=================================================
Maintenance for IBM Connect:Direct for UNIX 6.3.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX 6.3.0 code base. It is applicable to C:D UNIX version 6.3.0, and contains all the new functionality and fixes as described in the C:D UNIX 6.3.0 Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance. Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D version is 6.3.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.3.0 Release Notes.

NOTICE: Security updates will be described as either affected or vulnerable, based on the following definitions from IBM:

Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Issues classified as affected will not be published in security bulletins, in most cases.

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.0
=================================================

001) CDUA-4217 commit date: 28 Jun 2023
-----------------------------------------
Config file opens from CDU can occasionally fail with XCFF001I and fdbk EINTR.

002) CDUA-4037 commit date: 01 Jun 2023
-----------------------------------------
Corrected secure processing for several AWS related environment variables.

003) CDUA-3662 commit date: 03 Mar 2024
-----------------------------------------
The maximum concurrent sessions limit imposed by the system and the user who initiated C:D are two items that may be useful to know, but were not being logged. Fix updates the NUIS record with the initiating user, including uid and umask setting, and adds a new message that records the maximum concurrent sessions the system will allow.

004) MFT-14483 / APAR IT43918 commit date: 08 Jun 2023
--------------------------------------------------------
CDU uses GSKit 8.0.55.12. This version is vulnerable to the following issue: CVE-2023-32342.

005) CDUA-4248 commit date: 12 Jun 2023
--------------------------------------------------------
When a command is issued from Connect:Direct Browser to delete a user entry from userfile.cfg file, we get a success response even when the user does not exist. Added a fix to show relevant error in such a case.

006) MFT-14357 / APAR IT43960 commit date: 20 Jun 2023
--------------------------------------------------------
The CDU server terminates abruptly following a COPY failure with error FIOC004E.

007) CDUA-4086 / APAR IT44103 commit date: 14 Jul 2023
-----------------------------------------
When Interactive upgrade is executed while cwd is CDU install directory, it removes all ndm directory items except SACL dir.

008) CDUA-4222 commit date: 27 Jun 2023
-----------------------------------------
During installation of Connect:Direct for UNIX on NFS with root squash enabled, a warning message is displayed saying:
chmod: changing permissions of '/opt/cdunix/file_agent/config': Operation not permitted.

009) CDUA-4274 commit date: 30 Jun 2023
-----------------------------------------
Install Agent logs grow indefinitely, leading to very big log files over a period of time. Updated Install Agent to clear logs periodically.

010) MFT-14561 / APAR IT44029 commit date: 30 Jun 2023
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX and Linux platforms use IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in this version were disclosed as part of recent IBM Java SDK updates.

This JRE version is vulnerable to the following issues: CVE-2023-21930, CVE-2023-21967, and CVE-2023-21968.

This JRE version is affected by the following issues: CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.

011) CDUA-4299 commit date: 05 Jul 2023
-----------------------------------------
Updated UBI base image for CDU container to latest version which is UBI 8.8-1009 and removed unwanted libnsl and nis_nss packages from the container image.

012) CDUA-3346 commit date: 10 Jul 2023
-----------------------------------------
Currently cdinstall_a assumes pwd is the deployment directory. If the automation installation script, cdinstall_a, is called with a relative path or absolute reference, for example from outside the directory which has installer_script, CPIO_file and also the certificates, the installation fails with error code 127 (cdinstall is not present at this directory).

013) Java components updates commit date: 20 Jul 2023
-------------------------------------------------------
Update_01 MFT-14410
--------------------
The Integrated File Agent component uses Spring Framework that is affected by the following issue: CVE-2023-20863.

Update_02 MFT-14439 / APAR IT44099
-----------------------------------
The Integrated File Agent and the Object Store IO Exit components use FasterJackson that is affected by the following issue: PRISMA-2023-0067.

Update_03 MFT-14580 / APAR IT44101
-----------------------------------
The Integrated File Agent, Install Agent and the Object Store IO Exit components use FasterJackson that is affected by the following issue: CVE-2023-35116.

Update_04 MFT-14581 / APAR IT44102
-----------------------------------
The Integrated File Agent and the Object Store IO Exit components use Netty that is affected by the following issue: CVE-2023-34462.

Update_05 CDUA-4331
--------------------
The Integrated File Agent and the Object Store IO Exit components use Google Guava that is affected by the following issue: CVE-2023-2976.

Update_06 MFT-14738 / APAR IT44465
-----------------------------------
The Integrated File Agent component includes versions of FasterXML jackson-dataformat-properties that are affected by the following issue: CVE-2023-3894.

