=========================================================
Maintenance for IBM Connect:Direct FTP Plus Version 1.3.0
=========================================================
This maintenance archive includes module replacements for the C:D FTP+ 1.2.0
code base. It is applicable to C:D FTP+ version 1.3.0, and contains all the new
functionality and fixes as described in the C:D FTP+ 1.3.0 Release notes, as
well as fixes for the issues listed below.
After applying the maintenance, the banner displayed when initiating a
connection to a server will report that your C:D version is 1.3.0.x, where x is
the current Fix Pack. It will also display the
date that the maintenance was created.
For more information, please refer to the C:D FTP+ 1.3.0 Release Notes.
NOTICE: Beginning with iFix 1.3.0.0.iFix023 below, security updates will be
described as either affected or vulnerable, based on the following
definitions from IBM:
Affected: The software product contains code which has a documented
vulnerability. Based on currently available information,
however, we believe that the issue is likely not exploitable.
However, as a best practice and from an abundance of caution,
we recommend customers update their systems as soon as
practical. Vulnerabilities evolve, and a means of exploiting
any issue may emerge at any time.
Vulnerable: The software product contains code, which has a documented
vulnerability. Our analysis shows that the issue may be
exploitable.
Issues classified as affected will not be published in security
bulletins, in most cases.
==========================
iFixes to C:D FTP+ 1.3.0.0
==========================
001) RTC455801 / APAR IT07069 commit date: 11 Feb 2014
--------------------------------------------------------
SSLv3 contains a vulnerability that has been referred to as the Padding
Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).
SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is enabled.
Fix changes the default protocol from SSLv3 to TLS.
002) RTC491210 / APAR IT14195 commit date: 08 Mar 2016
--------------------------------------------------------
Connect:Direct FTP+ (CDFtp+) running on all supported UNIX platforms except
for HP-UX uses IBM� Runtime Environment Java� Technology Edition, Version
7.0.9. CDFtp+ running on HP-UX PA_RISC uses IBM� Runtime Environment Java�
Technology Edition, Version 6.0.14.
Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates for October 2015, CDFtp+ is vulnerable to:
CVE-2015-4872: An unspecified vulnerability related to the Security
component has no confidentiality impact, partial integrity
impact, and no availability impact.
Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates in January 2016 and includes the vulnerability commonly referred to
as �SLOTH�, CDFtp+ is vulnerable to:
CVE-2016-0475: An unspecified vulnerability related to the Libraries
component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVE-2015-7575: The TLS protocol could allow weaker than expected security
caused by a collision attack when using the MD5 hash
function for signing a ServerKeyExchange message during a
TLS handshake. An attacker could exploit this vulnerability
using man-in-the-middle techniques to impersonate a TLS
server and obtain credentials. This vulnerability is
commonly referred to as �SLOTH�.
Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK
updates for October 2015, CDFtp+ is vulnerable to:
CVE-2015-4872: An unspecified vulnerability related to the Security
component has no confidentiality impact, partial integrity
impact, and no availability impact.
Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK
updates in January 2016 and includes the vulnerability commonly referred to
as �SLOTH�, CDFtp+ is vulnerable to:
CVE-2015-7575: The TLS protocol could allow weaker than expected security
caused by a collision attack when using the MD5 hash
function for signing a ServerKeyExchange message during a
TLS handshake. An attacker could exploit this vulnerability
using man-in-the-middle techniques to impersonate a TLS
server and obtain credentials. This vulnerability is
commonly referred to as �SLOTH�.
003) RTC496774 / APAR IT14554 commit date: 31 Mar 2016
--------------------------------------------------------
Connect:Direct FTP+ (CDFtp+) running on HP-UX Itanium uses IBM� Runtime
Environment Java� Technology Edition, Version 7.0.9. CDFtp+ running on HP-
UX PA_RISC uses IBM� Runtime Environment Java� Technology Edition, Version
6.0.16.16.
Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates for October 2015, CDFtp+ is vulnerable to:
CVE-2015-4872: An unspecified vulnerability related to the Security
component has no confidentiality impact, partial integrity
impact, and no availability impact.
Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK
updates in January 2016 and includes the vulnerability commonly referred to
as �SLOTH�, CDFtp+ is vulnerable to:
CVE-2016-0475: An unspecified vulnerability related to the Libraries
component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVE-2015-7575: The TLS protocol could allow weaker than expected security
caused by a collision attack when using the MD5 hash
function for signing a ServerKeyExchange message during a
TLS handshake. An attacker could exploit this vulnerability
using man-in-the-middle techniques to impersonate a TLS
server and obtain credentials. This vulnerability is
commonly referred to as �SLOTH�.
