure may fail while configuring the Secure+ JRE and show messages about missing files or directories. 056) CDUA-2110 commit date: 28 Jul 2020 ----------------------------------------- If parameters in the initparm.cfg install.agent or license records are missing or improperly specified, the resulting XRIA001I or XRIA002I messages may not be formatted correctly. 057) MFT-11320 / APAR IT33840 commit date: 07 Aug 2020 -------------------------------------------------------- IBM Connect:Direct for UNIX could allow a user to manipulate CD UNIX to gain root privilege, as indicated in the following issue: CVE-2020-4587: IBM Connect:Direct for UNIX is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could manipulate CD UNIX to obtain root privileges. 
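One way to audit the three HP-UX steps listed under iFix 050 above, as an added example that is not part of the IBM fix list or of the product's scripts. The function names, the owner-uid argument and the constructed demo tree are assumptions for illustration; the ndm.path value is read from initparm.cfg by hand and passed in.

```shell
#!/bin/sh
# Added example: audit the /etc/dld.sl.conf setup from the HP-UX note in iFix 050.
# Function names and arguments are illustrative assumptions, not product tooling.
# Usage (as root on the node): sh <this-script> /etc/dld.sl.conf <ndm.path value>

# Succeeds when $1 is a regular file (not a symlink), owned by uid $2 (default 0,
# i.e. root), and carries no group or other write bit.
dld_conf_root_only() {
    rc_conf=$1
    rc_uid=${2:-0}
    if [ -h "$rc_conf" ] || [ ! -f "$rc_conf" ]; then
        return 1
    fi
    # POSIX "ls -ln": field 1 is the mode string, field 3 the numeric owner.
    rc_info=$(ls -lnd "$rc_conf" | awk '{ print $1 " " $3 }')
    rc_mode=${rc_info% *}
    rc_owner=${rc_info#* }
    [ "$rc_owner" = "$rc_uid" ] || return 1
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $(printf '%s\n' "$rc_mode" | cut -c6,9) in
        *w*) return 1 ;;
    esac
    return 0
}

# Succeeds when directory $2 is one of the ":"-separated entries in file $1.
# Trailing slashes are ignored on both sides of the comparison.
dld_conf_has_path() {
    hp_conf=$1
    hp_want=$(printf '%s\n' "$2" | sed 's:/*$::')
    [ -f "$hp_conf" ] || return 1
    tr ':' '\n' < "$hp_conf" | sed 's:/*$::' | grep -F -x -q -- "$hp_want"
}

# Runs the checks for conf file $1 and ndm.path $2, prints findings and returns
# the number of failed checks. $3 is the expected owner uid (default 0).
audit_dld_conf() {
    au_conf=$1
    au_ndm=$2
    au_uid=${3:-0}
    au_fails=0
    if ! dld_conf_root_only "$au_conf" "$au_uid"; then
        echo "FAIL: $au_conf must be a regular file owned by uid $au_uid with no group/other write bit"
        au_fails=$((au_fails + 1))
    fi
    for au_dir in "$au_ndm/ndm/lib/gsk/lib64" "$au_ndm/ndm/lib"; do
        if [ ! -d "$au_dir" ]; then
            echo "FAIL: $au_dir does not exist"
            au_fails=$((au_fails + 1))
        elif ! dld_conf_has_path "$au_conf" "$au_dir"; then
            echo "FAIL: $au_dir is not listed in $au_conf"
            au_fails=$((au_fails + 1))
        fi
    done
    if [ "$au_fails" -eq 0 ]; then
        echo "OK: $au_conf lists both library paths and is not group/other writable"
    fi
    return "$au_fails"
}

# Constructed sample: build a throwaway tree that mimics the layout, owned by the
# current user instead of root, and audit it.
demo_constructed() {
    d_root=$(mktemp -d) || return 1
    mkdir -p "$d_root/cdunix/ndm/lib/gsk/lib64"
    printf '%s:%s\n' "$d_root/cdunix/ndm/lib/gsk/lib64/" "$d_root/cdunix/ndm/lib/" \
        > "$d_root/dld.sl.conf"
    chmod 644 "$d_root/dld.sl.conf"
    audit_dld_conf "$d_root/dld.sl.conf" "$d_root/cdunix" "$(id -u)"
    d_rc=$?
    rm -rf "$d_root"
    return "$d_rc"
}

# With two or more arguments, audit the real file; the exit status is the
# number of failed checks.
if [ "$#" -ge 2 ]; then
    audit_dld_conf "$@"
fi
```

The write-bit check matters because the file steers library loading for a setuid executable, which is why the note asks for it to be writable by root only.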
058) MFT-11072 / APAR IT33855 commit date: 08 Dec 2020 -------------------------------------------------------- Upgrade from CCD changes ownership of install\downloads directory. 059) MFT-11176 / APAR IT33837 commit date: 10 Aug 2020 -------------------------------------------------------- On a system(running under a load balancer), silent Install/Upgrade might fail with following error: "Connect:Direct installation verification failed. Task is select statistics for sample process." 060) MFT-11334 / APAR IT33867 commit date: 17 Aug 2020 -------------------------------------------------------- Superseded by 6.0.0.2.iFix091. 061) MFT-11260 / APAR IT33773 commit date: 24 Aug 2020 -------------------------------------------------------- SMGR terminated by Signal=11 due to a malformed proxy record in file userfile.cfg. 062) MFT-11365 / APAR IT34116 commit date: 04 Sep 2020 -------------------------------------------------------- If a copy step that is using pipe IO functionality (sysopts pipe=yes) for the destination side is traced, ndmsmgr is killed with a segmentation violation (SIGSEGV). 063) MFT-11275 / APAR IT33992 commit date: 04 Sep 2020 -------------------------------------------------------- cdmsgutil lacks a trace option to assist with diagnosing any issues with it that may arise. Fix adds a trace option. Invoke cdmsgutil with "-h" to see the usage. 064) MFT-11366 / APAR IT34125 commit date: 08 Sep 2020 -------------------------------------------------------- If a copy step between two CDU nodes specifies sysopts with datatype=text, it may transfer in block mode, which is inappropriate and inefficient for CDU to CDU transfers. 065) MFT-11369 commit date: 15 Sep 2020 -------------------------------------------------------- posInfo array length in s3FileReader may be wrong and positioning on object stream may fail or may be wrong on a process restart. 
066) MFT-11088 commit date: 15 Sep 2020 ----------------------------------------- Enable S3 Server Side Encryption (SSE-S3) using new parameter s3.sseS3=YES/NO 067) CDUA-2026 commit date: 15 Sep 2020 ----------------------------------------- vulnerability on LOG4J V1 on S3 IOexit - replaced by LOG4J V2 068) MFT-11278 / APAR IT34263 commit date: 18 Sep 2020 -------------------------------------------------------- When multiple clients are connecting in rapid succession to a CDU server on Solaris or HP-UX, some of the connections may fail indicating XSEC010I. When this happens, the ndmcmgr process will hang, and, in most cases, eventually timeout, logging an XIPT016I message. It is also possible for an inappropriate XPMD005I message to be generated. 069) MFT-11398 / APAR IT34160 commit date: 23 Sep 2020 -------------------------------------------------------- CDWS Proxy user settings cannot handle entry with 2 @ symbols in it. 070) MFT-11096 / APAR IT34401 commit date: 30 Sep 2020 -------------------------------------------------------- In a rare circumstance, CDU servers running on HP-UX or Solaris may get stuck in a loop of message XIPT007I followed by message XPMC002I after a CLI connection is attempted or the port the server is listening on for client connections is probed. 071) MFT-11502 / APAR IT34639 commit date: 22 Oct 2020 -------------------------------------------------------- If the source side of a copy step is pipe IO (a data stream invoked with the pipe=yes sysopts) and the stream is ended abnormally (bad command, terminated by signal, etc.), the abnormal termination is not detected. The copy step will complete as though the pipe IO data stream was received and ended normally. 072) MFT-11518 / APAR IT34801 commit date: 05 Nov 2020 -------------------------------------------------------- run task steps that end abnormally, i.e., terminated by a signal, are logged as normal completions. 
Also, if a run task step generates stderr output, the output is not captured or logged in statistics. Fix adds a new warning message, XSMG424I, which captures and logs any stderr generated so it can be analyzed. 073) MFT-11520 / APAR IT35189 commit date: 12 Nov 2020 -------------------------------------------------------- IBM Connect:Direct for UNIX could allow a non-authorized user to gain application privileges, as described in the vulnerability below. CVE-2020-4747: IBM Connect:Direct for UNIX can allow a local or remote user to obtain an authenticated CLI session due to improper authentication methods. 074) MFT-11457 / APAR IT35091 commit date: 27 Nov 2020 ------------------------------------------------------- In case the default Install Agent port is busy and an upgrade of CDU instance is performed from an older version without Install Agent to a newer version with Install Agent, the IA service fails to start due to unavailability of the port. The upgrade fails but without indicating the correct reason for failure. Also, in such a case, as a part of the rollback process, a restore to the previous Install Agent version is attempted, which never existed. 075) CDUA-2173 commit date: 06 Dec 2020 ----------------------------------------- Umask is not consistent on the system with respect to the cdpmgr process inside the container. The umask of the system shown is 022 while the umask shown for cdpmgr is 077. So, corrected the default umask setting inside container. 076) CDUA-2386 / APAR IT35188 commit date: 14 Dec 2020 -------------------------------------------------------- The CLI/Server authentication can fail if the local DNS returns the peer's host name in upper or mixed case. 077) CDUA-2420 commit date: 13 Jan 2021 ----------------------------------------- Analyzing CLI connection security issues can be difficult. Fix improves CLI connection messaging and logging. 
078) CDUA-2476 / APAR IT35442 commit date: 07 Jan 2021 -------------------------------------------------------- It is possible in certain scenarios for C:D events to occur and not get logged to statistics. 079) CDUA-2304 commit date: 08 Jan 2021 ----------------------------------------- User Authority gets converted to User Proxy if userId contains "@" in value. If a client such as C:D Web Services attempts to create local user with an invalid "@" character imbedded in the user name, CDU will create a proxy record instead of responding with an error condition. 080) MFT-11488 / APAR IT35273 commit date: 13 Jan 2021 -------------------------------------------------------- cdinstall_a script - on AIX the silent install hangs if there is no 'mktemp' binary on the server. 081) MFT-11571 / APAR IT35287 commit date: 15 Jan 2021 -------------------------------------------------------- cdpmgr responsiveness can be degraded when statistics exit processing takes a long time to complete. Fix adds XSTL007W and XSTL008W messages to warn when increased time is needed for the statistics exit to process a statistics log. Fix also adds code to restart the statistics exit if it's not running when it's time to send a statistics log. 082) MFT-11547 / APAR IT35148 commit date: 22 Jan 2021 -------------------------------------------------------- When using SPAdmin and SPCli to import a file with multiple unique certificates that have labels equal to existing certificates in the keystore, and with the ImportMode set to AddUniqueLabel, only the first certificate in the file will get added with a unique label. Subsequent certificates in the import file will overwrite existing certificates that have the same label. 
083) CDUA-2507 / APAR IT35570 commit date: 27 Jan 2021 -------------------------------------------------------- When using SPCli to update the KeyCertLabel of the local node or a remote node and no other parameters are specified, SPCli inappropriately reports "SPCL108E rc=8 All mandatory key word value pairs must be entered." 084) CDUA-2450 commit date: 28 Jan 2021 ----------------------------------------- The version of CDFA bundled with CDU is 1.4.0.0, which doesn't support certificate based client authentication. Fix updates C:D File Agent bundled with CDU to 1.4.0.1, which includes support for configuring certificate-based user authentication. 085) MFT-10091 / APAR IT28000 commit date: 25 Jun 2019 -------------------------------------------------------- Certificate serial number is displayed in different formats over stats and SPAdmin GUI 086) CDUA-2130 commit date: 09 Feb 2021 ----------------------------------------- When dynamic provisioning is enabled on AWS managed services for Openshift platform, the ownership of SACL directory becomes root:cduser and permission of sysacl.cfg file changes to 660, due to which the CD process fails with XSCM006E message. This scenario is seen when a pod gets created with a previously deployed pod's CDU data, i.e., the issue is observed after the restore of a previous configuration. 087) CDUA-2035 commit date: 14 Feb 2021 ----------------------------------------- a). CDU Upgrade fails in case cfgCheck exits with a warning. b). cfgCheck exits with wrong return codes in case of error/warning. 088) CDUA-2542 commit date: 25 Feb 2021 ----------------------------------------- If processes fail with an XSCM006E message indicating incorrect permission settings for the SACL directory, cdcust should be run to reset permissions correctly. In some rare cases, cdcust may not reset SACL permissions correctly and the problem will not be resolved. 
089) MFT-11792 / APAR IT35919 commit date: 02 Mar 2021 -------------------------------------------------------- The system-defined hard and soft limits for "max open files" are not passed to a run task or run job created by the CD session manager. 090) CDUA-2512 commit date: 9 March 2021 ------------------------------------------ Malformed proxies with an invalid or empty localid value no longer appear in API calls. This doesn't detect a valid localid but a non-existent user. 091) MFT-11905 / APAR IT36111 commit date: 26 Aug 2021 -------------------------------------------------------- IBM Connect:Direct for UNIX (CDU) on AIX, Linux, and Solaris platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Versions 8.0.6.15 and 8.0.5.40. CDU on HP-UX platform uses JRE Versions 8.0.6.0 and 8.0.5.35. These JREs are vulnerable to the following issues, disclosed as part of recent IBM Java SDK updates: CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVE-2020-14782: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVE-2020-14579: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-14578: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. 
CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVE-2019-17639: Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array, an attacker could exploit this vulnerability to obtain sensitive information. CVE-2020-2781: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-2654: An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. 092) CDUA-2506 commit date: 19 Mar 2021 ----------------------------------------- CDU should detect expired password when authenticating credentials using standard security 093) MFT-11951 / APAR IT36389 commit date: 30 Mar 2021 -------------------------------------------------------- When receiving a native i5 file with long records (LRECL > 27998), C:D UNIX may inappropriately fail the step with an XCPR001I message. 094) MFT-11787 / IT36460 commit date: 06 Apr 2021 --------------------------------------------------- The S3 read process can partially fill and corrupt target file with inconsistent data 095) MFT-11901 / APAR IT36440 commit date: 7 Apr 2021 ------------------------------------------------------- A process submit step (submit within a process) may fail and report an XPAE003I message if the submitted process text contains a comment on the first line. 
096) MFT-11907 / APAR IT36234 commit date: 09 Apr 2021 -------------------------------------------------------- When a file is being transferred to or from a z/OS PDS member, the member name is information that might be useful when opening the source or destination file in the C:D UNIX file open exit, but it was not getting passed in. NOTICE: File open exits must be recompiled after applying this fix. 097) CDUA-2545 / APAR IT36615 commit date: 21 Apr 2021 -------------------------------------------------------- Newly created Secure+ remote node entries set Override=DefaultToLN by default. If the .Local node entry specifies Override=y, and a remote node entry specifies Override=y or DefaultToLN, then the protocol of incoming secure sessions for that remote node entry may override the remote node entry's configured protocol. 098) CDUA-2645 commit date: 05 May 2021 --------------------------------------- Cdinstall script should display Installed C:D Version during upgrade. 099) MFT-11763 / APAR IT35945 commit date: 6 May 2021 ------------------------------------------------------ Added the support of agent enable silent installation parameter. This parameter can be specified at fresh installation to start/not start the Install Agent after installation. Usage in silent installation options file: cdai_agentEnable= Corresponding to this option, agent.enable field is added to Install Agent record in initparm.cfg file. Default value of this field is 'y'. 100) CDUA-2287 commit date: 07 May 2021 ----------------------------------------- CDU should throw exceptions for invalid values of Install Agent and License governance parameters and added exception handling for Agent_Enable. 101) MFT-12010 / APAR IT36815 commit date: 10 May 2021 -------------------------------------------------------- C:D Unix ndm_auth failure with errors XSEC000I, XAPI005I. When a Solaris 'direct' client connects to a C:D server on a different platform, the authorization may fail. 
NOTICE: In a distributed client/server environment, if a Solaris client or server installation is upgraded with this or any later iFix, any corresponding Solaris server or client must also be upgraded. 102) MFT-12173 / APAR IT37036 commit date: 18 Oct 2021 -------------------------------------------------------- When validating user credentials, C:D UNIX may consider a valid password to be expired in some scenarios and inappropriately fail the validation. 103) MFT-11874 / APAR IT36691 commit date: 15 Jun 2021 -------------------------------------------------------- Errors during a multi steps copy process generate stat records like "...|MSGI=FIOX044E|...|MSGT=IOExitFactory.createWriter failed,scheme=s3, error=java.lang.OutOfMemoryError native memory exhausted." as well as associated java core files. 104) CDUA-2831 commit date: 17 Jun 2021 ----------------------------------------- Some AIX and Solaris specific prompts in the manual installation script show the Connect:Direct version as 4.3.0.0. Updated the same to display the current installing version. 105) MFT-12150 / APAR IT37417 commit date: 25 Jun 2021 -------------------------------------------------------- If a run task step runs a UNIX process that produces a great deal of stderr, the step can hang. 106) MFT-12275 / APAR IT37413 commit date: 02 July 2021 -------------------------------------------------------- On AIX, XRIA002I message is seen in stats due to addition of double quotes around agent.enable parameter in initparm.cfg file. The erroneous double quotes get added during an upgrade or installation. 107) MFT-12251 / APAR IT37493 commit date: 12 Jul 2021 -------------------------------------------------------- The cdpmgr process failed to start, logging error XPMD007I in the statistics. 108) MFT-12051 / APAR IT36806 commit date: 23 Jul 2021 -------------------------------------------------------- The ndmcmgr module may terminate with a signal 11 (SIGSEGV) if a client sends invalid information. 
109) MFT-12380 / APAR IT37900 commit date: 10 Aug 2021 -------------------------------------------------------- If the name of the S3 IO Exit is different from 'S3', the exception S3IOExitException: S3File: Invalid filename pathname is detected 'null' is raised. 110) CDUA-2980 / APAR IT38016 commit date: 17 Aug 2021 -------------------------------------------------------- After upgrading to C:D Unix 6.0/6.1, an attempt to open the 'direct' prompt with a trace parameter failed with error XAPI005I Return Code: 8 Feedback: 0. Ensure that the ndmauth trace logs are always written to the ndm/bin directory to avoid permissions failures on creation of the trace logs. 111) MFT-12349 / APAR IT38059 commit date: 24 Aug 2021 -------------------------------------------------------- The S3 File IO Exit included in IBM Sterling Connect:Direct for UNIX uses Apache Commons Codec Version 1.11. This version is vulnerable to the following issue, disclosed by Apache Tomcat Information: Third Party Entry 177835: Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. An attacker could exploit this vulnerability using a method call to obtain sensitive information. 112) CDUA-2043 / APAR IT37922 commit date: 30 Aug 2021 -------------------------------------------------------- A copy step using zFBA may fail and report message SCZF004E, Could not Open zFBA devices. If this failure is traced, the step may hang in execute state with a rapidly growing trace file output and ndmsmgr consuming significant CPU resource. 113) MFT-12210 / APAR IT37291 commit date: 30 Aug 2021 -------------------------------------------------------- When pulling from a wildcard source specification on the remote node to an S3 bucket on CDU, the first copy step fails reporting FIOX021E. Subsequent steps may succeed, but the source and destination file names will be mismatched in the copy termination records (CTRCs). 
Wildcard copy steps more generally may have incorrect source and destination file names specified in the local or remote step start records (LSSTs or RSSTs). 114) MFT-12318 / APAR IT37795 commit date: 29 Sep 2021 -------------------------------------------------------- Due to newer versions of Linux not maintaining binary compatibility for the Transport Independent RPC Library (libtirpc) with older versions, RHEL 8 and RHEL 7, for example, CDU binaries executed from a directory other than our ndm/bin directory may fail, indicating "error while loading shared libraries: libtirpc.so.1". See the Known Restrictions page of the CDU Release Notes for more details. The Known Restrictions page also describes a symbolic link which may be created to enable execution of CDU binaries from directories other than ndm/bin. If implementation of this link was desired, it had to be created manually. This fix updates the interactive and automated installation scripts to provide an option for creating this link during installs and upgrades. The interactive installation script, cdinstall, will prompt for the option if the link is not detected. A new parameter, cdai_tirpcCreateLink, has been added to the automated installation script, cdinstall_a, which takes a 'y' or 'n' value to optionally create this link. 115) CDUA-3066 / APAR IT38735 commit date: 20 Oct 2021 -------------------------------------------------------- In some cases on Linux x86 and Linux zSeries platforms, an automated upgrade (cdinstall_a) will fail, with the installation trace file showing finalRc=6, and the exitStatusFile.txt showing CDAI006E, Setting root attributes failed. Also, an automated install or upgrade invoking the --tirpcCreateLink command line option will fail, with the trace file showing finalRc=2, and the exitStatusFile.txt showing CDAI002E Invalid argument found. argument: --tirpcCreateLink. 
116) MFT-12577 / APAR IT38803 commit date: 26 Oct 2021
--------------------------------------------------------
A run task may fail to execute, generating an XSMG424I warning that inappropriately indicates "RPC call to stat_log_1() returns null. RPC time out."

117) MFT-12582 / APAR IT38836 commit date: 03 Nov 2021
--------------------------------------------------------
S3 upload fails for 0-byte files when an AWS policy denies objects that are not server-side encrypted (SSE).

118) MFT-12538 / APAR IT38957 commit date: 04 Nov 2021
--------------------------------------------------------
When CDU is preparing the list of matching files for a wildcard copy step, for security, matching files that are not readable by the local user are not added to the list. If CDU is snode and one or more of the matching files is unable to be opened, the pnode does not get notified about these files and will consider the copy step to be successful.

To fix this issue, when CDU is snode, one matching file that is not readable is allowed to be added to the list of files to be sent, so that one of the individual copy steps will fail, giving the pnode awareness of the situation. For security, snode masks the name of the unreadable matching file before sending the failing step information to pnode.

119) CDUA-2754 commit date: 16 Nov 2021
-----------------------------------------
The SSLV2 hello has been disabled. Note that TLS 1.0 has been deprecated by the IETF since March 2021.

120) MFT-12352 / APAR IT38513 commit date: 23 Nov 2021
--------------------------------------------------------
Silent install of CD Unix fails intermittently due to a failure in the installation of Install Agent. When this issue occurs, a Java stack trace is produced that shows "java.lang.NullPointerException at com.zerog.ia.installer.LifeCycleManager.de".

121) MFT-12634 / APAR IT39304 commit date: 02 Dec 2021
--------------------------------------------------------
When a KQV client, such as C:D Application Interface for Java or C:D Web Services, issues a select statistics or select process request to C:D UNIX that includes a submitter parameter, the command may fail with the C:D UNIX ndmcmgr process killed by a SIGABRT (signal 6) or SIGSEGV (signal 11).

122) CDUA-3056 commit date: 06 Dec 2021
----------------------------------------
In some scenarios, C:D Control Center may incorrectly conclude that multiple C:D UNIX nodes are running on the same system.

123) MFT-12769 / APAR IT39369 commit date: 16 Dec 2021
--------------------------------------------------------
The S3 File IO Exit, Install Agent, and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the below listed issue. Apache Log4j2 has been upgraded to version 2.15.0.

CVE-2021-44228: JNDI features of Apache Log4j2 versions <= 2.14.1, used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

124) MFT-12710 / APAR IT39420 commit date: 02 Mar 2022
--------------------------------------------------------
On HP-UX Itanium systems using a shadow password file, client connections presenting valid credentials may fail, generating an XCMM038I message. Server connections may fail generating an XSMG245I message.

Fix introduces a new requirement for the Password Hash Infrastructure (PHI) package on some HP-UX systems that use shadow password storage.

To check for package installation status:
  11iv3 (B.11.31): swlist -a state SHA11i3
  11iv2 (B.11.23): swlist -a state SHA

To download and install the package if necessary:
  11iv3 (B.11.31): https://myenterpriselicense.hpe.com/cwp-ui/free-software/PHI11i3
  11iv2 (B.11.23): https://myenterpriselicense.hpe.com/cwp-ui/free-software/PHI

125) MFT-12790 / APAR IT39452 commit date: 17 Dec 2021
--------------------------------------------------------
The S3 File IO Exit, Install Agent, and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the below listed issue. Apache log4j2 has been upgraded to version 2.16.0.

CVE-2021-45046: Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern could exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service.

126) MFT-12807 / APAR IT39480 commit date: 21 Dec 2021
-------------------------------------------------------
The S3 File IO Exit, Install Agent, and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Log4j2 that are vulnerable to the below listed issue. Apache log4j2 has been upgraded to version 2.17.0.

CVE-2021-45105: Apache Log4j versions <= 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

127) MFT-12865 commit date: 24 Jan 2022
-----------------------------------------
Apache log4j2 upgraded to version 2.17.1.

128) CDUA-3245 / APAR IT40116 commit date: 02 Mar 2022
--------------------------------------------------------
The cdinstall script run on HP-UX may mistakenly indicate that Password Hash Infrastructure (PHI) package installation is required. PHI is not required on HP-UX systems that use traditional password storage.

129) CDUA-3134 / APAR IT39167 commit date: 11 Mar 2022
--------------------------------------------------------
Expired passwords are not detected by CDU when authenticating credentials on HP-UX Itanium and AIX platforms. Also, when credential validation failed, no reason was logged for the failure.

Fix adds a new message, XIDC001I, logged only on the validating side and viewable only by administrators, indicating why credential validation failed.

130) CDUA-3280 commit date: 30 Mar 2022
-----------------------------------------
On RHEL 8 and SLES 15 systems, cdinstall_a execution may fail indicating a command was not found referring to netstat.

131) MFT-13197 / APAR IT40831 commit date: 06 May 2022
--------------------------------------------------------
The NUIC record may intermittently not be logged in the C:D stats on slower systems.

132) MFT-13381 / APAR IT41151 commit date: 07 Jun 2022
--------------------------------------------------------
In some scenarios, a copy step may fail, indicating XSQF009I and XCPZ001I messages when attempting to open a translation (xlate) table in the default directory {C:D UNIX install dir}/ndm/xlate.

133) MFT-13267 / APAR IT41201 commit date: 20 Jun 2022
--------------------------------------------------------
Upgrade of Connect:Direct for UNIX from Control Center Director may fail sometimes when standalone File Agent is running.

134) MFT-13374 / APAR IT41284 commit date: 20 Jun 2022
--------------------------------------------------------
Connect:Direct for UNIX uses zlib, which is vulnerable to the following issue:

CVE-2018-25032: Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash.

135) MFT-13372 / APAR IT41296 commit date: 21 Jun 2022
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX, Linux, and Solaris platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.6.30. This JRE version is vulnerable to the following issues, disclosed as part of recent IBM Java SDK updates:

CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.

136) MFT-13560 / APAR IT41681 commit date: 09 Aug 2022
--------------------------------------------------------
The Connect:Direct for UNIX Install Agent and File Agent use versions of Apache Commons Configuration that are vulnerable to the below listed issue. Apache Commons Configuration has been upgraded to version 2.8.0 in Install Agent and File Agent.

CVE-2022-33980: Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when using the interpolation defaults. By using a specially-crafted configuration, an attacker could exploit this vulnerability to execute arbitrary code or perform unintentional contact with remote servers.

137) CDUA-3085 commit date: 14 Sep 2022
--------------------------------------------------------
When a silent upgrade is performed from a CDU version where Install Agent is not up due to Secure+ not being installed/configured, the upgrade is marked as failed because Install Agent is unable to start even after the upgrade. As a part of this fix, Install Agent startup is not attempted after a silent upgrade if it was not up before the upgrade.

138) MFT-13017 / APAR IT42110 commit date: 26 Sep 2022
--------------------------------------------------------
A transfer between two C:D Unix nodes, using standard compression, may result in a corrupted destination file.

139) MFT-13784 / APAR IT42354 commit date: 08 Nov 2022
--------------------------------------------------------
The Install Agent and File Agent components, included in IBM Sterling Connect:Direct for UNIX use versions of Apache Commons Text that are vulnerable to the below listed issue. Apache Commons Text has been upgraded to version 1.10.0.

CVE-2022-42889: Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

140) MFT-13785 / APAR IT42426 commit date: 09 Nov 2022
--------------------------------------------------------
The Amazon S3 component used by File Agent and the S3 IO Exit, included in IBM Sterling Connect:Direct for UNIX, uses versions of FasterXML jackson databind that are vulnerable to the below listed issue. Jackson databind has been upgraded to version 2.14.0.

CVE-2022-42003: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

141) MFT-13786 / APAR IT42427 commit date: 09 Nov 2022
--------------------------------------------------------
The Amazon S3 component used by File Agent and the S3 IO Exit, included in IBM Sterling Connect:Direct for UNIX, uses versions of FasterXML jackson databind that are vulnerable to the below listed issue. Jackson databind has been upgraded to version 2.14.0.

CVE-2022-42004: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

142) CDUA-3690 commit date: 17 Nov 2022
-----------------------------------------
The Connect:Direct for UNIX node does not get detected on Control Center Director with a NotFoundException in Install Agent logs stating that record 'install.agent' field 'agent.installation_id' not found.

143) CDUA-3635 commit date: 09 Dec 2022
-----------------------------------------
In some scenarios, a duplicate file.ioexit record may be added in initparm.cfg file after an interactive upgrade.

144) MFT-13962 / APAR IT43046 commit date: 03 Feb 2023
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses FasterXML jackson-databind version 2.13.3. This version is vulnerable to the following issue:

CVE-2022-42003: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

145) MFT-14043 / APAR IT43024 commit date: 06 Feb 2023
--------------------------------------------------------
Update_01
---------
IBM Connect:Direct for UNIX (CDU) on AIX, Linux, and Solaris platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.7.10.
This JRE version is vulnerable to the following issue, disclosed as part of recent IBM Java SDK updates:

CVE-2022-21626: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.

Update_02
---------
CDU on HP-UX platform uses JRE Version 8.0.6.30. This JRE version is vulnerable to the following issue, disclosed as part of recent IBM Java SDK updates:

CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.

CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.

146) MFT-13473 / APAR IT41488 commit date: 02 Mar 2023
--------------------------------------------------------
A process submitted from the CLI may fail with a syntax message, XPAE003I, if the process contains an snodeid or pnodeid parameter where one of the elements, the password, for example, contains a C:D process special character, such as an equals sign.

Fix adds the ability to enclose snodeid and pnodeid parameter elements in single quotes, which will cause any C:D process special characters in these elements to be ignored.

147) MFT-14056 / APAR IT43263 commit date: 24 Mar 2023
--------------------------------------------------------
When any of the partner nodes of Connect Direct for UNIX has ostype=OS/390 specified in netmap.cfg file, XRIA002I error messages are generated in the statistics for every login to this node from Connect Direct Web Services.

NOTICE: Going forward, security updates will be described as either affected or vulnerable, based on the following definitions from IBM:

Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Issues classified as affected will not be published in security bulletins, in most cases.

148) MFT-14244 / APAR IT43732 commit date: 11 May 2023
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX, Linux, and Solaris platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.7.20. This JRE version is affected by the following issues, disclosed as part of recent IBM Java SDK updates: CVE-2023-21830, CVE-2023-21843, and CVE-2022-21426.

CDU on HP-UX platform uses JRE Version 8.0.7.10. This JRE version is affected by the following issue: CVE-2023-30441. This JRE version is vulnerable to the following issue, disclosed as part of recent IBM Java SDK updates: CVE-2022-21626.

149) CDUA-4037 commit date: 29 May 2023
-----------------------------------------
Added AWS related environmental variables for correcting secure processing for object store service during cdpmgr startup.

150) CDUA-3662 commit date: 05 Jun 2023
-----------------------------------------
The maximum concurrent sessions limit imposed by the system and the user who initiated C:D are two items that may be useful to know, but were not being logged. Fix updates the NUIS record with the initiating user, and adds a new message that records the maximum concurrent sessions the system will allow.

151) MFT-14483 / APAR IT43918 commit date: 08 Jun 2023
--------------------------------------------------------
CDU uses GSKit 8.0.55.12. This version is vulnerable to the following issue: CVE-2023-32342.

152) Java component updates commit date: 05 Jul 2023
------------------------------------------------------
Update_01 MFT-14561 / APAR IT44029
-----------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX and Linux platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in this version were disclosed as part of recent IBM Java SDK updates.

This JRE version is vulnerable to the following issues: CVE-2023-21930, CVE-2023-21967, CVE-2023-21939 and CVE-2023-21968.

This JRE version is affected by the following issues: CVE-2023-21954, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.

Update_02 MFT-14539 / APAR IT44082
-----------------------------------
Vulnerabilities in the IBM Runtime Environment Java Technology Edition, Version 7 and 8 apply to IBM Sterling Connect:Direct File Agent.

Vulnerable: CVE-2023-21930, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968.
Affected: CVE-2023-2597, CVE-2023-21937, CVE-2023-21938, CVE-2023-21954.

Updated bundled IBM Java to version 8.0.8.5 on AIX, Linux and Windows.

153) Java component package updates commit date: 02 Aug 2023
------------------------------------------------------------
The Install Agent component and the Amazon S3 component used by File Agent and the S3 IO Exit, included in IBM Sterling Connect:Direct for UNIX, use versions of FasterXML jackson that are affected by the following issues:

Update_01 MFT-14439 / APAR IT44099 / PRISMA-2023-0067
Update_02 MFT-14580 / APAR IT44101 / CVE-2023-35116

Jackson libraries have been upgraded to version 2.15.2.

154) CDUA-4331 commit date: 20 Jul 2023
----------------------------------------
The Amazon S3 component used by File Agent and the S3 IO Exit, included in IBM Sterling Connect:Direct for UNIX, uses versions of Google Guava that are affected by the following issue: CVE-2023-2976. Guava has been upgraded to version 32.0.1.

155) MFT-14579 / APAR IT44100 commit date: 02 Aug 2023
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses Bouncy Castle version 1.70. This version is affected by the following issue: CVE-2023-33201.

156) MFT-14939 / APAR IT44736 commit date: 30 Oct 2023
--------------------------------------------------------
When the certificate information exceeds a length of 196, the complete information is recorded in the statistics file, but the output of the 'select statistics' command is truncated and the CERT information is displayed only up to 196 characters.

157) MFT-14796/MFT-14797/MFT-14798 commit date: 01 Dec 2023
-------------------------------------------------------------
The Install Agent component uses Jetty that is affected by the following issues: CVE-2022-2047, CVE-2022-2048, CVE-2023-26048, CVE-2023-26049, CVE-2021-28169, CVE-2021-34429, and PRISMA-2021-0182.