IBM PureApplication System Version 2.2.1.0

Abstract

This document lists the fixes contained in IBM PureApplication System Version 2.2.1.0

Download Description

Version 2.2.1.0 includes fixes for these security vulnerabilities:

CVEID: CVE-2016-0701
DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files. By performing multiple handshakes using the same private DH exponent, an attacker could exploit this vulnerability to conduct man-in-the-middle attacks.

CVEID: CVE-2015-3197
DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by an error related to the negotiation of disabled SSLv2 ciphers by malicious SSL/TLS clients. An attacker could exploit this vulnerability to conduct man-in-the-middle attacks.

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.

CVEID: CVE-2016-0798
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in SRP servers. An attacker could exploit this vulnerability using a specially crafted username value to cause a denial of service.

CVEID: CVE-2016-0797
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the BN_hex2bn() and BN_dec2bn() functions. An attacker could exploit this vulnerability using specially crafted data to cause a denial of service.

CVEID: CVE-2016-0799
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory error in the BIO_*printf() functions. An attacker could exploit this vulnerability using specially crafted data to trigger an out-of-bounds read.

CVEID: CVE-2016-0702
DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys.

CVEID: CVE-2016-0704
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. The s2_srvr.c code overwrites the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. An attacker could exploit this vulnerability using a Bleichenbacher oracle to decrypt sessions.

CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.

CVEID: CVE-2016-0264
DESCRIPTION: A buffer overflow vulnerability in the IBM JVM facilitates arbitrary code execution under certain limited circumstances.

The following tables contain the Authorized Program Analysis Reports (APARs) and other fixes that are included in this release. If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version.
System APARs
APAR
Abstract
PureApplication System: CWZIP1900E internal error during component backup operation
PureApplication System: A cloud group and environment profile with external shared service can be deleted
Virtual image with multiple network cards defined in the OVF cannot be used in a virtual system pattern
IBM PureApplication System flagged event CMM-77777703 as "Customer Servicable"
PureApplication System: Performance listing virtual system patterns decreases with higher number of patterns
PureApplication System: Virtual machine view shows 0% utilization for virtual memory value
PureApplication System: Performance issue occurs for non-administrative user listing virtual system patterns
PureApplication System: Add-ons lost after reordering of script packages and add-ons in the pattern builder
PureApplication System: Parameters are not passed to scripts during execute in new architecture virtual system patterns
PureApplication System: Creating snapshot fails with "Error writing to zip archive"
PureApplication System: Extend and captured images cannot be used and saved correctly in the pattern builder
CWZIP6203E The compute node: [] has been quiesced because one (or both) of the VIOS have degraded filesystems
PureApplication System: The fixpack list for the MQ Pattern is empty
PureApplication System: User with "Create new catalog content" permission cannot add virtual appliances
PureApplication System: Unable to deploy after upgrading to PureApplication System 2.2.0.0
PureApplication System: Failed to start a stored virtual machine
PureApplication System: CWZIP6124E Compute node error during validation. The error is: Connection is closed
PureApplication System: User activity report generates an error
PureApplication System: Capturing an AIX custom image does not preserve multiple disk attachments
PureApplication System: Pattern type or software component with "non-catalog product licenses" not being tracked
PureApplication System: GPFSBLOCKDISKMANAGER logging code can throw an illegal state exception
PureApplication System: Maintenance fixpacks operation displays "Fixpack information is not available"
PureApplication System: Configuring an SNMP trap with forwarding destination produces no results
PureApplication System: Service console cannot connect using HTTPS on the service level access page

Software APARs
APAR
Abstract
PureApplication Software: Cloned image used in pattern builder is not saved correctly
PureApplication Software: Virtual machine usage report is leaking records into the system database
Foundation Pattern Type APARs
APAR
Abstract
PureApplication System: Virtual system monitoring instances switching between running and launching states repeatedly
PureApplication System: IBM HTTP Server node left in "Error" status after a pattern type update
PureApplication System: Cannot install multiple emergency fixes on the same pattern type instance
PureApplication System: Re-try logic when downloading files from Storehouse does not re-generate the security token
GPFS Pattern Type
APAR
Abstract
PureApplication System: Patterns that include GPFS client policy get MMLSCONFIG lock error
IBM OS Image for AIX Systems
APAR
Abstract
PureApplication System: Some AIX virtual machines have 8 SMT threads and others have 4 SMT threads per processor setting


Problems (APARs) fixed
IT14142;IT14212;IT14299;IT14430;IT14523;IT14526;IT14573;IT14588;IT14701;IT14702;IT14812;IT15032;IT15066;IT15289;IT15345;IT15365;IT15428;IT15460;IT15645;IT15647;IT15648;IT15663;IT14530;IT14836;IT14499;IT14587;IT14795;IT14823;IT14338;IT15493

Document Information

Modified date:
15 June 2018

UID

swg24042382