Of the issues in JRE 6.0.16.16 that were disclosed as part of the IBM Java
SDK updates in January 2016, CDFtp+ is vulnerable to:
CVE-2016-0475: An unspecified vulnerability related to the Libraries
component has partial confidentiality impact, partial
integrity impact, and no availability impact.
004) RTC503673 / APAR IT15845 commit date: 23 Jun 2016
--------------------------------------------------------
Connect:Direct FTP+ uses Flexera InstallAnywhere, which is vulnerable to
the following issue:
CVE-2016-4560: Flexera InstallAnywhere could allow a remote attacker to
execute arbitrary code on the system. The application does
not directly specify the fully qualified path to a
dynamic-linked library when running on Microsoft Windows.
By persuading a victim to open a specially-crafted file
from a WebDAV or SMB share using a vulnerable application,
a remote attacker could exploit this vulnerability via a
specially-crafted library to execute arbitrary code on the
system.
005) RTC518198 / APAR IT17607 commit date: 19 Oct 2016
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE)
Version 7.0.9.30 (6.0.16.20 on the HP-UX PA_RISC platform). These JREs are
vulnerable to the following issue, disclosed as part of the IBM Java SDK
updates in April 2016:
CVE-2016-3426: An unspecified vulnerability related to the JCE component
could allow a remote attacker to obtain sensitive
information resulting in a partial confidentiality impact
using unknown attack vectors.
006) RTC539217 / APAR IT20756 commit date: 24 May 2017
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE)
Version 7.0.9.50 (6.0.16.30 on the HP-UX PA_RISC platform). These JREs are
vulnerable to the following issues, disclosed as part of the IBM Java SDK
updates in January 2017:
CVE-2016-5546: An unspecified vulnerability related to the Libraries
component has no confidentiality impact, high integrity
impact, and no availability impact.
CVE-2016-5548: An unspecified vulnerability related to the Libraries
component could allow a remote attacker to obtain sensitive
information resulting in a high confidentiality impact
using unknown attack vectors.
CVE-2016-5549: An unspecified vulnerability related to the Libraries
component could allow a remote attacker to obtain sensitive
information resulting in a high confidentiality impact
using unknown attack vectors.
CVE-2016-5547: An unspecified vulnerability related to the Libraries
component could allow a remote attacker to cause a denial
of service resulting in a low availability impact using
unknown attack vectors.
CVE-2016-5552: An unspecified vulnerability related to the Networking
component has no confidentiality impact, low integrity
impact, and no availability impact.
CVE-2016-2183: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher,
used as a part of the SSL/TLS protocol. By capturing large
amounts of encrypted traffic between the SSL/TLS server and
the client, a remote attacker able to conduct a man-in-the-
middle attack could exploit this vulnerability to recover
the plaintext data and obtain sensitive information. This
vulnerability is known as the SWEET32 Birthday attack.
NOTICE: This is the last release to be published for C:D FTP+ 1.3.0 for
HP-UX PA_RISC. In the future, releases for this platform will
be available on demand only from Customer Support.
007) RTC546237 / APAR IT21636 commit date: 30 Jul 2017
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses jzlib version 1.1.3. This jzlib
version is vulnerable to the following issues:
CVE-2016-9840: zlib is vulnerable to a denial of service, caused by an
out-of-bounds pointer arithmetic in inftrees.c. By
persuading a victim to open a specially crafted document, a
remote attacker could exploit this vulnerability to cause a
denial of service.
CVE-2016-9841: zlib is vulnerable to a denial of service, caused by an
out-of-bounds pointer arithmetic in inftrees.c. By
persuading a victim to open a specially crafted document, a
remote attacker could exploit this vulnerability to cause a
denial of service.
CVE-2016-9842: zlib is vulnerable to a denial of service, caused by an
undefined left shift of negative number. By persuading a
victim to open a specially crafted document, a remote
attacker could exploit this vulnerability to cause a denial
of service.
CVE-2016-9843: zlib is vulnerable to a denial of service, caused by a big-
endian out-of-bounds pointer. By persuading a victim to
open a specially crafted document, a remote attacker could
exploit this vulnerability to cause a denial of service.
008) RTC552784 / APAR IT22755 commit date: 12 Oct 2017
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java� (JRE)
Version 7.0.10.1 (6.0.16.41 on the HP-UX PA_RISC platform). These JREs are
vulnerable to the following issue, disclosed as part of the IBM Java SDK
updates in January 2017:
CVE-2017-10115: An unspecified vulnerability related to the Java SE JCE
component could allow an unauthenticated attacker to
obtain sensitive information resulting in a high
confidentiality impact using unknown attack vectors.
