Readme file for: IBM® Power Virtualization Center Publication Date: September 27, 2024 This iFix applies to IBM PowerVC 2.1.1.1 Note: Ensure that the name of the maintenance file is not changed when it is downloaded. This change might be intentional, or it might be an inadvertent change that is caused by certain web browsers or download utilities. This iFix addresses the following issues: CVE-2024-3372: Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25. CVE-2024-5569: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp. CVE-2023-43804: urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. CVE-2023-45803: urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Installation steps :- ------------------ 1) Take a backup of PowerVC. 2) Copy the included IT46632-2.1.1.1-POWERVC.tgz file to the PowerVC primary node. 3) Run the following command from the primary node to apply the iFix on all the PowerVC nodes one by one: powervc-opsmgr apply-ifix --ifix -c --host Example : powervc-opsmgr apply-ifix --ifix /root/IT46632-2.1.1.1-POWERVC.tgz -c --host Note: The yum repo-pkgs ifix-IT46632-2.1.1.1-POWERVC list --showduplicates Expected Output: --------------- RHEL: ---- #yum repolist repo id repo name ifix-IT46038-2.1.1.1-OPSMGR ifix-IT46038-2.1.1.1-OPSMGR ifix-IT46632-2.1.1.1-POWERVC ifix-IT46632-2.1.1.1-POWERVC powervc-ifix-IT45562-2.1.1.1-OPSMGR IT45562-2.1.1.1-OPSMGR powervc-noarch POWERVC Openstack noarch powervc-opsmgr-noarch POWERVC Opsmgr noarch powervc-opsmgr-x86_64 POWERVC Opsmgr x86_64 powervc-x86_64 POWERVC Openstack x86_64 pvc-openstack-multiarch-rhel9 POWERVC Openstack multiarch rhel9 pvc-openstack-noarch POWERVC Openstack noarch pvc-openstack-noarch-rhel9 POWERVC Openstack noarch rhel9 pvc-openstack-x86_64 POWERVC Openstack x86_64 --- End of list --- Copyright and trademark information http://www.ibm.com/legal/copytrade.shtml Notices INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Other company, product, or service names may be trademarks or service marks of others. Third-Party License Terms and Conditions, Notices and Information The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version. Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions: * the Excluded Components are provided on an "AS IS" basis * IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * IBM will not be liable to you or indemnify you for any claims related to the Excluded Components * IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.