=================================================
Maintenance for IBM Connect:Direct for UNIX 6.3.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX
6.3.0 code base. It is applicable to C:D UNIX version 6.3.0, and contains
all the new functionality and fixes as described in the C:D UNIX 6.3.0
Release Notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance. Individual fixes also
have a new name, Interim Fixes, or iFixes for short. iFixes are numbered
sequentially from one, restarting with any increment to V, R, M or F.
Please see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D
version is 6.3.0.x, where x is the current Fix Pack. It will also display
the date that the maintenance was created. For more information, please
refer to the C:D UNIX 6.3.0 Release Notes.

NOTICE: Security updates will be described as either affected or
vulnerable, based on the following definitions from IBM:

Affected:   The software product contains code which has a documented
            vulnerability. Based on currently available information,
            however, we believe that the issue is likely not exploitable.
            However, as a best practice and from an abundance of caution,
            we recommend customers update their systems as soon as
            practical. Vulnerabilities evolve, and a means of exploiting
            any issue may emerge at any time.

Vulnerable: The software product contains code which has a documented
            vulnerability. Our analysis shows that the issue may be
            exploitable.
Issues classified as affected will not be published in security bulletins,
in most cases.

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.0
=================================================

001) CDUA-4217   commit date: 28 Jun 2023
-----------------------------------------
Config file opens from CDU can occasionally fail with XCFF001I and fdbk
EINTR.

002) CDUA-4037   commit date: 01 Jun 2023
-----------------------------------------
Corrected secure processing for several AWS related environment variables.

003) CDUA-3662   commit date: 05 Jun 2023
-----------------------------------------
The maximum concurrent sessions limit imposed by the system and the user
who initiated C:D are two items that may be useful to know, but were not
being logged. Fix updates the NUIS record with the initiating user, and
adds a new message that records the maximum concurrent sessions the system
will allow.

004) MFT-14483 / APAR IT43918   commit date: 08 Jun 2023
--------------------------------------------------------
CDU uses GSKit 8.0.55.12. This version is vulnerable to the following
issue: CVE-2023-32342.

005) CDUA-4248   commit date: 12 Jun 2023
-----------------------------------------
When a command is issued from Connect:Direct Browser to delete a user
entry from the userfile.cfg file, a success response is returned even when
the user does not exist. Added a fix to show a relevant error in such a
case.

006) MFT-14357 / APAR IT43960   commit date: 20 Jun 2023
--------------------------------------------------------
The CDU server terminates abruptly following a COPY failure with error
FIOC004E.

007) CDUA-4086 / APAR IT44103   commit date: 14 Jul 2023
--------------------------------------------------------
When an interactive upgrade is executed while the cwd is the CDU install
directory, it removes all ndm directory items except the SACL dir.
008) CDUA-4222   commit date: 27 Jun 2023
-----------------------------------------
During installation of Connect:Direct for UNIX on NFS with root squash
enabled, a warning message is displayed saying:
  chmod: changing permissions of '/opt/cdunix/file_agent/config': Operation not permitted

009) CDUA-4274   commit date: 30 Jun 2023
-----------------------------------------
Install Agent logs grow indefinitely, leading to very big log files over a
period of time. Updated Install Agent to clear logs periodically.

010) MFT-14561 / APAR IT44029   commit date: 30 Jun 2023
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX and Linux platforms uses IBM(R)
Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in this
version were disclosed as part of recent IBM Java SDK updates.
This JRE version is vulnerable to the following issues: CVE-2023-21930,
CVE-2023-21967, and CVE-2023-21968.
This JRE version is affected by the following issues: CVE-2023-21954,
CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.

011) CDUA-4299   commit date: 05 Jul 2023
-----------------------------------------
Updated the UBI base image for the CDU container to the latest version,
UBI 8.8-1009, and removed the unwanted libnsl and nis_nss packages from
the container image.

012) CDUA-3346   commit date: 10 Jul 2023
-----------------------------------------
Currently cdinstall_a assumes pwd is the deployment directory. If the
automation installation script cdinstall_a is called by relative or
absolute path from outside the directory that contains installer_script,
CPIO_file and the certificates, the installation fails with error code 127
(cdinstall is not present at this directory).
013) Java components updates   commit date: 20 Jul 2023
-------------------------------------------------------
Update_01 MFT-14410
--------------------
The Integrated File Agent component uses Spring Framework that is affected
by the following issue: CVE-2023-20863.

Update_02 MFT-14439 / APAR IT44099
-----------------------------------
The Integrated File Agent and the Object Store IO Exit components use
FasterJackson that is affected by the following issue: PRISMA-2023-0067.

Update_03 MFT-14580 / APAR IT44101
-----------------------------------
The Integrated File Agent, Install Agent and the Object Store IO Exit
components use FasterJackson that is affected by the following issue:
CVE-2023-35116.

Update_04 MFT-14581 / APAR IT44102
-----------------------------------
The Integrated File Agent and the Object Store IO Exit components use
Netty that is affected by the following issue: CVE-2023-34462.

Update_05 CDUA-4331
--------------------
The Integrated File Agent and the Object Store IO Exit components use
Google Guava that is affected by the following issue: CVE-2023-2976.

Update_06 MFT-14738 / APAR IT44465
-----------------------------------
The Integrated File Agent component includes versions of FasterXML
jackson-dataformat-properties that are affected by the following issue:
CVE-2023-3894.

014) MFT-14579 / APAR IT44100   commit date: 01 Aug 2023
--------------------------------------------------------
The Integrated File Agent and Install Agent components, included in IBM
Sterling Connect:Direct for UNIX, use Bouncy Castle version 1.70. This
version is affected by the following issue: CVE-2023-33201.

015) CDUA-4358   commit date: 03 Aug 2023
-----------------------------------------
Install Agent poll script does not return the correct status of the
Install Agent process.
016) CDUA-4392/CDUA-4394   commit date: 21 Aug 2023
---------------------------------------------------
Updated the UBI base image to UBI 8.8-1032 and corrected the K8s minimum
version requirement to v1.23.

017) MFT-14718 / APAR IT44425   commit date: 23 Aug 2023
--------------------------------------------------------
A copy step executed by a user configured with a directory restriction
may fail, reporting XCPR015I. The partner node may log an XCPS002I or
XCPS003I message when this happens.

018) CDUA-4393   commit date: 28 Aug 2023
-----------------------------------------
Statistics generated after an upgrade are lost if an emergency restore
procedure is executed.

019) CDUA-4406   commit date: 31 Aug 2023
-----------------------------------------
Add client type and remote address to the client logon failure message.
The message showed who tried to log in, but not the type of client or the
remote address.

020) CDUA-4416   commit date: 06 Sep 2023
-----------------------------------------
API commands are not logged by default in a fresh CDU installation.

021) MFT-14816 / APAR IT44560   commit date: 22 Sep 2023
--------------------------------------------------------
After running for an extended time, Integrated File Agent may fail and
generate Java core dumps.

022) MFT-14595 / APAR IT44192   commit date: 26 Sep 2023
--------------------------------------------------------
The following warning with code SPCG774W may occur while updating the Key
Certificate Label in the .Client record in Secure+: "The Certificate Label
'xxx' chain does not include a root certificate." Users will not see any
warning if the root certificate is already present in the certificate
chain.
-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.3.0.1
-----------------------------------------------------------

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.1
=================================================

001) CDUA-4489   commit date: 03 Oct 2023
-----------------------------------------
Fix added for addressing invalid IPv4 addresses in the Port Check ignore
list where the address has more than 4 segments present.

002) MFT-14723 / APAR IT44653   commit date: 04 Oct 2023
--------------------------------------------------------
When a large number of processes are in the HOLD queue, the cdpmgr's CPU
utilization may approach 100%.

003) CDUA-4182 / APAR IT43670   commit date: 06 Oct 2023
--------------------------------------------------------
Attempts to update the Integrated File Agent configuration from the C:D
Web Services UI may fail and report XCMM076I. The details of the error
scenario logged with this message may be incomplete or otherwise
unhelpful.

004) MFT-14939 / APAR IT44736   commit date: 13 Oct 2023
--------------------------------------------------------
When the certificate information exceeds a length of 196, the complete
information is recorded in the statistics file, but the output of the
'select statistics' command is truncated and the CERT information is
displayed only up to 196 characters.

005) Integrated File Agent component updates   commit date: 17 Oct 2023
-----------------------------------------------------------------------
Update_01 CDUA-4516
--------------------
For a CDU node installed on Ubuntu, an attempt to update the Integrated
File Agent (IFA) configuration via Connect:Direct Web Services (CDWS) may
fail, indicating "Something went wrong. Please try again later."
Update_02 MFT-14924 / APAR IT44625
-----------------------------------
Integrated File Agent scan of a Google Storage resource fails when the
bucket name contains an underscore character.

Update_03 MFT-14960 / APAR IT44764
-----------------------------------
Integrated File Agent component configured with certificate based
authentication may fail to connect, with IFA logs indicating
NullPointerException.

006) Object Store component updates   commit date: 18 Oct 2023
--------------------------------------------------------------
Update_01 MFT-14703 / APAR IT44273
-----------------------------------
A copy step that refers to an object store name that contains space
characters may fail, generating an FIOX043E message.

Update_02 MFT-14922 / APAR IT44639
-----------------------------------
If a copy step sending from an object store fails due to lack of read
access to the object, likely generating an FIOX011E message, a zero byte
destination file may be created.

Update_03 MFT-14983 / APAR IT44765
-----------------------------------
A copy step will fail when it references a Google Storage bucket that
contains an underscore character.

007) MFT-14704 / APAR IT44390   commit date: 19 Oct 2023
--------------------------------------------------------
In some cases, if a process with a copy step to an object store fails to
specify a disposition for the object, the step will fail reporting an
FIOX022E message.

008) CDUA-4480   commit date: 19 Oct 2023
-----------------------------------------
After upgrade, stale libraries left behind from the previous installation
may cause some issues in Connect:Direct functionality.

009) Object Store component updates   commit date: 27 Oct 2023
--------------------------------------------------------------
Update_01 MFT-14705
--------------------
Alternative methods of establishing credentialed access to Azure were
missing. Fix adds the following to the existing credentials mechanisms,
in this order:
  1. ManagedIdentityCredential - If the application deploys to an Azure
     host with Managed Identity enabled, the DefaultAzureCredential will
     authenticate with that account.
  2. WorkloadIdentityCredential - If the app is deployed on Kubernetes
     with environment variables set by the workload identity webhook,
     DefaultAzureCredential will authenticate the configured identity.
  3. EnvironmentCredential - The DefaultAzureCredential will read account
     information specified via environment variables and use it to
     authenticate.
New configuration properties added:
  az.workloadTenantId
  az.workloadServiceTokenFilePath
  az.managedIdClientId
  az.workloadIdClientId
See documentation for details.

Update_02 CDUA-2888
--------------------
Certificates required for secure connections to object stores were only
accessed from the JRE truststore. Fix adds a configuration option,
store.keyStore, to use C:D S+ trusted certificates in addition to or in
place of the JRE truststore. This option takes the following values:
  JRE_ONLY (default): the JRE keystore will be used as the unique source
                      for CAs
  SP_ONLY:  the Secure Plus keystore will be used as the unique source
            for CAs
  JRE_SP:   the JRE keystore is the first source for CAs, next the Secure
            Plus keystore will be used
  SP_JRE:   the Secure Plus keystore is the first source for CAs, next the
            JRE keystore will be used
See documentation for details.

Update_03 CDUA-4410
--------------------
Azure shared access signature (SAS) resource access was not supported.
Fix adds support for SAS tokens with the new az.sasToken property. Azure
access credentials order is now:
  - Connection string if az.connectionString provided
  - Shared key if az.accountName and az.accountKey provided
  - SAS token if az.sasToken provided
  - Managed identity credentials if az.managedIdentityId provided
  - Workload identity credentials if az.worloadIdentityId provided, plus
    optional properties az.workloadTenantId, az.workloadServiceTokenFilePath.
    These properties only work inside Azure.
  - Environment credentials
See documentation for details.

Update_04 MFT-14773
--------------------
While C:D is accessing an AWS S3 object store with temporary credentials,
it is possible that the temporary credentials will be updated in
anticipation of expiration. C:D would not recognize that new credentials
were available in this case, and access would fail. Fix enables C:D to
monitor and refresh credentials files when the files are updated.

Update_05 MFT-14933 / APAR IT44839
-----------------------------------
The Object Store service and Integrated File Agent components, included in
IBM Sterling Connect:Direct for UNIX, use netty-handler versions that are
vulnerable to the following issue: CVE-2023-4586.

Update_06 MFT-15020 / APAR IT44840
-----------------------------------
When Integrated File Agent (IFA) is watching an object store bucket, the
IFA log files may show an inappropriate message indicating "error object
'' does NOT exist", referring to the bucket being watched.

Update_07 FLAG-275
-------------------
IFA now has the ability to use fileio.exit records defined in the C:D
initparm.cfg with the store.configFromCD property. See documentation for
details.

010) MFT-14731 / APAR IT44469   commit date: 10 Nov 2023
--------------------------------------------------------
Sending to an object store with invalid credentials or region specified
results in an FIOX022E message and abrupt termination of the connection
with the remote node.

011) CDUA-4405   commit date: 10 Nov 2023
-----------------------------------------
Address CDU failure to log messages about Integrated File Agent events,
such as agent startup or agent startup failure.
012) Accumulated security updates   commit date: 20 Nov 2023
------------------------------------------------------------
Update_01 CDUA-4619
--------------------
Updated the UBI base image for the CDU container to the latest version,
UBI 9.3-1361.1699548029.

Update_02 MFT-14796/MFT-14797/MFT-14798
----------------------------------------
The Install Agent component uses Jetty that is affected by the following
issues: CVE-2022-2047, CVE-2022-2048, CVE-2023-26048, CVE-2023-26049,
CVE-2021-28169, CVE-2021-34429, and PRISMA-2021-0182.

Update_03 MFT-14848
--------------------
The IBM Certified container uses the ncurses package, which is affected by
the following issue: CVE-2023-29491.

Update_04 MFT-14842 / APAR IT44998
-----------------------------------
The IBM Certified container uses the procps-ng package, which is affected
by the following issue: CVE-2023-4016.

013) CDUA-4627   commit date: 22 Nov 2023
-----------------------------------------
Added support in Connect:Direct for UNIX to run pre- and post-upgrade
actions from Control Center Director.

014) CDUA-4626   commit date: 22 Nov 2023
-----------------------------------------
Transmission Control Queue processing optimized for better performance.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.3.0.2
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.3.0.2
===========================================================

001) Java component updates   commit date: 13 Dec 2023
------------------------------------------------------
Update_01 MFT-15057
--------------------
On occasion, javax.net.debug is defined for an object store when debugging
SSL/TLS connection problems. The output from setting this property was
routed to stdout instead of the object store log file.
Update_02 MFT-15107
--------------------
There may be scenarios where an endpoint override is required for sending
an object to Google Storage (GS), but this feature was not implemented.
Fix adds three GS-specific properties, gs.endPointUrl, gs.endPointPort and
gs.endPointSecure, with definitions similar to the other object store
provider properties of the same name. Since all supported object store
providers now support endpoint overrides, general properties are also
added: store.endPointUrl, store.endPointPort and store.endPointSecure.
Note: if both specific and general object store endpoint overrides are
specified, the specific property takes precedence.

Update_03 MFT-15109
--------------------
The Object Store service and Integrated File Agent components, included in
IBM Sterling Connect:Direct for UNIX, use versions of the Google libraries
grpc-core and grpc-protobuf that are affected by the following issues:
CVE-2023-33953, CVE-2023-44487 and CVE-2023-4785.

Update_04 MFT-15182 / APAR IT45121
-----------------------------------
The Object Store service and Integrated File Agent components, included in
IBM Sterling Connect:Direct for UNIX, use a reactor-netty version that is
affected by the following issue: CVE-2023-34062. Fix updates reactor-netty
to 1.1.13.

Update_05 MFT-15185
--------------------
The Object Store service and Integrated File Agent components, included in
IBM Sterling Connect:Direct for UNIX, use a reactor-netty version that is
affected by the following issue: CVE-2023-34054. Fix updates reactor-netty
to 1.1.13.

Update_06 FLAG-303
-------------------
The Object Store service and Integrated File Agent components, included in
IBM Sterling Connect:Direct for UNIX, use an Azure-Identity version that
is affected by the following issues: CVE-2023-36414 and CVE-2023-36415.
Fix updates Azure-Identity to 1.11.1.
Update_07 FLAG-305
-------------------
The Object Store service and Integrated File Agent components, included in
IBM Sterling Connect:Direct for UNIX, use Spring Boot versions that are
affected by the following issue: CVE-2023-34055. Fix updates Spring Boot
to 2.7.18.

Update_08 MFT-15174 / APAR IT45135
-----------------------------------
After a recent change, when a connection to an S3 object store is made,
the aws-crt native library is loaded inside the /tmp directory with every
transfer. So, once /tmp runs out of space after a number of file
transfers, Java errors start to occur. Updated Connect:Direct for UNIX to
remove the usage of aws-crt native libraries.

Update_09 MFT-15122
--------------------
Communicating with AWS S3 object stores fails when a bucket policy
requires the HTTP header x-amz-content-sha256 valued with the request body
content hash.

002) Accumulated security updates   commit date: 21 Dec 2023
------------------------------------------------------------
Update_01 MFT-15160
--------------------
Updated the UBI base image to 9.3-1476 in the CDU container.

Update_02 MFT-15138
--------------------
The CDU container uses the binutils package, which is affected by the
following issues: CVE-2022-45703, CVE-2021-45078, CVE-2022-47695,
CVE-2022-47673, and CVE-2021-46174.

003) CDUA-4670, CDUA-4671   commit date: 29 Dec 2023
----------------------------------------------------
Processes submitted with maxdelay are stuck in PE (for a maximum of 30
seconds) until the maxdelay time expires. Submitted processes often wait
30 seconds in PE before beginning execution.

004) MFT-15184 / APAR IT45239   commit date: 09 Jan 2024
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) uses versions of IBM(R) Runtime
Environment Java(TM) (JRE) that have vulnerabilities disclosed as part of
recent IBM Java SDK updates.
JRE versions on Linux and AIX platforms are vulnerable to CVE-2023-5676
and CVE-2023-22081, and affected by CVE-2023-22045 and CVE-2023-22049.
JRE versions on the Solaris platform are vulnerable to CVE-2023-5676,
CVE-2023-22081, CVE-2023-21930, CVE-2023-21967, and CVE-2023-21968, and
affected by CVE-2023-22045, CVE-2023-22049, CVE-2023-21954, CVE-2023-21939,
CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.
JRE versions on the HP-UX platform are vulnerable to CVE-2023-21930,
CVE-2023-21967, and CVE-2023-21968, and affected by CVE-2023-21954,
CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597,
CVE-2023-21830, CVE-2023-21843, and CVE-2022-21426.
Updated the bundled JRE to version 8.0.8.15 for Linux, AIX, and Solaris
platforms. Updated the bundled JRE to version 8.0.8.5 for the HP-UX
platform.

005) MFT-15225 / APAR IT45241   commit date: 09 Jan 2024
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for
UNIX, uses jetty-io and jetty-server versions that are vulnerable to
CVE-2023-36478, CVE-2023-44487 and CVE-2023-40167, and affected by
CVE-2023-36479 and CVE-2023-41900.

006) CDUA-4727   commit date: 11 Jan 2024
-----------------------------------------
Linux customers may want to manage C:D as a systemd service. Fix adds an
example systemd unit configuration file, cdu.service, in the C:D etc
directory when installed on a Linux system. Fix also adds in the ndm/bin
directory for all platforms a start script, cduStart, a stop script,
cduStop, and some source files, cdenv.sh and cdenv.csh, used for setting
CLI environment variables in a user's current shell.

007) CDUA-4692   commit date: 19 Jan 2024
-----------------------------------------
While interactively upgrading, an access issue referring to /dev/null may
be seen.

008) CDUA-4768   commit date: 29 Jan 2024
-----------------------------------------
Upgraded the Red Hat UBI base image to 9.3-1552 in the CDU container image
for the latest security fixes.
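The following script is an added example, not IBM Connect:Direct code, that applies the precedence rules stated above to an ioexit properties file: the Azure credential order and the store.keyStore CA-source values from 6.3.0.1 item 009 (Update_01 through Update_03), and the rule from 6.3.0.2 item 001 Update_02 that a provider-specific endpoint override beats the general store.endPoint* property. It reports which credential mechanism the documented order actually selects and which configured mechanisms are shadowed by a higher-ranked one, which is the check worth running after adding a SAS token to a node that still carries an old connection string. The key=value file format, the constructed sample values, and the spelling of the managed/workload identity client-id properties (taken from Update_01; Update_03 spells them differently) are assumptions of this example.

```python
"""Audit effective object store settings in a Connect:Direct ioexit
properties file.

Added illustration, not IBM Connect:Direct code. It encodes the precedence
rules from the maintenance notes: provider-specific <p>.endPoint* beats
store.endPoint*; Azure credentials are chosen as connection string, shared
key, SAS token, managed identity, workload identity, else environment; and
store.keyStore selects which truststore(s) supply CAs, in which order.
Assumed: key=value format with '#' comments, the constructed sample, and
the identity property names as listed in 6.3.0.1 item 009 Update_01.
"""

# Azure mechanisms in documented precedence order -> properties they need.
AZURE_CREDENTIAL_ORDER = (
    ("connection string", ("az.connectionString",)),
    ("shared key", ("az.accountName", "az.accountKey")),
    ("SAS token", ("az.sasToken",)),
    ("managed identity", ("az.managedIdClientId",)),    # assumed name
    ("workload identity", ("az.workloadIdClientId",)),  # assumed name
)

# Documented store.keyStore values -> ordered CA sources.
KEYSTORE_SOURCES = {
    "JRE_ONLY": ("JRE",),
    "SP_ONLY": ("SP",),
    "JRE_SP": ("JRE", "SP"),
    "SP_JRE": ("SP", "JRE"),
}


def parse_properties(text):
    """Minimal Java-style properties parser: key=value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_endpoint(props, provider):
    """Effective endpoint override for a provider prefix ('gs', 's3', 'az').
    Specific property wins, store.* is the fallback; None if no URL is set."""
    def pick(name):
        return props.get(f"{provider}.{name}") or props.get(f"store.{name}")

    url = pick("endPointUrl")
    if not url:
        return None
    port, secure = pick("endPointPort"), pick("endPointSecure")
    return {
        "url": url,
        "port": int(port) if port else None,
        "secure": secure.lower() == "true" if secure else None,
    }


def select_azure_credential(props):
    """First mechanism whose required properties are all present."""
    for name, keys in AZURE_CREDENTIAL_ORDER:
        if all(props.get(k) for k in keys):
            return name
    return "environment credentials"


def shadowed_azure_credentials(props):
    """Mechanisms that are configured but outranked by an earlier one
    (e.g. a leftover az.connectionString silently wins over az.sasToken)."""
    chosen = select_azure_credential(props)
    shadowed, past_chosen = [], False
    for name, keys in AZURE_CREDENTIAL_ORDER:
        if name == chosen:
            past_chosen = True
        elif past_chosen and all(props.get(k) for k in keys):
            shadowed.append(name)
    return shadowed


def ca_sources(props):
    """Ordered CA sources for store.keyStore; JRE_ONLY is the documented default."""
    value = props.get("store.keyStore", "JRE_ONLY").upper()
    if value not in KEYSTORE_SOURCES:
        raise ValueError(f"unknown store.keyStore value: {value}")
    return KEYSTORE_SOURCES[value]


# Constructed sample (not from any real installation).
SAMPLE = """
# Azure: connection string left from an old setup, SAS token added later
az.connectionString=DefaultEndpointsProtocol=https;AccountName=example;AccountKey=REDACTED
az.sasToken=sv=2022-11-02&ss=b&sig=REDACTED
# Endpoint overrides: general settings plus a GS-specific URL
store.endPointUrl=https://proxy.internal.example
store.endPointPort=8443
store.endPointSecure=true
gs.endPointUrl=https://gs-proxy.internal.example
store.keyStore=SP_JRE
"""

if __name__ == "__main__":
    p = parse_properties(SAMPLE)
    print("azure credential in use:", select_azure_credential(p))
    print("configured but shadowed:", shadowed_azure_credentials(p))
    print("gs endpoint:", resolve_endpoint(p, "gs"), "| CA sources:", ca_sources(p))
```

On the constructed sample the audit reports that the connection string is the mechanism in use and the SAS token is shadowed, that the GS endpoint takes the gs.endPointUrl value while inheriting port and secure flag from the store.* properties, and that CAs are taken from the Secure Plus keystore first and the JRE keystore second.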
009) Accumulated container updates   commit date: 29 Jan 2024
-------------------------------------------------------------
Update_01 MFT-14889/IT45372
----------------------------
CDU container cannot authenticate LDAP users using either the ldap or the
ldaps protocol.

Update_02 MFT-15264/IT45374
----------------------------
When the store service tries to use the CDU keystore in a container with
the option -Dstore.keyStore=SP_ONLY in the ioexit configuration, the file
transfer fails with msgid XCPR009I and the object store logs report the
error "Error while setting the Secure+ trust environment".

Update_03 CDUA-4772
--------------------
The CDU container helm chart is supported on OCP 4.14 and K8s 1.27.

010) CDUA-4512   commit date: 30 Jan 2024
-----------------------------------------
Installation failure during the customisation step with the root user as
installer and admin.

011) MFT-15241 / APAR IT45370   commit date: 31 Jan 2024
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for
UNIX, uses kotlin-stdlib versions that are affected by the following
issue: CVE-2022-24329.

012) MFT-15242 / APAR IT45371   commit date: 31 Jan 2024
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for
UNIX, uses gradle-buildconfig-plugin versions that are affected by the
following issues: CVE-2019-15052, CVE-2023-35947, CVE-2021-29428,
CVE-2020-11979, CVE-2021-32751, CVE-2023-44387, CVE-2019-11065,
CVE-2019-16370, CVE-2021-29429, CVE-2023-35946, and CVE-2023-42445.

013) CDUA-4777   commit date: 05 Feb 2024
-----------------------------------------
Update the cdu.service example systemd unit file so that the service
start and stop commands are executed by the CDU installer.
014) MFT-15399 / APAR IT45539   commit date: 21 Feb 2024
--------------------------------------------------------
Compilation of a user exit program may fail due to some newly added
threading APIs in Connect:Direct for UNIX. Fix removes the inclusion of
the new APIs from the user exit program.

015) CDUA-4582, MFT-14279 / APAR IT45554   commit date: 21 Feb 2024
-------------------------------------------------------------------
When CDU has received around 400GB of data over a TLS 1.3 session using
AES cipher suites, the receive may fail, reporting a series of CSPA204E
and CSPA095E messages. The initial CSPA204E message will indicate
"rsn=gsk_secure_soc_read() returned - GSK_ERROR_UNKNOWN_ERROR - Internal
unknown error". When this happens, the sender shows a series of messages
that may include XSMG622I, XIPT008I, and XSMG625I. The receive may be a
single large file, or a series of large files over the same session (a
wildcard copy step, for example). Part of the fix is to periodically
restart the secure session during the transfer, which should be
transparent. If this restart fails, two new messages may be seen:
CSPA330E, Remote node does not support TLS Restart, and CSPA331E, The
Secure+ TLS session restart failed.