014) MFT-14579 / APAR IT44100 commit date: 01 Aug 2023
--------------------------------------------------------
The Integrated File Agent and Install Agent components, included in IBM Sterling Connect:Direct for UNIX, use Bouncy Castle version 1.70. This version is affected by the following issue: CVE-2023-33201.

015) CDUA-4358 commit date: 03 Aug 2023
----------------------------------------
Install Agent poll script does not return correct status of Install Agent process.

016) CDUA-4392/CDUA-4394 commit date: 21 Aug 2023
--------------------------------------------------
Updated the UBI base image to UBI 8.8-1032 and corrected the K8s minimum version requirement to v1.23.

017) MFT-14718 / APAR IT44425 commit date: 07 Jun 2024
--------------------------------------------------------
A copy step executed by a user configured with a directory restriction specified may fail, reporting XCPR015I or XCPR017I, even when the specified file resides properly within the restriction. The partner node may log an XCPS002I or XCPS003I message when this happens.

018) CDUA-4393 commit date: 28 Aug 2023
-----------------------------------------
Statistics generated after an upgrade are lost if an emergency restore procedure is executed.

019) CDUA-4406 commit date: 31 Aug 2023
-----------------------------------------
Add client type and remote address to client logon failure message. It shows who tried to log in, but not the type of client or the remote address.

020) CDUA-4416 commit date: 06 Sep 2023
-----------------------------------------
API commands not logged by default in a fresh CDU installation.

021) MFT-14816 / APAR IT44560 commit date: 22 Sep 2023
--------------------------------------------------------
After running for an extended time, Integrated File Agent may fail and generate java core dumps.

022) MFT-14595 / APAR IT44192 commit date: 26 Sep 2023
--------------------------------------------------------
The following warning with code SPCG774W may occur while updating the Key Certificate Label in the .Client record in Secure+:
"The Certificate Label 'xxx' chain does not include a root certificate."
Users will not see any warnings if root certificate is already present in certificate chain.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.3.0.1
-----------------------------------------------------------

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.1
=================================================

001) CDUA-4489 commit date: 03 Oct 2023
-----------------------------------------
Fix added for addressing invalid IPV4 addresses in Port Check ignore list where the address has more than 4 segments present.

002) MFT-14723 / APAR IT44653 commit date: 04 Oct 2023
--------------------------------------------------------
When a large number of processes are in the HOLD queue the cdpmgr's CPU utilization may approach 100%.

003) CDUA-4182 / APAR IT43670 commit date: 06 Oct 2023
--------------------------------------------------------
Attempts to update Integrated File Agent configuration from C:D Web Services UI may fail and report XCMM076I. The details of the error scenario logged with this message may be incomplete or otherwise unhelpful.

004) MFT-14939 / APAR IT44736 commit date: 13 Oct 2023
--------------------------------------------------------
When the certificate information exceeds a length of 196, the complete information is recorded in the statistics file but the output of 'select statistics' command is truncated and the CERT information is displayed only up to 196 characters.

005) Integrated File Agent component updates commit date: 17 Oct 2023
-----------------------------------------------------------------------
Update_01 CDUA-4516
--------------------
For CDU node installed on Ubuntu, an attempt to update the Integrated File Agent (IFA) configuration via Connect:Direct Web Services (CDWS) may fail, indicating "Something went wrong. Please try again later."

Update_02 MFT-14924 / APAR IT44625
-----------------------------------
Integrated File Agent scan of a Google Storage resource fails when the bucket name contains an underscore character.

Update_03 MFT-14960 / APAR IT44764
-----------------------------------
Integrated File Agent component configured with certificate based authentication may fail to connect, with IFA logs indicating NullPointerException.

006) Object Store component updates commit date: 18 Oct 2023
--------------------------------------------------------------
Update_01 MFT-14703 / APAR IT44273
-----------------------------------
A copy step that refers to an object store name that contains space characters may fail, generating an FIOX043E message.

Update_02 MFT-14922 / APAR IT44639
-----------------------------------
If a copy step sending from an object store fails due to lack of read access to the object, likely generating an FIOX011E message, a zero byte destination file may be created.

Update_03 MFT-14983 / APAR IT44765
-----------------------------------
A copy step will fail when it references a Google Storage bucket that contains an underscore character.

007) MFT-14704 / APAR IT44390 commit date: 19 Oct 2023
--------------------------------------------------------
In some cases, if a process with a copy step to object store fails to specify a disposition for the object, the step will fail reporting an FIOX022E message.

008) CDUA-4480 commit date: 19 Oct 2023
-----------------------------------------
After upgrade, stale libraries left behind from the previous installation may cause some issues in Connect:Direct functionalities.