CVE-2017-10116: An unspecified vulnerability related to the Java SE
Security component could allow an unauthenticated attacker
to take control of the system.
009) RTC569886 commit date: 01 Jun 2018
-----------------------------------------
IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java�
(JRE) Version 7.0.10.10. This JRE is vulnerable to the following issues,
disclosed as part of the IBM Java SDK updates in January and April 2018:
CVE-2018-2633: An unspecified vulnerability related to the Java SE JNDI
component could allow an unauthenticated attacker to take
control of the system.
CVE-2018-2603: An unspecified vulnerability related to the Java SE
Libraries component could allow an unauthenticated
attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVE-2018-2579: An unspecified vulnerability related to the Java SE
Libraries component could allow an unauthenticated
attacker to obtain sensitive information resulting in a
low confidentiality impact using unknown attack vectors.
CVE-2018-2618: An unspecified vulnerability related to the Java SE JCE
component could allow an unauthenticated attacker to
obtain sensitive information resulting in a high
confidentiality impact using unknown attack vectors.
CVE-2018-2602: An unspecified vulnerability related to the Java SE I18n
component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact,
and low availability impact.
CVE-2018-2783: An unspecified vulnerability related to the Java SE
Security component could allow an unauthenticated
attacker to cause high confidentiality impact, high
integrity impact, and no availability impact.
010) MFT-10002 / APAR IT26935 commit date: 08 Nov 2018
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java�
(JRE) Versions 8.0.5.16, 8.0.5.15, and 7.0.10.25. These JREs are
vulnerable to the following issues, disclosed as part of the IBM Java SDK
updates in July 2018:
CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the failure
to restrict the use of Java Attach API to connect to an
Eclipse OpenJ9 or IBM JVM on the same machine and use
Attach API operations to only the process owner. An
attacker could exploit this vulnerability to execute
untrusted native code and gain elevated privileges on
the system.
CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling
Framework for Java (DTFJ) does not protect against path
traversal attacks when extracting compressed dump files.
011) MFT-10291 / APAR IT28838 commit date: 12 Apr 2019
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses IBM� Runtime Environment Java�
(JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30. These JREs are
vulnerable to the following issues, disclosed as part of the IBM Java SDK
updates in October 2018 and January 2019:
CVE-2018-3180: An unspecified vulnerability related to the Java SE JSSE
component could allow an unauthenticated attacker to
cause low confidentiality impact, low integrity impact,
and low availability impact.
CVE-2018-1890: IBM SDK, Java Technology Edition Version 8 on the AIX
platform uses absolute RPATHs which may facilitate code
injection and privilege elevation by local users.
CVE-2018-12547: Eclipse OpenJ9 is vulnerable to a buffer overflow,
caused by improper bounds checking by the jio_snprintf()
and jio_vsnprintf() functions. By sending an overly long
argument, a remote attacker could overflow a buffer and
execute arbitrary code on the system or cause the
application to crash.
012) MFT-10607 / APAR IT30889 commit date: 26 Sep 2019
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ running on AIX uses IBM� Runtime
Environment Java� (JRE) Version 8.0.5.30. This JRE is vulnerable to the
following issues, disclosed as part of the IBM Java SDK updates in July
2019:
CVE-2019-4473: Multiple binaries in IBM SDK, Java Technology Edition on
the AIX platform use insecure absolute RPATHs, which may
facilitate code injection and privilege elevation by local
users.
CVE-2019-11771: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the inclusion
of unused RPATHS in AIX builds. An attacker could exploit
this vulnerability to inject code and gain elevated
privileges on the system.
013) MFT-10611 / APAR IT30425 commit date: 26 Sep 2019
--------------------------------------------------------
Installation on some systems with limited 32 bit library support may fail,
reporting �JRE libraries are missing or not compatible.� Also, C:D FTP+
installed on an EFS file system in an Amazon Web Services EC2 instance will
fail to start, reporting �Error: missing `j9vm' JVM�.
014) MFT-10963 commit date: 06 Apr 2020
-----------------------------------------
Installation fails on Windows Server 2019, reporting the following or
similar error: "Flexeraaw7$aaa: Windows DLL failed to load".
