========================================================= Maintenance for IBM Connect:Direct FTP Plus Version 1.3.0 ========================================================= This maintenance archive includes module replacements for the C:D FTP+ 1.2.0 code base. It is applicable to C:D FTP+ version 1.3.0, and contains all the new functionality and fixes as described in the C:D FTP+ 1.3.0 Release notes, as well as fixes for the issues listed below. After applying the maintenance, the banner displayed when initiating a connection to a server will report that your C:D version is 1.3.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created. For more information, please refer to the C:D FTP+ 1.3.0 Release Notes. NOTICE: Beginning with iFix 1.3.0.0.iFix023 below, security updates will be described as either affected or vulnerable, based on the following definitions from IBM: Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time. Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable. Issues classified as affected will not be published in security bulletins, in most cases. ========================== iFixes to C:D FTP+ 1.3.0.0 ========================== 001) RTC455801 / APAR IT07069 commit date: 11 Feb 2014 -------------------------------------------------------- SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566). SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is enabled. Fix changes the default protocol from SSLv3 to TLS. 002) RTC491210 / APAR IT14195 commit date: 08 Mar 2016 -------------------------------------------------------- Connect:Direct FTP+ (CDFtp+) running on all supported UNIX platforms except for HP-UX uses IBM� Runtime Environment Java� Technology Edition, Version 7.0.9. CDFtp+ running on HP-UX PA_RISC uses IBM� Runtime Environment Java� Technology Edition, Version 6.0.14. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates for October 2015, CDFtp+ is vulnerable to: CVE-2015-4872: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as �SLOTH�, CDFtp+ is vulnerable to: CVE-2016-0475: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as �SLOTH�. Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK updates for October 2015, CDFtp+ is vulnerable to: CVE-2015-4872: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as �SLOTH�, CDFtp+ is vulnerable to: CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as �SLOTH�. 003) RTC496774 / APAR IT14554 commit date: 31 Mar 2016 -------------------------------------------------------- Connect:Direct FTP+ (CDFtp+) running on HP-UX Itanium uses IBM� Runtime Environment Java� Technology Edition, Version 7.0.9. CDFtp+ running on HP- UX PA_RISC uses IBM� Runtime Environment Java� Technology Edition, Version 6.0.16.16. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates for October 2015, CDFtp+ is vulnerable to: CVE-2015-4872: An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as �SLOTH�, CDFtp+ is vulnerable to: CVE-2016-0475: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as �SLOTH�. Of the issues in JRE 6.0.16.16 that were disclosed as part of the IBM Java SDK updates in January 2016, CDFtp+ is vulnerable to: CVE-2016-0475: An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact. 004) RTC503673 / APAR IT15845 commit date: 23 Jun 2016 -------------------------------------------------------- Connect:Direct FTP+ uses Flexera InstallAnywhere, which is vulnerable to the following issue: CVE-2016-4560: Flexera InstallAnywhere could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system. 005) RTC518198 / APAR IT17607 commit date: 19 Oct 2016 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE) Version 7.0.9.30 (6.0.16.20 on the HP-UX PA_RISC platform). These JREs are vulnerable to the following issue, disclosed as part of the IBM Java SDK updates in April 2016: CVE-2016-3426: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. 006) RTC539217 / APAR IT20756 commit date: 24 May 2017 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE) Version 7.0.9.50 (6.0.16.30 on the HP-UX PA_RISC platform). These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in January 2017: CVE-2016-5546: An unspecified vulnerability related to the Libraries component has no confidentiality impact, high integrity impact, and no availability impact. CVE-2016-5548: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2016-5549: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2016-5547: An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2016-5552: An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. CVE-2016-2183: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the- middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack. NOTICE: This is the last release to be published for C:D FTP+ 1.3.0 for HP-UX PA_RISC. In the future, releases for this platform will be available on demand only from Customer Support. 007) RTC546237 / APAR IT21636 commit date: 30 Jul 2017 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses jzlib version 1.1.3. This jzlib version is vulnerable to the following issues: CVE-2016-9840: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9841: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9842: zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9843: zlib is vulnerable to a denial of service, caused by a big- endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 008) RTC552784 / APAR IT22755 commit date: 12 Oct 2017 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE) Version 7.0.10.1 (6.0.16.41 on the HP-UX PA_RISC platform). These JREs are vulnerable to the following issue, disclosed as part of the IBM Java SDK updates in January 2017: CVE-2017-10115: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2017-10116: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system. 009) RTC569886 commit date: 01 Jun 2018 ----------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE) Version 7.0.10.10. This JRE is vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in January and April 2018: CVE-2018-2633: An unspecified vulnerability related to the Java SE JNDI component could allow an unauthenticated attacker to take control of the system. CVE-2018-2603: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2018-2579: An unspecified vulnerability related to the Java SE Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVE-2018-2618: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2018-2602: An unspecified vulnerability related to the Java SE I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. CVE-2018-2783: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause high confidentiality impact, high integrity impact, and no availability impact. 010) MFT-10002 / APAR IT26935 commit date: 08 Nov 2018 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE) Versions 8.0.5.16, 8.0.5.15, and 7.0.10.25. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in July 2018: CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 011) MFT-10291 / APAR IT28838 commit date: 12 Apr 2019 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in October 2018 and January 2019: CVE-2018-3180: An unspecified vulnerability related to the Java SE JSSE component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. CVE-2018-1890: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users. CVE-2018-12547: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. 