009) Object Store component updates commit date: 27 Oct 2023
--------------------------------------------------------------
Update_01 MFT-14705
--------------------
Alternative methods of establishing credentialed access to Azure were missing. Fix adds the following to the existing credentials mechanisms, in this order:

1. ManagedIdentityCredential - If the application deploys to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account.
2. WorkloadIdentityCredential - If the app is deployed on Kubernetes with environment variables set by the workload identity webhook, DefaultAzureCredential will authenticate the configured identity.
3. EnvironmentCredential - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.

New configuration properties added:
  az.workloadTenantId
  az.workloadServiceTokenFilePath
  az.managedIdClientId
  az.workloadIdClientId

See documentation for details.

Update_02 CDUA-2888
--------------------
Certificates required for secure connections to object stores were only accessed from the JRE truststore. Fix adds configuration option, store.keyStore, to use C:D S+ trusted certificates in addition to or in place of JRE truststore. This option takes the following values:

  JRE_ONLY (default): the JRE keystore will be used as the unique source for CAs
  SP_ONLY: The secure Plus keystore will be used as the unique source for CAs
  JRE_SP: the JRE keystore is the first source for CAs, next Secure Plus keystore will be used
  SP_JRE: the Secure Plus keystore is the first source for CAs, next the JRE keystore will be used

See documentation for details.

Update_03 CDUA-4410
--------------------
Azure shared access signature (SAS) resource access was not supported. Fix adds support for SAS token with new az.sasToken property. Azure access credentials order is now:

- Connection string if az.connectionString provided
- Shared key if az.accountName and az.accountKey
- SAS token if az.sasToken provided
- Managed identity credentials if az.managedIdentityId provided
- Workload identity credentials if az.worloadIdentityId provided, plus optional properties az.workloadTenantId, az.workloadServiceTokenFilePath. These properties only work inside Azure.
- Environment credentials

See documentation for details.

Update_04 MFT-14773
--------------------
While C:D is accessing an AWS S3 object store with temporary credentials, it is possible that the temporary credentials will be updated in anticipation of expiration. C:D would not recognize that new credentials were available in this case, and access would fail. Fix enables C:D to monitor and refresh credentials files when the files are updated.

Update_05 MFT-14933 / APAR IT44839
-----------------------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use netty-handler versions that are vulnerable to the following issue: CVE-2023-4586.

Update_06 MFT-15020 / APAR IT44840
-----------------------------------
When Integrated File Agent (IFA) is watching an object store bucket, the IFA log files may show an inappropriate message indicating "error object '' does NOT exist", referring to the bucket being watched.

Update_07 FLAG-275
-------------------
IFA now has the ability to use fileio.exit records defined in C:D initparm.cfg with the store.configFromCD property. See documentation for details.

010) MFT-14731 / APAR IT44469 commit date: 10 Nov 2023
--------------------------------------------------------
Sending to an object store with invalid credentials or region specified results in FIOX022E message and abrupt termination of the connection with the remote node.

011) CDUA-4405 commit date: 10 Nov 2023
-----------------------------------------
Address CDU failure to log messages about Integrated File Agent events, such as agent startup, or agent startup failure.

012) Accumulated security updates commit date: 20 Nov 2023
------------------------------------------------------------
Update_01 CDUA-4619
--------------------
Updated UBI base image for CDU container to latest version which is UBI 9.3-1361.1699548029

Update_02 MFT-14796/MFT-14797/MFT-14798
----------------------------------------
The Install Agent component uses Jetty that is affected by the following issue: CVE-2022-2047, CVE-2022-2048, CVE-2023-26048, CVE-2023-26049, CVE-2021-28169, CVE-2021-34429, and PRISMA-2021-0182.

Update_03 MFT-14848
--------------------
The IBM Certified container uses ncurses package which is affected by the following issue: CVE-2023-29491

Update_04 MFT-14842 / APAR IT44998
-----------------------------------
The IBM Certified container uses procps-ng package which is affected by the following issue: CVE-2023-4016

013) CDUA-4627 commit date: 22 Nov 2023
-----------------------------------------
Added support in Connect Direct for Unix to run pre and post upgrade actions from Control Center Director.

014) CDUA-4626 commit date: 22 Nov 2023
-----------------------------------------
Transmission Control Queue processing optimized for better performance.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.3.0.2
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.3.0.2
===========================================================

001) Java component updates commit date: 13 Dec 2023
------------------------------------------------------
Update_01 MFT-15057
--------------------
On occasion, javax.net.debug is defined for an object store when debugging SSL/TLS connection problems. The output from setting this property was routed to stdout, instead of the object store log file.