015) MFT-11035 / APAR IT32539 commit date: 13 Apr 2020
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ running on Microsoft Windows uses IBM�
Runtime Environment Java� (JRE) Versions 8.0.5.40. This JRE is vulnerable
to the following issue, disclosed as part of the IBM Java SDK updates in
January 2020:
CVE-2019-4732: IBM SDK, Java Technology Edition Version could allow a local
authenticated attacker to execute arbitrary code on the
system, caused by DLL search order hijacking vulnerability
in Microsoft Windows client. By placing a specially-crafted
file in a compromised folder, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
016) MFT-11081 / APAR IT32747 commit date: 04 May 2020
--------------------------------------------------------
When using the GUI and connected to C:D z/OS, a directory listing on z/OS
will not show files that have a volser that begins with digits.
017) MFT-11341 / APAR IT33951 commit date: 09 Mar 2021
--------------------------------------------------------
IBM Connect:Direct for UNIX uses IBM(R) Runtime Environment Java(TM) (JRE)
Versions 8.0.6.0, 8.0.5.30, and 7.0.10.40. These JREs are vulnerable to the
following issues, disclosed as part of the IBM Java SDK updates in March
and August 2020:
CVE-2020-2654: An unspecified vulnerability in Java SE related to the Java
SE Libraries component could allow an unauthenticated
attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVE-2020-14579: An unspecified vulnerability in Java SE related to the
Libraries component could allow an unauthenticated attacker
to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVE-2020-14578: An unspecified vulnerability in Java SE related to the
Libraries component could allow an unauthenticated attacker
to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain
sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
018) MFT-11441 / APAR IT34448 commit date: 05 Oct 2020
--------------------------------------------------------
When configured for SSLv3, connection attempts fail, indicating �550
Connection failure - possible Secure+ definition error.� A debug log of
this failure shows �java.io.IOException: Error creating the SSLSocket:
java.security.NoSuchAlgorithmException: no such algorithm: SSLv3 for
provider IBMJSSE2�.
NOTICE: SSLv3 is an obsolete and insecure protocol. IBM recommends using
the TLS protocol instead.
019) MFT-11923 / APAR IT36153 commit date: 31 Aug 2021
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and
Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version
8.0.6.15. CDFtp on HP-UX uses JRE Version 8.0.5.35. These JREs are
vulnerable to the following issues, disclosed as part of the IBM Java SDK
updates in October 2020 and January 2021:
CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer
overflow when the virtual machine or JNI natives are
converting from UTF-8 characters to platform encoding. By
sending an overly long string, a remote attacker could
overflow a buffer and execute arbitrary code on the system
or cause the application to crash.
CVE-2020-14782: An unspecified vulnerability in Java SE related to the
Libraries component could allow an unauthenticated attacker
to cause no confidentiality impact, low integrity impact,
and no availability impact.
020) MFT-12802 / APAR IT39686 commit date: 08 Feb 2022
--------------------------------------------------------
Apache Log4j used by IBM Sterling C:D FTP+ has been upgraded to version
2.17.1.
021) MFT-13412 / APAR IT41221 commit date: 14 Jun 2022
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and
Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version
8.0.6.30. This JRE is vulnerable to the following issues, disclosed as part
of the IBM Java SDK updates in October 2021:
CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain
sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain
sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
022) MFT-14065 / APAR IT43060 commit date: 06 Feb 2023
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and
Windows platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version
8.0.7.10. This JRE is vulnerable to the following issue, disclosed as part
of the IBM Java SDK updates in October 2022:
CVE-2022-21626: An unspecified vulnerability in Java SE related to the
Security component could allow an unauthenticated attacker
to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
IBM Sterling Connect:Direct FTP+ (CDFtp) on HP-UX platform uses IBM(R)
Runtime Environment Java(TM) (JRE) Version 8.0.6.30. This JRE is vulnerable
to the following issues, disclosed as part of the IBM Java SDK updates in
October 2021:
CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain
sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain
sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
NOTICE: C:D FTP+ on Solaris x86 platform is deprecated. Fixes will be available
only on demand for this platform until end of support is reached.
NOTICE: Going forward, security updates will be described as either affected or
vulnerable, based on the following definitions from IBM:
Affected: The software product contains code which has a documented
vulnerability. Based on currently available information,
however, we believe that the issue is likely not exploitable.
However, as a best practice and from an abundance of caution,
we recommend customers update their systems as soon as
practical. Vulnerabilities evolve, and a means of exploiting
any issue may emerge at any time.
Vulnerable: The software product contains code, which has a documented
vulnerability. Our analysis shows that the issue may be
exploitable.
Issues classified as affected will not be published in security
bulletins, in most cases.
023) MFT-14244 / APAR IT43733 commit date: 16 May 2023
--------------------------------------------------------
IBM Connect:Direct FTP+ (CDFTP) on AIX, Linux, and Solaris platforms use
IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.7.20. This JRE
version is affected by the following issues, dislosed as part of recent IBM
Java SDK updates: CVE-2023-21830, CVE-2023-21843, and CVE-2022-21426.