012) MFT-10607 / APAR IT30889 commit date: 26 Sep 2019 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ running on AIX uses IBM� Runtime Environment Java� (JRE) Version 8.0.5.30. This JRE is vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in July 2019: CVE-2019-4473: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. CVE-2019-11771: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system. 013) MFT-10611 / APAR IT30425 commit date: 26 Sep 2019 -------------------------------------------------------- Installation on some systems with limited 32 bit library support may fail, reporting �JRE libraries are missing or not compatible.� Also, C:D FTP+ installed on an EFS file system in an Amazon Web Services EC2 instance will fail to start, reporting �Error: missing `j9vm' JVM�. 014) MFT-10963 commit date: 06 Apr 2020 ----------------------------------------- Installation fails on Windows Server 2019, reporting the following or similar error: "Flexeraaw7$aaa: Windows DLL failed to load". 015) MFT-11035 / APAR IT32539 commit date: 13 Apr 2020 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ running on Microsoft Windows uses IBM� Runtime Environment Java� (JRE) Versions 8.0.5.40. This JRE is vulnerable to the following issue, disclosed as part of the IBM Java SDK updates in January 2020: CVE-2019-4732: IBM SDK, Java Technology Edition Version could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. 016) MFT-11081 / APAR IT32747 commit date: 04 May 2020 -------------------------------------------------------- When using the GUI and connected to C:D z/OS, a directory listing on z/OS will not show files that have a volser that begins with digits. 017) MFT-11341 / APAR IT33951 commit date: 09 Mar 2021 -------------------------------------------------------- IBM Connect:Direct for UNIX uses IBM(R) Runtime Environment Java(TM) (JRE) Versions 8.0.6.0, 8.0.5.30, and 7.0.10.40. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in March and August 2020: CVE-2020-2654: An unspecified vulnerability in Java SE related to the Java SE Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-14579: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-14578: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. 018) MFT-11441 / APAR IT34448 commit date: 05 Oct 2020 -------------------------------------------------------- When configured for SSLv3, connection attempts fail, indicating �550 Connection failure - possible Secure+ definition error.� A debug log of this failure shows �java.io.IOException: Error creating the SSLSocket: java.security.NoSuchAlgorithmException: no such algorithm: SSLv3 for provider IBMJSSE2�. NOTICE: SSLv3 is an obsolete and insecure protocol. IBM recommends using the TLS protocol instead. 019) MFT-11923 / APAR IT36153 commit date: 31 Aug 2021 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.6.15. CDFtp on HP-UX uses JRE Version 8.0.5.35. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in October 2020 and January 2021: CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVE-2020-14782: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. 020) MFT-12802 / APAR IT39686 commit date: 08 Feb 2022 -------------------------------------------------------- Apache Log4j used by IBM Sterling C:D FTP+ has been upgraded to version 2.17.1. 021) MFT-13412 / APAR IT41221 commit date: 14 Jun 2022 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.6.30. This JRE is vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in October 2021: CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. 022) MFT-14065 / APAR IT43060 commit date: 06 Feb 2023 -------------------------------------------------------- IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.7.10. This JRE is vulnerable to the following issue, disclosed as part of the IBM Java SDK updates in October 2022: CVE-2022-21626: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. IBM Sterling Connect:Direct FTP+ (CDFtp) on HP-UX platform uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.6.30. This JRE is vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in October 2021: CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. NOTICE: C:D FTP+ on Solaris x86 platform is deprecated. Fixes will be available only on demand for this platform until end of support is reached. NOTICE: Going forward, security updates will be described as either affected or vulnerable, based on the following definitions from IBM: Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time. Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable. Issues classified as affected will not be published in security bulletins, in most cases. 023) MFT-14244 / APAR IT43733 commit date: 16 May 2023 -------------------------------------------------------- IBM Connect:Direct FTP+ (CDFTP) on AIX, Linux, and Solaris platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.7.20. This JRE version is affected by the following issues, dislosed as part of recent IBM Java SDK updates: CVE-2023-21830, CVE-2023-21843, and CVE-2022-21426. CDFTP on HP-UX platform uses JRE Version 8.0.7.10. This JRE version is affected by the following issue: CVE-2023-30441. This JRE version is vulnerable to the following issue, disclosed as part of recent IBM Java SDK updates: CVE-2022-21626. NOTICE: C:D FTP+ on HP-UX platform is deprecated. Fixes will be available only on demand for this platform until end of support is reached. 024) MFT-14605 / APAR IT44110 commit date: 05 Jul 2023 -------------------------------------------------------- IBM Connect:Direct FTP+ (CDFTP) on AIX, Linux, and Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in this version were disclosed as part of recent IBM Java SDK updates. This JRE version is vulnerable to the following issue: CVE-2023-21967. This JRE version is affected by the following issues: CVE-2023-21930, CVE- 2023-21968, CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597. 025) MFT-15198 / APAR IT45282 commit date: 17 Jan 2024 -------------------------------------------------------- IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment Java(TM) (JRE) that have vulnerabilities disclosed as part of recent IBM Java SDK updates. JRE versions on Linux, AIX, and Windows platforms are vulnerable to CVE-2023-5676 and CVE-2023-22081, and affected by CVE-2023-22067, CVE-2023-22045 and CVE-2023-22049. JRE versions on Solaris platform are vulnerable to CVE-2023-5676, CVE-2023-22081, and CVE-2023-21967, and affected by CVE-2023-22067, CVE-2023-22045, CVE-2023-22049, CVE-2023-21954, CVE-2023-21930, CVE-2023-21968, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597. Updated bundled JRE version to 17.0.9.0 for Linux, AIX, and Windows platforms, and 8.0.8.15 for Solaris platform. NOTICE: IBM JRE version 17 on AIX requires XL C++ Runtime 16.1.0.7 or later. Refer https://www.ibm.com/support/pages/fix-list-xl-cc-runtime-aix#161X