Update_02 MFT-15107
--------------------
There may be scenarios where endpoint override is required for sending an object to Google Storage (GS), but this feature was not implemented. Fix adds three specific GS properties, gs.endPointUrl, gs.endPointPort and gs.endPointSecure, with definitions similar to the other object store provider properties of the same name. Since all supported object store providers now support endpoint overrides, general properties are also added, store.endPointUrl, store.endPointPort and store.endPointSecure.

Note: if both specific and general object store endpoint overrides are specified, the specific property takes precedence.

Update_03 MFT-15109
--------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use versions of Google libraries grpc-core and grpc-protobuf that are affected by the following issues: CVE-2023-33953, CVE-2023-44487 and CVE-2023-4785.

Update_04 MFT-15182 / APAR IT45121
-----------------------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use a reactor-netty version that is affected by the following issue: CVE-2023-34062. Fix updates reactor-netty to 1.1.13.

Update_05 MFT-15185 / APAR IT45583
-----------------------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use a reactor-netty version that is affected by the following issue: CVE-2023-34054. Fix updates reactor-netty to 1.1.13.

Update_06 FLAG-303
-------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use an Azure-Identity version that is affected by the following issues: CVE-2023-36414 and CVE-2023-36415. Fix updates Azure-Identity to 1.11.1.

Update_07 FLAG-305
-------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use Spring Boot versions that are affected by the following issue: CVE-2023-34055. Fix updates Spring Boot to 2.7.18.

Update_08 MFT-15174 / APAR IT45135
-----------------------------------
After a recent change, when a connection to S3 Object store is made, the aws-crt native library is loaded inside the /tmp directory with every transfer. So, once /tmp runs out of space after a number of file transfers, Java errors start to occur. Updated Connect:Direct for Unix to remove the usage of aws-crt native libraries.

Update_09 MFT-15122
--------------------
Communicating with AWS S3 object Stores fails when a bucket policy requires http header x-amz-content-sha256 valued with request body content hash.

002) Accumulated security updates commit date: 21 Dec 2023
------------------------------------------------------------
Update_01 MFT-15160
--------------------
Updated UBI base image to 9.3-1476 in CDU container.

Update_02 MFT-15138
--------------------
CDU container uses binutils package which is affected by the following issues: CVE-2022-45703, CVE-2021-45078, CVE-2022-47695, CVE-2022-47673, CVE-2021-46174

003) CDUA-4670, CDUA-4671 commit date: 29 Dec 2023
--------------------------------------------------
Processes submitted with maxdelay are stuck in PE (for max 30 seconds) until maxdelay time expires. Submitted processes often wait 30 seconds in PE before beginning execution.

004) MFT-15184 / APAR IT45239 commit date: 09 Jan 2024
-------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) uses versions of IBM(R) Runtime Environment Java(TM) (JRE) that have vulnerabilities disclosed as part of recent IBM Java SDK updates.

JRE versions on Linux and AIX platforms are vulnerable to CVE-2023-5676 and CVE-2023-22081, and affected by CVE-2023-22045 and CVE-2023-22049.

JRE versions on Solaris platform are vulnerable to CVE-2023-5676, CVE-2023-22081, CVE-2023-21930, CVE-2023-21967, and CVE-2023-21968, and affected by CVE-2023-22045, CVE-2023-22049, CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.

JRE versions on HP-UX platform are vulnerable to CVE-2023-21930, CVE-2023-21967, and CVE-2023-21968, and affected by CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597, CVE-2023-21830, CVE-2023-21843, and CVE-2022-21426.

Updated bundled JRE to version 8.0.8.15 for Linux, AIX, and Solaris platforms.
Updated bundled JRE to version 8.0.8.5 for HP-UX platform.

005) MFT-15225 / APAR IT45241 commit date: 09 Jan 2024
-------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses jetty-io and jetty-server versions that are vulnerable to CVE-2023-36478, CVE-2023-44487 and CVE-2023-40167, and affected by CVE-2023-36479 and CVE-2023-41900.

006) CDUA-4727 commit date: 11 Jan 2024
-----------------------------------------
Linux customers may want to manage C:D as a systemd service. Fix adds an example systemd unit configuration file, cdu.service, in the C:D etc directory when installed on a Linux system. Fix also adds in the ndm/bin directory for all platforms a start script, cduStart, a stop script, cduStop, and some source files, cdenv.sh and cdenv.csh, used for setting CLI environment variables in a user's current shell.

007) CDUA-4692 commit date: 19 Jan 2024
----------------------------------------
While interactively upgrading, an access issue referring to /dev/null may be seen.

