Readme file for: IBM Cloud Private 3.2.1.1911 fix pack
Product Release: 3.2.1
Publication Date: 20 December 2019
Last modified Date: 20 December 2019
This fix pack includes fixes to address reported and found problems that affect IBM Cloud Private version 3.2.1.
The following problems are fixed within the fix pack:
Table 1. Fixed problems in IBM Cloud Private 3.2.1.1911 fix pack

| Issue | Category | Description |
|---|---|---|
| 33385 33475 | Audit logging | This fix updates the audit logging service so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool, such as QRadar and Splunk, on Red Hat OpenShift Container Platform. |
| 32708 33736 | Catalog-UI | This fix pack includes the following fixes: |
| 33420 34132 | etcd | This fix corrects an issue where etcd fails to run as the etcd user with the ID 2375 when that user already exists on the hosts. |
| 28870 32707 32838 | Helm-Tiller (helm-repo, mgmt-repo, helm-api, and rudder) | This fix pack includes the following fixes: |
| 28870 32707 32838 | Helm-Tiller (tiller) | This fix updates the Go programming language version to version 1.12.1. |
| 32956 33082 | IBM Multicloud Manager | This fix pack includes the following fixes: |
| 32688 32875 32940 33363 33389 | Identity and Access Management (IAM) | This fix pack includes the following fixes: |
| 33385 | Install | This fix removes an obsolete port check for port 9443. |
| 34175 | Istio | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
| 171 32710 32950 | Key Management Service (KMS) | This fix updates the Go programming language version to version 1.13.1. |
| 419 32710 32950 | Key Management Service (KMS) plug-in | This fix updates the Go programming language version to version 1.13.1. |
| 34186 | Knative | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
| 32862 | Kubernetes | This fix resolves a high availability (HA) issue that caused a pod to remain in the Running state even when the Docker service was stopped on the master node. As part of this fix, a readiness probe and an additional default toleration are added for the kube-dns DaemonSet. |
| 33422 | Metering | This fix updates the packaged Lodash version to a version greater than 4.17.12. |
| 34181 | Mutation Advisor | The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool. |
| 419 32710 | Notary service | This fix updates the Go programming language version to version 1.13.1. |
| 33331 33388 | Platform-API | This fix pack includes the following fixes: |
| 32355 32463 32711 32771 33424 | Platform UI | This fix pack includes the following fixes: |
| 34179 | Policy administration point | The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool. |
| 34185 | Search | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
| 32953 | System healthcheck service | This fix updates the Go programming language version to version 1.13.2. |
| 33080 | Visual Web Terminal | This fix pack includes the following fixes: |
| 34176 34183 | Vulnerability Advisor | This fix pack includes the following fixes: |
| 32904 | Web-terminal | This fix removes the tar command for security-related reasons. |
Table 2. Fixed vulnerabilities in IBM Cloud Private 3.2.1.1911 fix pack

| Issue | CVE-ID | Description |
|---|---|---|
| 32147 32379 | CVE-2018-16843 | Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. |
| 32147 32379 | CVE-2018-16844 | nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. |
| 31863 32147 32379 | CVE-2019-1547 | Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
| 31863 32147 32379 | CVE-2019-1549 | OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). |
| 31863 32147 32379 | CVE-2019-1563 | In situations where an attacker receives automated notification of the success or failure of a decryption attempt, an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
| 32602 32940 | CVE-2019-4304 | IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950. |
| 32607 32940 | CVE-2019-4305 | IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951. |
| 32608 32940 | CVE-2019-4441 | IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177. |
| 32379 | CVE-2019-9511 | Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 32979 33389 | CVE-2019-9512 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 32379 32979 33389 | CVE-2019-9513 | Fixed for the NGINX ingress component and icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. |
| 32979 33389 | CVE-2019-9514 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
| 32979 33389 | CVE-2019-9515 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 32379 | CVE-2019-9516 | Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. |
| 32979 33389 | CVE-2019-9517 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. |
| 32979 33389 | CVE-2019-9518 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. |
| 32589 32707 32708 32711 33422 33424 33736 | CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
| 32771 32839 33080 33082 33331 | CVE-2019-11251 | Kubernetes could allow a remote attacker to gain unauthorized access to the system, caused by an error in kubectl cp that allows a combination of two symlinks to copy a file outside of its destination directory. An attacker could exploit this vulnerability to write arbitrary files outside of the destination tree. |
| 32710 32838 32950 32952 32953 32956 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| 32975 33388 | CVE-2019-17495 | A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method. |
| 32711 32707 32708 32711 33422 33736 | CVE-2019-1010266 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11. |
The list of fixes that are included in this fix pack is also documented in the IBM Knowledge Center. For more information, see Fixed reported problems.
The process to apply a fix pack is different depending on whether you are applying only the fix pack or you are applying the fix pack as part of installing or upgrading IBM Cloud Private.
Note: After you apply the fix pack or you install or upgrade IBM Cloud Private to the fix pack version, add the root CA certificate to your trust store. With this fix pack, users on macOS 10.15 or newer cannot access the management console until the root CA certificate is added to the trust store. For more information, see:
For detailed instructions to apply the fix pack, see Applying fix packs to your cluster in the IBM Knowledge Center.
If you already have IBM Cloud Private installed, you can upgrade IBM Cloud Private from 3.1.0, 3.1.1, 3.1.2, or 3.2.0 to 3.2.1.1911. For more information, see Upgrading in the IBM Knowledge Center.
Review the installation plan for your cluster. For more information, see Planning your cluster in the IBM Knowledge Center.
Then, install and configure IBM Cloud Private. For more information, see Installation and validation.
Review the installation requirements to plan your installation. For more information, see Preparing to install IBM Cloud Private with OpenShift in the IBM Knowledge Center.
Then install IBM Cloud Private with OpenShift. For more information, see Installing IBM Cloud Private with OpenShift.
Verify that the fix pack is applied. For more information, see Applying fix packs to your cluster in the IBM Knowledge Center.
If you encounter issues due to this fix pack, troubleshoot the issue and reapply this fix pack.
If needed, you can roll back the fix pack changes. For more information about how to roll back a fix pack, see Rolling back a fix pack.
Table 3. List of IBM Cloud Private 3.2.1.1911 fix pack files

| Description | File name | File extension |
|---|---|---|
| IBM Cloud Private 3.2.1.1911 fix pack readme file | ibm-cloud-private-3.2.1.1911-readme | .html |
| IBM Cloud Private 3.2.1.1911 fix pack | ibm-cloud-private-x86_64-3.2.1.1911, ibm-cloud-private-ppc64le-3.2.1.1911, ibm-cloud-private-s390x-3.2.1.1911, ibm-cloud-private-rhos-3.2.1.1911 | .tar.gz |
© Copyright IBM Corporation 2019
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.