CDFTP on HP-UX platform uses JRE Version 8.0.7.10. This JRE version is
affected by the following issue: CVE-2023-30441. This JRE version is
vulnerable to the following issue, disclosed as part of recent IBM Java SDK
updates: CVE-2022-21626.
NOTICE: C:D FTP+ on HP-UX platform is deprecated. Fixes will be available only
on demand for this platform until end of support is reached.
024) MFT-14605 / APAR IT44110 commit date: 05 Jul 2023
--------------------------------------------------------
IBM Connect:Direct FTP+ (CDFTP) on AIX, Linux, and Windows platforms use
IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in
this version were disclosed as part of recent IBM Java SDK updates.
This JRE version is vulnerable to the following issue: CVE-2023-21967.
This JRE version is affected by the following issues: CVE-2023-21930, CVE-
2023-21968, CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938,
and CVE-2023-2597.
NOTICE: Beginning with the iFix below, CDFTP on AIX requires XL C++ Runtime
16.1.0.7 or later. This is a requirement of IBM JRE version 17. For
more information, see https://www.ibm.com/support/pages/fix-list-xl-cc-
runtime-aix#161X.
025) MFT-15198 / APAR IT45282 commit date: 17 Jan 2024
--------------------------------------------------------
IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment Java(TM)
(JRE) that have vulnerabilities disclosed as part of recent IBM Java SDK updates.
JRE versions on Linux, AIX, and Windows platforms are vulnerable to CVE-2023-5676 and CVE-2023-22081,
and affected by CVE-2023-22067, CVE-2023-22045 and CVE-2023-22049.
JRE versions on Solaris platform are vulnerable to CVE-2023-5676, CVE-2023-22081, and CVE-2023-21967,
and affected by CVE-2023-22067, CVE-2023-22045, CVE-2023-22049, CVE-2023-21954, CVE-2023-21930,
CVE-2023-21968, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.
Updated bundled JRE version to 17.0.9.0 for Linux, AIX, and Windows platforms, and 8.0.8.15 for Solaris platform.
026) MFT-15198 / APAR IT45847/IT45848 commit date: 29 Mar 2024
----------------------------------------------------------------
IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment Java(TM)
(JRE) that have vulnerabilities disclosed as part of recent IBM Java SDK updates.
JRE versions on Linux, AIX, and Windows platforms are affected by CVE-2024-20932, CVE-2024-20952,
CVE-2024-20918, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, and CVE-2024-22361.
JRE versions on Solaris platform are affected by CVE-2024-20952, CVE-2024-20918,
CVE-2024-20921, CVE-2024-20919, CVE-2024-20926, CVE-2024-20945, and CVE-2023-33850.
Updated bundled JRE version to 17.0.10.0 for Linux, AIX, and Windows platforms, and 8.0.8.20 for Solaris platform.
027) CDFTP-39 commit date: 05 Apr 2024
----------------------------------------
OWASP scan may report invalid/previously fixed issues.
028) MFT-15888 / APAR IT46642 commit date: 05 Aug 2024
--------------------------------------------------------
IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment
Java(TM) (JRE) that have vulnerabilities disclosed as part of recent IBM
Java SDK updates.
JRE 17 versions on AIX, Linux, and Windows platforms are affected by CVE-
2024-21085, CVE-2024-21012, and CVE-2024-3933.
JRE 8 version on Solaris platform is affected by CVE-2024-21094, CVE-2024-
21085, CVE-2024-21011, and CVE-2023-38264
Fix updates bundled JRE version to 17.0.11.0 for Linux, AIX, and Windows
platforms, and 8.0.8.25 for Solaris platform.
029) MFT-16092 / APAR IT47102 commit date: 18 Oct 2024
--------------------------------------------------------
IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment
Java(TM) (JRE) that have vulnerabilities disclosed as part of recent IBM
Java SDK updates.
JRE 17 versions on AIX, Linux, and Windows platforms are affected by CVE-
2024-21145, CVE-2024-21144, and CVE-2024-21131.
JRE 8 version on Solaris platform is affected by CVE-2024-21147, CVE-2024-
21145, CVE-2024-21140, CVE-2024-21144, CVE-2024-21138, CVE-2024-21131, and
CVE-2024-27267.
Updated bundled JRE version to 17.0.12.0 for Linux, AIX, and Windows
platforms, and 8.0.8.30 for Solaris platform.
NOTICE: C:D FTP+ on Solaris SPARC platform is deprecated. Fixes will be
available only on demand for this platform until end of support is
reached.