008) CDUA-4768 commit date: 29 Jan 2024
----------------------------------------
Upgraded Red Hat UBI base image to 9.3-1552 in CDU container image for latest security fixes.

009) Accumulated container updates commit date: 29 Jan 2024
-------------------------------------------------------------
Update_01 MFT-14889/IT45372
----------------------------
CDU container cannot authenticate LDAP user using either the ldap or ldaps protocol.

Update_02 MFT-15264/IT45374
----------------------------
When store service tries to use CDU keystore in container using option -Dstore.keyStore=SP_ONLY in ioexit configuration, the file transfer fails with msgid XCPR009I and the object store logs give the error "Error while setting the Secure+ trust environment".

Update_03 CDUA-4772
--------------------
CDU container helm chart would be supported on OCP 4.14 and K8s 1.27.

010) CDUA-4512 commit date: 30 Jan 2024
----------------------------------------
Installation failure during customisation step with root user as installer and admin.

011) MFT-15241 / APAR IT45370 commit date: 31 Jan 2024
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses kotlin-stdlib versions that are affected by the following issue: CVE-2022-24329.

012) MFT-15242 / APAR IT45371 commit date: 31 Jan 2024
--------------------------------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses gradle-buildconfig-plugin versions that are affected by the following issues: CVE-2019-15052, CVE-2023-35947, CVE-2021-29428, CVE-2020-11979, CVE-2021-32751, CVE-2023-44387, CVE-2019-11065, CVE-2019-16370, CVE-2021-29429, CVE-2023-35946, CVE-2023-42445.

013) CDUA-4777 commit date: 5 Feb 2024
----------------------------------------
Update the cdu.service example systemd unit file so that the service start and stop commands are executed by the CDU installer.

014) MFT-15399 / APAR IT45539 commit date: 27 Mar 2024
--------------------------------------------------------
Compilation of user exit program may fail due to some newly added threading APIs in Connect:Direct for UNIX. Fix removes the inclusion of new APIs from user exit program.

015) MFT-14279 / APAR IT45554 commit date: 21 Feb 2024
-------------------------------------------------------------------
When CDU has received around 400GB of data over a TLS 1.3 session using AES cipher suites, the receive may fail, reporting a series of CSPA204E and CSPA095E messages. The initial CSPA204E message will indicate "rsn=gsk_secure_soc_read() returned - GSK_ERROR_UNKNOWN_ERROR - Internal unknown error". When this happens, the sender shows a series of messages that may include XSMG622I, XIPT008I, and XSMG625I. The receive may be a single large file, or a series of large files over the same session, a wildcard copy step, for example.

Part of the fix is to periodically restart the secure session during the transfer, and should be transparent. If this restart fails, then two new messages may be seen, CSPA330E, Remote node does not support TLS Restart, and CSPA331E, The Secure+ TLS session restart failed.

016) MFT-15486 / APAR IT45679 commit date: 11 Mar 2024
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) uses releases of IBM(R) Runtime Environment Java(TM) (JRE) 8 that have vulnerabilities disclosed as part of recent IBM Java SDK updates.

JRE 8 releases on all supported platforms are vulnerable to CVE-2024-20945 and CVE-2023-33850, and affected by CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20919, and CVE-2024-20926.

Updated bundled JRE 8 to 8.0.8.20 for all supported platforms.

017) MFT-15501 / APAR IT45734 commit date: 13 Mar 2024
--------------------------------------------------------
When Standalone File Agent is used with this Connect:Direct for UNIX version, user may see the following error in CDFA logs while submitting processes:
"ERROR - ParseException Unrecognized option: -P"

018) CDUA-4802 commit date: 18 Mar 2024
-----------------------------------------
When silent upgrade fails on AIX due to some reason, a rollback failure to previous version may be observed.

019) CDUA-4814 commit date: 21 Feb 2024
-----------------------------------------
In some cases, customers may desire to use a file open exit to invoke a pipe IO stream without requiring pipe=yes to be coded in process text sysopts. Additionally, customers may find useful some additional process information passed into the file open exit, such as process submitter, submitter node, name, and number. Fix includes updated exit_skeleton.[c|C] files demonstrating these new features.

NOTE: File open exits compiled against previous builds will need to be recompiled with this build.

020) CDUA-4836 commit date: 22 Mar 2024
-----------------------------------------
When a CDU snode is receiving files from a multi-step process and one of the copy steps invokes pipe IO via :pipe=yes: sysopts, subsequent non pipe IO copy steps may fail, reporting XSQF006I and XSQF010I messages.

021) MFT-15483 / APAR IT45678 commit date: 26 Mar 2024
--------------------------------------------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use nimbus-jose-jwt versions that are vulnerable to the following issue: CVE-2023-52428. Updated nimbus-jose-jwt to 9.37.3.

022) MFT-15579 / APAR IT45913 commit date: 10 Apr 2024
--------------------------------------------------------
The Object Store service and Integrated File Agent components, included in IBM Sterling Connect:Direct for UNIX, use netty-codec-http versions that are affected by the following issue: CVE-2024-29025. Updated netty-codec-http to 4.1.108.

023) MFT-15625 / APAR IT45933 commit date: 12 Apr 2024
--------------------------------------------------------
In some scenarios, a file open by a user with an upload or download directory restriction coded may fail with XCPR010I, Open failed for copy in OPEN_DEST_DATA, even though the file properly resides within the restriction. This issue is known to occur with 6.3.0.2.iFix021 on RHEL 7.9 systems, although there may be other releases and platforms where the issue may manifest.

024) CDUA-4905 commit date: 16 Apr 2024
-----------------------------------------
During a fresh install, if a container deployment fails or does not complete properly, it may leave behind residue files on Persistent Volume resulting in unexpected behavior.

025) MFT-15275 / APAR IT45689 commit date: 16 Apr 2024
--------------------------------------------------------
When there are incoming health check connections from an IP which is added to trusted addresses list and the health check connection does not contain any data and does not disconnect, then at the same time if a client or server connection is initiated, the connection may fail. For client connections, an ndm_auth failure may be observed.

026) MFT-15480 / APAR IT45977 commit date: 18 Apr 2024
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX may stop and report "XRRF021I, System call lseek() failed", or "XPMM001I, Select system call failed. CDPMGR will exit" failures in Statistics during the file transfer.

027) CDUA-4963 commit date: 26 Apr 2024
-----------------------------------------
IBM Java runtimes bundled with C:D UNIX have been updated to IBM Semeru Runtime 17.0.10.0. For additional information and requirements on Semeru Runtimes, Version 17 support, see https://www.ibm.com/support/pages/semeru-runtimes-support.

AIX: XL C++ Runtime 16.1.0.7 or later is required.
X11: FreeType font rendering library (typically freetype2) is required when opening x11 configurator UIs, such as SPAdmin.

028) MFT-15655 / APAR IT46042 commit date: 29 Apr 2024
--------------------------------------------------------
When IBM Connect:Direct for UNIX is executing on an Amazon ec2 instance where the instance credentials are set and should be used, but there is no default credentials file (usually located in ~/.aws folder), an error is logged in File Agent log or Connect:Direct and the connection to the S3 server fails with the following message:

Error on credentials file /home/ec2-user/.aws/credentials: Profile file '/home/ec2-user/.aws/credentials' does not exist.

The default credentials chain set before attempting the connection always assumes the credentials file is available. Fixed code to add the credentials file provider in the credentials chain only when this file exists.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.3.0.3
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.3.0.3
===========================================================

001) CDUA-4965 commit date: 08 May 2024
-----------------------------------------
When CMS keystore placed at a custom path is in use by Connect:Direct for UNIX, upgrade places the converted PKCS12 keystore at default path ndm/secure+/certificates instead of the custom path.

002) CDUA-4998 commit date: 16 May 2024
-----------------------------------------
Data corruption in TLS 1.3/AES text mode transfers larger than 380GB. A corrupted block of text appears in the destination file after 380GB of data has been processed.

003) Accumulated updates commit date: 21 Jun 2024
---------------------------------------------------
Update_01 CDUA-3965
--------------------
Detailed select statistics for the concurrent session count record (RECI=SCNT) did not display concurrent session high water mark information.

Update_02 MFT-15260
--------------------
The IBM Certified Container Software for CDU uses an OpenSSH package that is affected by the following issues: CVE-2023-48795, CVE-2023-51385.

Update_03 MFT-15074/MFT-14838/MFT-14841/MFT-15288/MFT-15412
------------------------------------------------------------
The IBM Certified Container Software for CDU uses an OpenSSL package that is affected by the following issues: CVE-2023-5678, CVE-2023-3446, CVE-2023-3817, CVE-2023-6237, CVE-2024-0727.

004) Java component updates commit date: 24 May 2024
------------------------------------------------------
Update_01 MFT-15720 / APAR IT46224
----------------------------------
The Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses commons-configuration2 versions that are affected by the following issues: CVE-2024-29133 and CVE-2024-29131, and jackson-databind versions that are affected by the following issue: CVE-2023-35116. Updated commons-configuration2 versions to 2.10.1, and jackson-databind versions to 2.17.0.

Update_02 MFT-15728 / APAR IT46225
----------------------------------
Secure+, Integrated File Agent, Install Agent and Object Store service components, included in IBM Sterling Connect:Direct for UNIX, use bcprov-jdk18on versions that are affected by the following issues: CVE-2024-30171, CVE-2024-30172 and CVE-2024-34447.
Updated bcprov-jdk18on to 1.78.

Update_03 MFT-15761 / APAR IT46226
----------------------------------
Secure+, Integrated File Agent, Install Agent and Object Store service components, included in IBM Sterling Connect:Direct for UNIX, use Bouncy Castle Java versions that are affected by the following issue: CVE-2024-29857. Updated Bouncy Castle Java to 1.78.

005) MFT-15669 / APAR IT46232 commit date: 24 May 2024
-------------------------------------------------------
A process submitted by a user who is defined in the Strong Access Control File (SACL) with deny.access=n, as root is by default, generates a warning message, XSCM004I, indicating the user is running with access limited by the SACL. A warning message in this scenario is unwarranted. Fix prevents the unwarranted message from being logged.

006) CDUA-5034 commit date: 27 May 2024
-----------------------------------------
Integrated File Agent may fail with a NullPointerException when the Object Store service is configured and the store.configFromCD property is not set in the stores.properties file.

007) CDUA-4993 / APAR IT46219 commit date: 30 May 2024
--------------------------------------------------------
Installing or upgrading C:D for UNIX on AIX with the system-wide Stack Execution Disable (SED) mode set to "all" may fail during Install Agent installation, indicating "./installAgent.bin ... Illegal instruction ... ".

008) CDUA-4279 commit date: 04 June 2024
------------------------------------------
CDPMGR, when initiated by a C:D administrator other than the C:D installer, would encounter an error message (XCFG001E and fdbk=13) when attempting to update the netmap/userfile from a client such as CDWS. This behavior has been rectified to allow users with the 'admin=y' attribute in the userfile to update the netmap/userfile.

009) Accumulated updates commit date: 03 Jul 2024
---------------------------------------------------
Update_01 MFT-15876 / APAR IT46476
----------------------------------
The upgrade fails with error "cannot access '/opt/cdunix/ndm/secure+/lib': No such file or directory" while upgrading using IBM Certified Container Software for CDU.

Update_02 CDUA-5088
-------------------
Upgraded to Red Hat UBI 9.4-1123.1719560047 in IBM Certified Container Software for CDU.

010) MFT-15900 / APAR IT46509 commit date: 10 Jul 2024
---------------------------------------------------------------
Sending a datatype=binary file with codepage conversion to z/OS may result in a destination file with some records that are too short.

011) Java component updates commit date: 18 Jul 2024
-----------------------------------------------------
Update_01 MFT-15825 / APAR IT46545
----------------------------------
IBM Connect:Direct for UNIX (CDU) uses releases of IBM(R) Runtime Environment Java(TM) (JRE) 17 that have vulnerabilities disclosed as part of recent IBM Java SDK updates. JRE 17 releases on all supported platforms are affected by CVE-2024-21085, CVE-2024-21012, and CVE-2024-3933. Updated bundled JRE 17 to 17.0.11.0 for all supported platforms.

Update_02 CDUA-5126 / APAR IT46541
----------------------------------
Integrated File Agent and Object Store service components, included in IBM Sterling Connect:Direct for UNIX, use versions of azure-identity and msal4j that are affected by the following issue: CVE-2024-35255. Updated azure-identity to 1.13.0 and msal4j to 1.15.1.

012) Accumulated updates commit date: 29 Jul 2024
---------------------------------------------------
Update_01 CDUA-5168
-------------------
Upgraded to Red Hat UBI 9.4-1181 in IBM Certified Container Software.

Update_02 MFT-15968 / APAR IT46607
----------------------------------
IBM Certified Container Software for CDU uses an OpenSSH version that is affected by the following issue: CVE-2024-6387.

013) CDUA-5122 commit date: 08 Aug 2024
-----------------------------------------
PNOD and SNOD values on the RECI=PRIN record are incorrect following a forced flush on a running process. Corrected these SNOD/PNOD values for the RECI=PRIN record.

014) Accumulated updates commit date: 19 Sep 2024
---------------------------------------------------
Update_01 CDUA-5299
-------------------
Upgraded to Red Hat UBI 9.4-1214.1725849297 in IBM Certified Container Software.

Update_02 MFT-15935 / APAR IT46923
----------------------------------
IBM Certified Container Software for CDU uses a libuv version that is affected by the following issue: CVE-2024-24806.

Update_03 MFT-16137 / APAR IT46924
----------------------------------
IBM Certified Container Software for CDU uses urllib and setuptools versions that are affected by the following issues: CVE-2024-37891 and CVE-2024-6345.

015) MFT-16130 / APAR IT46945 commit date: 24 Sep 2024
--------------------------------------------------------
Sending a 0 byte object, such as an Amazon S3 object, in binary mode may fail when the receiver is not C:D for UNIX. For example, Sterling B2B Integrator responds with JMGR014I, "Error receiving message" in this scenario.

016) MFT-16047 / APAR IT46915 commit date: 09 Oct 2024
--------------------------------------------------------
Logging of some statistics records may occasionally fail on a CDU server that is under high load, particularly if there is an agent enabled, such as file or install agent, but configured incorrectly such that the agent fails to start and regularly logs CDIA003E messages.

017) Java component updates commit date: 23 Oct 2024
------------------------------------------------------
Update_01 MFT-16235 / APAR IT46939
----------------------------------
IBM Connect:Direct for UNIX (CDU) uses releases of IBM(R) Runtime Environment Java(TM) (JRE) 17 that have vulnerabilities disclosed as part of recent IBM Java SDK updates. JRE 17 releases on all supported platforms are affected by CVE-2024-21145, CVE-2024-21144, and CVE-2024-21131. Updated bundled JRE 17 to 17.0.12.0 for all supported platforms.

Update_02 MFT-16256 / APAR IT47024
----------------------------------
Integrated File Agent component, included in IBM Sterling Connect:Direct for UNIX, is vulnerable to Object Hijack risk and Race Condition Format Flaw. Updated Integrated File Agent component to address these issues.

Update_03 MFT-16121
-------------------
Integrated File Agent fails to scan the watch directory when it has a special character in its name or path.

Update_04 MFT-16215
-------------------
Object Store Service, included in IBM Sterling Connect:Direct for UNIX, uses versions of Google grpc that are affected by the following issue: CVE-2024-7246. Updated grpc version to 1.66.0.

Update_05 CDUA-5315
-------------------
Integrated File Agent and Object Store components, included in IBM Sterling Connect:Direct for UNIX, use a version of protobuf-java that is affected by the following issue: CVE-2024-7254. Updated protobuf-java version to 3.25.5.

Update_06 MFT-16088 / APAR IT47046
----------------------------------
Multi-part file upload on Google Cloud (GCP) creates visible temporary parts. Object Store component updated by introducing a new property to store these temporary parts in a dedicated folder. The property name is gs.partUploadFolder.

Update_07 MFT-16217 / APAR IT47045
----------------------------------
Unable to upload an object to a bucket when using a Multi Region Access Point. Updated Object Store component to fix the issue.

Update_08 MFT-16001
-------------------
File agent takes 20-40 minutes to submit the process when entropy is low on some systems.

018) CDUA-5177 commit date: 11 Oct 2024
-----------------------------------------
cdcusrpt output shows lots of non-standard symbolic links associated with Java 17. Updated cdcusrpt to exclude these JRE 17 links.

019) CDUA-5304 commit date: 16 Oct 2024
-----------------------------------------
Configuration update from Connect:Direct Web Services fails when Connect:Direct for UNIX is installed on NFS with root squash enabled.

020) CDUA-5361 commit date: 16 Oct 2024
-----------------------------------------
Updated JVM options for default file.ioexit record added during installation to improve startup times and performance.

021) CDUA-4856 commit date: 21 Oct 2024
-----------------------------------------
cduStop script may indicate File Agent stop was unsuccessful when in fact it was successful. Also, cduStart script used fully qualified file reference to cdpmgr. If the installation directory name is very long, this could result in truncated ps command output. In addition to resolving the above issues, fix also eliminates repetitive messages while waiting for an action to complete, such as "Waiting for the client port to be free" and "cdpmgr still running, waiting 5 seconds to recheck".

022) CDUA-5428 commit date: 25 Oct 2024
-----------------------------------------
On the initparm.cfg stats record added during installation, the default statistics log file size was increased to 10M to improve performance and reduce the number of files created in the work directory.

023) Object Store Service updates commit date: 01 Nov 2024
------------------------------------------------------------
Update_01 MFT-16368
--------------------
In some cases, FIOX020E may be inappropriately reported sending to an S3 bucket with an underscore character in the bucket name.

Update_02 MFT-16001
--------------------
On rare occasion, it may take an unusually long time to establish a secure connection to an object store end point.

Update_03 CDUA-5379
--------------------
A copy step that attempts to access an object store with a valid store.partSize specified may inappropriately fail indicating invalid part size.