Fixed reported problems
Review the list of fixed problems to see whether your reported problem was fixed in the release or within a fix pack.
The changes for fixed problems are included within the following fix packs and releases:
- IBM Cloud Private 3.2.0.2003 fix pack
- IBM Cloud Private 3.2.0.2001 fix pack
- IBM Cloud Private 3.2.0.1911 fix pack
- IBM Cloud Private 3.2.0.1910 fix pack
- IBM Cloud Private 3.2.0.1909 fix pack
- IBM Cloud Private 3.2.0.1908 fix pack
- IBM Cloud Private 3.2.0.1907 fix pack
- IBM Cloud Private 3.2.0.1906 fix pack
- IBM Cloud Private 3.2.0
For more information about how to apply fixes to your cluster, see Applying fix packs to your cluster.
Reported problems that are fixed in the IBM Cloud Private 3.2.0.2003 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 34260 | Custom metrics adapter | This fix updates the Go programming language version to version 1.12.12. |
| 32959 | Metrics server | This fix updates the Go programming language version to version 1.12.17. |
| 32959 | MinIO storage | This fix updates the Go programming language version to version 1.12.17. |
| 34691, 32705 | Platform UI | This fix pack includes the following fixes: - The console Overview page is updated to display all resources and associated values. - The Nodes page and Configmaps page are updated to reduce load times. |
| 1334 | Policy Administration Point (PAP) | This fix resolves an issue that caused a CreateContainerError with icp-mongodb pods by reusing a single mongodb connection for policy APIs in the Policy Administration Point (PAP). |
| 36345 | Security-IAM | This fix pack includes the following fixes: - WebSphere Application Server Liberty is upgraded to version 20.0.0.2. - The IDTOKEN_LIFETIME parameter format is updated to support minutes and seconds. - The IBM SDK, Java Technology Edition Quarterly CPU is updated to the January 2020 version. |
| 35939 | Vulnerability Advisor | This fix updates the sas-base and ma-file-annotator image version to version 3.2.0.2003 to remediate a nodejs security vulnerability. |
Review the list of security-related vulnerabilities that are fixed in this fix pack.
| Issue | CVE-ID | Description |
|---|---|---|
| 35335, 35454 | CVE-2019-4732 | IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618. |
| 32959, 32710 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| 35335, 35454 | CVE-2020-2583 | An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
| 35335, 35454 | CVE-2020-2593 | An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. |
| 35335, 35454 | CVE-2020-2604 | An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to take control of the system. |
| 35335, 35454 | CVE-2020-2659 | An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
Reported problems that are fixed in the IBM Cloud Private 3.2.0.2001 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 34557, 34721 | Catalog-UI | This fix pack includes the following fixes: - The status for releases that are superseded is corrected. - The instance details page is updated to correct overlapping text and notifications. |
| 32710, 32899, 34614 | Certificate Management - cert-manager, cert-manager-webhook, cert-manager-cainjector | This fix updates the Go programming language version to version 1.13.2. |
| 32959 | IBM Cloud Private registry | This fix updates icp-registry version 2.6.2.4.2001 to upgrade the Go programming language version to version 1.12.3. |
| 33042 | Identity and Access Management (IAM) - platform-auth-service, platform-oidc ingress | This fix updates HTTP request headers to prevent a CORS vulnerability. |
| 32959 | Image enforcement | This fix updates image-enforcement version 0.2.1.2001 to upgrade the Go programming language version to version 1.12.3. |
| 32959 | Image manager | This fix updates image-manager version 2.2.5.2001 to upgrade the Go programming language version to version 1.12.3. |
| 35216 | Istio | This fix updates the cert-manager-controller image version to version 0.7.0-f2001. |
| 34461 | Metering | This fix resolves an issue that caused the metering reader to crash when the productID annotation for the workload exists but the productName or productVersion annotations are missing. |
| 34204, 34735 | Platform API | This fix pack includes the following fixes: - The management console is updated to prevent IP addresses from being disclosed on the Install CLI tools page. - Node affinity is added to the chart YAML to constrain the nodes where the pod is eligible to be scheduled. |
| 34043, 34227 | Platform Header | This fix updates the management console to redirect users to the Login page when a session expires. |
| 33797, 33912 | Platform UI | This fix pack includes the following fixes: - The namespace dropdown for all namespaced resource pages is now searchable. - The namespace dropdown now defaults to the first namespace in the list rather than All Namespaces. - Performance improvements are added to the deployments page to decrease loading times when many namespaces are present. - A DISABLE_LAUNCH_LINKS environment variable can now be added to the platform-ui daemonset to disable launch links on the overview deployments page and further decrease loading times. |
| 34406 | Policy governance, risk and compliance | This fix updates the Lodash version to version 4.17.15 to address a denial of service vulnerability. |
| 34307, 34916 | Security-IAM | This fix pack includes the following fixes: - The Go programming language version is updated to version 1.13.4. - WebSphere Liberty is upgraded to version 19.0.0.12. |
Review the list of security-related vulnerabilities that are fixed in this fix pack.
| Issue | CVE-ID | Description |
|---|---|---|
| 34916 | CVE-2019-4663 | IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245. |
| 32589, 32707, 32708, 33422, 33424 | CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
| 32781, 34260, 32843 | CVE-2019-11253 | Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. |
| 32710, 32899, 32900, 32959, 34260 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| 34245, 34307, 34614, 34657 | CVE-2019-17596 | Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. |
| 34391, 34406 | CVE-2019-1010266 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11. |
Reported problems that are fixed in the IBM Cloud Private 3.2.0.1911 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 32708 | Catalog-UI | This fix updates the packaged Lodash from version 4.17.5 to version 4.17.12. |
| 28870, 32054, 32707, 32838 | Helm-Tiller (helm-repo, mgmt-repo, helm-api, and rudder) | This fix pack includes the following fixes: - The Go programming language version is updated to version 1.12.11. - The packaged Lodash is updated from version 4.17.5 to a version that is greater than 4.17.12. |
| 28870, 32054, 32707, 32838 | Helm-Tiller (tiller) | This fix pack includes the following fixes: - The Go programming language version is updated to version 1.12.11. - The default tiller_ciphersuites value in the installer is corrected to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384. - A conditional statement is added to check the Kubernetes cluster type and confirm that the type is icp before the installer sets the hostNetwork variable. |
| 32956, 33082 | IBM Multicloud Manager | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11. |
| 32503, 32688, 32875, 32940, 33389 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - Support is added for enabling and disabling SAML without requiring WebSphere Liberty to be restarted. - WebSphere Liberty is upgraded to version 19.0.0.11. - An issue is fixed that caused nil values during authorization to be handled improperly. - An issue is fixed that caused the at_hash field of the identity token that is generated by the platform-identity-provider to not conform to the OpenID Connect specification. |
| 34175 | Istio | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
| 171, 32710, 32950 | Key Management Service (KMS) | This fix updates the Go programming language version to version 1.13.1. |
| 32710, 32950 | Key Management Service (KMS) plug-in | This fix updates the Go programming language version to version 1.13.1. |
| 32862 | Kubernetes | This fix resolves a high availability (HA) issue that caused a pod to remain in the Running state even when the Docker service was stopped on the master node. As part of this fix, the following changes are included: - A readiness probe and an additional default toleration are added for the kube-dns DaemonSet. - Readiness and liveness probes and an additional default toleration are added for the IBM Cloud Private management ingress DaemonSet. |
| 33422 | Metering | This fix updates the packaged Lodash version to a version greater than 4.17.12. |
| 32904, 32952, 33331, 33388 | Platform-API | This fix pack includes the following fixes: - The packaged Kubernetes CLI (kubectl) is updated from version 1.13.9 to version 1.13.11. - The Swagger UI is updated to version 3.24.0. |
| 32355, 32463, 32711, 32771, 33424 | Platform UI | This fix pack includes the following fixes: - The kubectl version is updated to version 1.13.11. - The packaged Lodash is updated to version 4.17.12. - The platform UI is updated to not delete service IDs from a team when a new user is added. - The management console is updated to display an error message when an error occurs during the deletion of a service ID that is associated with a team. |
| 32953 | System healthcheck service | This fix updates the Go programming language version to version 1.13.2. |
| 34176 | Vulnerability Advisor | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11. |
| 32904, 32952, 33331, 33388 | Web-terminal | This fix removes the tar command for security-related reasons. |
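The corrected tiller_ciphersuites value above is a comma-separated list of names that Tiller's Go TLS stack has to recognise exactly; a misspelt name is worth catching before it silently shrinks or breaks the allowlist. The Go program below is an added illustration, not code from IBM Cloud Private or Helm. It resolves such a list against crypto/tls, fails closed on any name the local toolchain does not implement, and flags the TLS_RSA_* entries, which use static RSA key exchange (no forward secrecy) and which Go 1.22 and later no longer offer by default in TLS 1.2 handshakes. The installer value is taken from the notes; treating the list as a strict allowlist for a TLS 1.2 server is this example's assumption.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tillerCipherSuites is the corrected default tiller_ciphersuites value from the
// fix pack notes, in the comma-separated form the installer stores.
const tillerCipherSuites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
	"TLS_RSA_WITH_AES_128_GCM_SHA256," +
	"TLS_RSA_WITH_AES_256_GCM_SHA384"

// SuiteCheck is the result of validating one installer cipher-suite string.
type SuiteCheck struct {
	IDs      []uint16 // resolved IDs in the order given; usable as tls.Config.CipherSuites
	Unknown  []string // names this Go toolchain does not implement at all
	Insecure []string // names this toolchain lists under tls.InsecureCipherSuites
	NoPFS    []string // TLS_RSA_* suites: static RSA key exchange, no forward secrecy
}

// knownSuites maps every cipher suite name the local toolchain implements to its
// IANA ID and whether Go classifies it as insecure. Both lists are consulted so a
// name a newer toolchain has reclassified still resolves and gets flagged instead
// of silently disappearing from the allowlist.
func knownSuites() (ids map[string]uint16, insecure map[string]bool) {
	ids, insecure = map[string]uint16{}, map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		ids[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		ids[cs.Name], insecure[cs.Name] = cs.ID, true
	}
	return ids, insecure
}

// CheckCipherSuites parses a comma-separated list the way the installer value is
// written and resolves each name against crypto/tls. The list is treated as an
// allowlist (an assumption of this example), so an unknown name is an error
// rather than a silently ignored entry.
func CheckCipherSuites(list string) (SuiteCheck, error) {
	var out SuiteCheck
	ids, insecure := knownSuites()
	for _, raw := range strings.Split(list, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		id, ok := ids[name]
		if !ok {
			out.Unknown = append(out.Unknown, name)
			continue
		}
		out.IDs = append(out.IDs, id)
		if insecure[name] {
			out.Insecure = append(out.Insecure, name)
		}
		// Static RSA key exchange encrypts the pre-master secret to the server's
		// long-term key, so a later key compromise decrypts recorded sessions.
		if strings.HasPrefix(name, "TLS_RSA_") {
			out.NoPFS = append(out.NoPFS, name)
		}
	}
	if len(out.Unknown) > 0 {
		return out, fmt.Errorf("cipher suites not implemented by this Go toolchain: %v", out.Unknown)
	}
	return out, nil
}

// ServerConfig turns a validated list into the tls.Config a Go server would use:
// TLS 1.2 as the floor (an assumption here) and only the listed suites. Go fixes
// the TLS 1.3 suites itself; CipherSuites only governs TLS 1.2 and below.
func ServerConfig(list string) (*tls.Config, error) {
	chk, err := CheckCipherSuites(list)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: chk.IDs}, nil
}

func main() {
	chk, err := CheckCipherSuites(tillerCipherSuites)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, id := range chk.IDs {
		fmt.Printf("0x%04x %s\n", id, tls.CipherSuiteName(id))
	}
	fmt.Println("no forward secrecy:", chk.NoPFS)
	fmt.Println("insecure per this toolchain:", chk.Insecure)
}
```

The NoPFS list is the practical finding: the two TLS_RSA_* suites the corrected default still permits. Whether they also appear under Insecure depends on the Go toolchain doing the check, which is why the example consults both lists rather than hard-coding an opinion.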
Review the list of security-related vulnerabilities that are fixed in this fix pack.
| Issue | CVE-ID | Description |
|---|---|---|
| 32379 | CVE-2019-16843 | Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. |
| 32379 | CVE-2019-16844 | Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. |
| 31863 | CVE-2019-1547 | Fixed for the NGINX ingress component only. Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
| 31863 | CVE-2019-1549 | Fixed for the NGINX ingress component only. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). |
| 31863 | CVE-2019-1563 | Fixed for the NGINX ingress component only. In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
| 32602, 32688, 32875, 32940, 33389 | CVE-2019-4304 | IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950. |
| 32607, 32688, 32875, 32940, 33389 | CVE-2019-4305 | IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951. |
| 32608, 32688, 32875, 32940, 33389 | CVE-2019-4441 | IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177. |
| 32379 | CVE-2019-9511 | Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 32688, 32875, 32979, 33389 | CVE-2019-9512 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 32379 | CVE-2019-9513 | Fixed for the NGINX ingress component and icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. |
| 32875, 32688, 32979, 33389 | CVE-2019-9514 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
| 32875, 32688, 32979, 33389 | CVE-2019-9515 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 32379 | CVE-2019-9516 | Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. |
| 32688, 32875, 32979, 33389 | CVE-2019-9517 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. |
| 32688, 32875, 32979, 33389 | CVE-2019-9518 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. |
| 32589, 32707, 32708, 33422, 33424 | CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
| 32771, 32839, 33082, 33331 | CVE-2019-11251 | Kubernetes could allow a remote attacker to gain unauthorized access to the system, caused by an error in kubectl cp that allows a combination of two symlinks to copy a file outside of its destination directory. An attacker could exploit this vulnerability to write arbitrary files outside of the destination tree. |
| 32710, 32838, 32904, 32950, 32952, 32953, 32956 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| 32904, 32975, 33388 | CVE-2019-17495 | A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that |
Reported problems that are fixed in the IBM Cloud Private 3.2.0.1910 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 32779 | Certificate management | The duration for the default Root CA certificate is changed from 3650 days to 824 days to support changes to the trusted certificate requirements for macOS 10.15. |
| 32108 | Docker | This fix corrects a Docker installation issue that prevented Docker from installing on Linux x86_64 hosts. |
| 31147 | IBM Multicloud Manager | The kubectl image version is updated to version 1.13.9 to be consistent with the Kubernetes version. This fix also upgrades the IBM Multicloud Manager API golang version to version 1.12.10 to fix a publicly disclosed vulnerability. |
| 31931, 32051, 32503, 32837 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - The Go programming language version is updated to version 1.12.10 to fix a publicly disclosed vulnerability. - Support is added for enabling and disabling SAML without requiring WebSphere Liberty to be restarted. - An issue is fixed that caused the state parameter to be missing from callback URLs during OpenID Connect (OIDC) authentication. - An issue is fixed that caused cloudctl login to fail for users with the Auditor role. |
| 32685 | Install | The installation path for adding management nodes is updated to correct an issue with Red Hat Ansible fact collection during the generation of the persistent volume (PV) request for logging. |
| 28889 | Istio | The kubectl image version is updated to version 1.13.9 to be consistent with the Kubernetes version. |
| 31655, 31723 | Management console | This fix pack includes the following fixes: - The management console is updated to avoid frequent reloads of the Teams page that request authorization of the user before the user can access the page again. - An error is corrected that caused the Overview page in the management console to show blank or missing resource overview cards when data is missing. |
| 31501 | MongoDB | MongoDB is updated from version 4.0.6 to version 4.0.12. |
| 28889 | Platform-API | The packaged Kubernetes CLI (kubectl) version is updated from version 1.13.5 to version 1.13.9. |
| 32302 | Vulnerability Advisor | The kubectl image version is updated to version 1.13.9 to be consistent with the Kubernetes version. |
Review the list of security-related vulnerabilities that are fixed in this fix pack.
| Issue | CVE-ID | Description |
|---|---|---|
| 31863 32147 |
CVE-2019-1547 |
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases, it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used, then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
| 31863 32147 |
CVE-2019-1549 |
OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). |
| 31863 32147 |
CVE-2019-1563 |
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
| 31501 | CVE-2019-2389 |
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22. |
| 31501 | CVE-2019-2390 |
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility. |
| 30633 | CVE-2019-9511 |
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 19587 31145 31147 30632 |
CVE-2019-9512 |
Fixed for Heketi only. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 30633 | CVE-2019-9513 |
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. |
| 19587 30632 31147 |
CVE-2019-9514 |
Fixed for Heketi only. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
| 30633 | CVE-2019-9515 |
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
| 30633 | CVE-2019-9516 |
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. |
| 30633 | CVE-2019-9517 |
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. |
| 30633 | CVE-2019-9518 |
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. |
| 19587 31145 32681 |
CVE-2019-9947 |
Fixed for the icp-storage-util image only. An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. |
| 19587 31145 32681 |
CVE-2019-9948 |
Fixed for the icp-storage-util image only. urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. |
| 24980 | CVE-2019-11244 |
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. |
| 29620 | CVE-2019-11247 | The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view, update, or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. |
| 29673 | CVE-2019-11248 | The Go pprof debugging endpoint, /debug/pprof, is exposed over the unauthenticated Kubelet healthz port. This debugging endpoint can leak sensitive information such as internal Kubelet memory addresses and configuration, or be used for a limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but it is not exposed by the default configuration. |
| 29620 | CVE-2019-11249 | The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user's machine when kubectl cp is called, limited only by the system permissions of the local user. Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. |
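The CVE-2019-11249 row describes the client trusting member names produced by a tar binary it does not control. The following is an added example, not code from kubectl or the IBM fix pack, of the extraction check that closes that class of bug: every member path and every link target must resolve under the destination directory, or nothing is extracted. The archive names and contents are constructed for the demonstration and stand in for what a malicious in-container tar could emit.

```python
# Added example, not code from kubectl or the IBM fix pack: the client-side
# check kubectl cp lacked, written for a tar stream received from an untrusted
# source. Every member path (and every link target) must resolve under the
# destination directory, otherwise nothing is extracted. File names and
# contents below are constructed for the demonstration.
import io
import os
import tarfile


def resolve_under(dest, relpath):
    """Resolve relpath against dest and raise ValueError if the result
    escapes dest (absolute path, '..' traversal, or both)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, relpath))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(relpath)
    return target


def find_offenders(tar_bytes, dest):
    """Return the names of members that would write outside dest."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            try:
                resolve_under(dest, m.name)
                if m.issym() or m.islnk():
                    # A link target is relative to the link's own directory;
                    # an absolute linkname discards that prefix in os.path.join,
                    # so it is checked on its own terms.
                    resolve_under(dest, os.path.join(os.path.dirname(m.name), m.linkname))
            except ValueError:
                bad.append(m.name)
    return bad


def safe_extract(tar_bytes, dest):
    """Extract only when every member is safe; return the extracted names."""
    offenders = find_offenders(tar_bytes, dest)
    if offenders:
        raise ValueError(f"refusing to extract, unsafe members: {offenders}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):        # Python 3.12+: second line of defence
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_tar(entries):
    """Constructed archives: (name, data) for a file, (name, None, linkname) for a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type = tarfile.SYMTYPE
                info.linkname = link[0]
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


BENIGN_TAR = build_tar([("app/config.yaml", b"key: value\n")])
# What a malicious tar binary inside the container could emit instead:
TRAVERSAL_TAR = build_tar([("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA constructed\n")])
ABSOLUTE_TAR = build_tar([("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")])
SYMLINK_TAR = build_tar([("out", None, "/etc"), ("out/passwd", b"pwned\n")])


def demo():
    """Extract the benign archive into a temp dir; confirm the others are refused."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["benign"] = safe_extract(BENIGN_TAR, dest)
        for label, blob in (("traversal", TRAVERSAL_TAR), ("absolute", ABSOLUTE_TAR),
                            ("symlink", SYMLINK_TAR)):
            try:
                safe_extract(blob, dest)
                results[label] = "EXTRACTED"
            except ValueError:
                results[label] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one naive checks miss: the member "out/passwd" is a perfectly ordinary relative path, and only the earlier "out" entry, a link to /etc, makes it dangerous. Validating the whole archive before writing anything, rather than member by member during extraction, is what keeps the first entry from setting a trap for the second.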
| 31724 | CVE-2019-11250 |
The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. |
| 19587 31145 | CVE-2018-14647 | Fixed for the icp-storage-util image only. Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, and 2.7 are believed to be vulnerable. |
| 19587 31145 31147 | CVE-2019-14809 | Fixed for Heketi only. net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. |
| 32837 | CVE-2019-16276 |
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
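The CVE-2019-16276 row says only that the affected Go versions allowed HTTP request smuggling. The following is an added example, not code from Go's net/http or from the IBM fix pack, of the strict header parsing that prevents the smuggling class in general. The specific defect the Go 1.12.10 fix addressed, accepting a header name followed by whitespace before the colon, is taken from the Go fix announcement and is not stated on this page; the sample messages are constructed.

```python
# Added example, not code from Go's net/http or the IBM fix pack: a strict
# HTTP/1.1 header-section parser of the kind that prevents request smuggling.
# The "space before the colon" case comes from the Go 1.12.10 fix
# announcement for CVE-2019-16276, not from this page. Samples are constructed.
import re

_TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token


class HeaderError(ValueError):
    pass


def parse_headers(raw):
    """Parse a header section (bytes ending in CRLF CRLF) into
    {lowercased-name: [values]}. Rejects, instead of normalising, every form
    that lets two hops disagree about framing: bare CR or LF, obsolete line
    folding, non-token names (which includes 'Name :'), repeated or
    non-numeric Content-Length, and Content-Length alongside Transfer-Encoding.
    """
    if not raw.endswith(b"\r\n\r\n"):
        raise HeaderError("header section must end with CRLF CRLF")
    body = raw[:-4]
    stripped = body.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        raise HeaderError("bare CR or LF inside header section")
    headers = {}
    for line in (body.split(b"\r\n") if body else []):
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding")
        name, sep, value = line.partition(b":")
        name_s = name.decode("ascii", "replace")
        if not sep or not _TCHAR.match(name_s):
            raise HeaderError(f"invalid header name: {name_s!r}")
        headers.setdefault(name_s.lower(), []).append(value.strip(b" \t").decode("latin-1"))
    lengths = headers.get("content-length", [])
    if lengths and "transfer-encoding" in headers:
        raise HeaderError("Content-Length and Transfer-Encoding both present")
    if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
        raise HeaderError(f"bad Content-Length: {lengths}")
    return headers


def is_well_formed(raw):
    try:
        parse_headers(raw)
        return True
    except HeaderError:
        return False


# Constructed samples. A lenient parser folds 'Content-Length : 5' into
# Content-Length; an intermediary that does not leaves the two sides with
# different framing, which is the smuggling condition.
GOOD = b"Host: example.com\r\nContent-Length: 5\r\n\r\n"
SPACE_BEFORE_COLON = b"Host: example.com\r\nContent-Length : 5\r\nTransfer-Encoding: chunked\r\n\r\n"
TE_AND_CL = b"Host: example.com\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
DUPLICATE_CL = b"Host: example.com\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"
BARE_LF = b"Host: example.com\nX-Test: 1\r\n\r\n"
OBS_FOLD = b"Host: example.com\r\n continued\r\n\r\n"

if __name__ == "__main__":
    for name in ("GOOD", "SPACE_BEFORE_COLON", "TE_AND_CL", "DUPLICATE_CL", "BARE_LF", "OBS_FOLD"):
        print(f"{name:20} well-formed={is_well_formed(globals()[name])}")
```

Rejecting with a 400 is the safe response at every hop. Any attempt to "repair" a malformed header, by trimming the space, keeping the first Content-Length, or preferring Transfer-Encoding, is a choice that some other parser in the chain may make differently, and that difference is what the attacker uses.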
Reported problems that are fixed in the IBM Cloud Private 3.2.0.1909 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 28889 | Istio | The kubectl image version is updated to version 1.13.7 to be consistent with the Kubernetes version. |
| 27506 30554 27276 29523 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - Support is added for the use of more special characters in the Bind DN for LDAP authentication: parentheses "()", colons ":", and the "@" symbol. - Support is added for skipping LDAP filter validation during LDAP configuration, controlled by a parameter. - An issue is corrected that caused a corrupted content error after logging out of IBM Cloud Private with OpenShift. |
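The Bind DN fix above concerns which characters a distinguished name may legitimately carry. The following is an added example, not IBM Cloud Private code, of the RFC 4514 (DN string) and RFC 4515 (search filter) escaping rules that govern this: parentheses, colons and "@" are ordinary characters inside a DN attribute value, while "(" and ")" must be escaped inside a filter, so a validator that applies filter rules to a DN rejects valid Bind DNs. Which rules the fix pack's validator actually applies is not stated on this page; the identities used are constructed.

```python
# Added example, not IBM Cloud Private code: the RFC 4514 (DN) and RFC 4515
# (search filter) escaping rules that decide which characters a Bind DN may
# carry unescaped. Parentheses, colons and '@' are ordinary characters inside
# a DN attribute value, but '(' and ')' must be escaped inside a filter, so a
# validator that applies filter rules to a DN rejects legitimate Bind DNs.
# Which rules the fix pack's validator applies is not stated on the page.

_DN_SPECIAL = set('"+,;<>\\')       # RFC 4514 section 2.4: always escaped


def escape_dn_value(value):
    """Escape one attribute value for use in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:                 # '#' is special only at the start
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading or trailing space
            out.append("\\ ")
        else:
            out.append(ch)                         # includes ( ) : @
    return "".join(out)


def escape_filter_value(value):
    """Escape a value placed inside a search filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def build_bind_dn(cn, ou, dc_parts):
    """Assemble cn=...,ou=...,dc=...,dc=... with every value DN-escaped."""
    rdns = [f"cn={escape_dn_value(cn)}", f"ou={escape_dn_value(ou)}"]
    rdns += [f"dc={escape_dn_value(dc)}" for dc in dc_parts]
    return ",".join(rdns)


def build_user_filter(uid, attr="uid"):
    """Assemble an equality filter with the user-supplied value filter-escaped."""
    return f"({attr}={escape_filter_value(uid)})"


if __name__ == "__main__":
    # Constructed identities, not from the page.
    print(build_bind_dn("svc (icp):bind@example.com", "Service Accounts", ["example", "com"]))
    print(build_bind_dn("Doe, John+", " #ops ", ["example", "com"]))
    print(build_user_filter("svc (icp)"))
    print(build_user_filter("*)(uid=*"))      # injection attempt neutralised
```

The two escaping functions are deliberately separate: a value copied from a DN into a filter (or back) must be unescaped under one RFC and re-escaped under the other, and the filter form is also the one that stops LDAP filter injection from a user-supplied login name.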
| 28019 | Installation | This fix updates the IBM Cloud Private installer. Helm chart images that are tagged by patches can now be upgraded during an upgrade to 3.2.0.1909 or later. |
| 28332 | Certificate management | This fix adds support for using your own certificate authority (CA) certificate that is not self-signed. |
Review the list of security-related vulnerabilities that are fixed in this fix pack.
| Issue | CVE-ID | Description |
|---|---|---|
| 29699 | CVE-2019-2766 CVE-2019-2786 CVE-2019-2816 CVE-2019-2762 CVE-2019-2769 CVE-2019-4473 | There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 that is used by IBM Cloud Private. IBM Cloud Private has addressed the applicable CVEs. |
| 31272 | CVE-2019-14809 | Go - parsing validation issue (Publicly disclosed vulnerability) |
| 26053 | CVE-2018-15664 | (All) Docker (Publicly disclosed vulnerability) |
Reported problems that are fixed in the IBM Cloud Private 3.2.0.1908 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 27683 | Role-based access control | This fix updates the Operator and Administrator role-based access controls for client custom resource definitions in deployments for IBM Cloud Private with OpenShift. |
| 28440 | Kubernetes | The namespace resource list that a user accesses from the management console is updated. With this fix, resources that are deleted by using kubectl no longer appear in the list of team resources within the management console. |
| 26704 26712 27946 | Identity and Access Management (IAM) | With this fix, the auth-idp daemonset is updated to support a custom client ID and secret other than the default client ID and secret. - This fix corrects an issue where requests that included additional query parameters lost those parameters in state during the authentication callback. With this fix, requests that contain additional query parameters are propagated correctly. - This fix also updates the platform identity provider image and the platform-login ingress. |
| 26643 | Management console | The platform-header image is updated to support redirects to a referrer URL for the management console after a user logs in. With this fix, a user that opens a URL to a specific page in the console and is then prompted to log in is redirected to that page after logging in. Without this fix, the user is always redirected to the Overview page in the management console after logging in. |
| 28310 | Software installation | The IBM Cloud Private installer is updated for IBM Cloud Private with OpenShift. This fix corrects an issue where the archive (archive_addons) installer was not available for IBM Cloud Private with OpenShift, which prevented specified archives from being installed by using the installer. |
Reported problems that are fixed in the IBM Cloud Private 3.2.0.1907 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 27127 | IBM Multicloud Manager | Support for the IBM Cloud Pak for Multicloud Management is added. |
| 26931 | Identity and Access Management (IAM) policy decision | With this fix, the auth-pdp daemonset ensures that any API key that is created for a specific resource is usable only for that single resource. Requests that use that API key for other resources are denied. This fix ensures backward compatibility with earlier versions of the authorization service. |
| 27189 | Key Management Service (KMS) key rotation | With this fix, the Key Management Service sends a POST request to the Identity and Access Management (IAM) to obtain authorization for a key rotation action. Previously, the Key Management Service sent a GET request, which resulted in a 401 unauthorized error. |
| 27609 27665 25878 | Kubernetes | This fix increases the character limit for the last name of a domain name in the Subject Alternative Names (SANs) list of the image manager and IBM Cloud Private management ingress certificate. The character limit is increased from 6 characters to 62 characters. This fix also corrects an issue for IBM Cloud Private with OpenShift that caused the NGINX ingress controller to return a TLS handshake error. |
| 27163 | Upgrading IBM Cloud Private | Upgrade override values are added so the auth-idp Helm chart can handle the integer value for the icp_port setting. These values correct an issue that caused an error during an auth-idp Helm chart upgrade. |
| 27346 | Cluster access | The ibmcloud-cluster-ca-cert role is updated to correct an error when accessing the kube-public/ibmcloud-cluster-ca-cert secret. Without this fix, the role cannot access the cluster information without extra privileges, which prevents pods from trusting the cluster CA without special access. |
| 26242 | Catalog | With this fix, two terminology updates are included within the Catalog: - What was previously referred to as a Solution Pak is now referred to as an IBM Cloud Pak. - What was previously referred to as a Cloud Pak is now referred to as an IBM Certified Container. |
| 27288 | Management console | The platform-header image is updated. Event Management now displays for IBM Multicloud Manager in the management console when IBM Cloud Event Management is installed in the kube-system namespace. |
Review the list of security-related vulnerabilities that are fixed in this fix pack.
| Issue | CVE-ID | Description |
|---|---|---|
| 27641 | CVE-2019-11246 | Kubernetes (Publicly disclosed vulnerability) |
| 25886 | CVE-2019-4120 | Identity and Access Management (IAM) (Reflected cross-site scripting (or XSS)) |
| 27969 | CVE-2016-6153 CVE-2017-10989 CVE-2017-13685 CVE-2017-2518 CVE-2017-2519 CVE-2017-2520 CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 CVE-2019-8457 CVE-2019-9936 CVE-2019-9937 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-7149 CVE-2019-7150 CVE-2019-7665 | Istio component vulnerabilities: istio-pilot, istio-galley, istio-proxyv2, istio-node-agent-k8s, istio-coredns-plugin |
Reported problems that are fixed in the IBM Cloud Private 3.2.0.1906 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
| Issue | Category | Description |
|---|---|---|
| 26237 26495 26231 | Catalog | An issue that prevented users from viewing and selecting more than 20 namespaces during the configuration flow is fixed. With this fix, the remote cluster deployment process uses the cluster namespace that is sent to the Klusterlet instead of the namespace that a user selected to deploy the Helm chart. This fix also adjusts the styling of the configuration footer on the configuration page to improve web terminal usability. |
| 26606 | GlusterFS | The performance of GlusterFS on IBM Z (s390x) is improved. By applying this fix pack, the ibm-glusterfs Helm chart is upgraded to deploy the updated GlusterFS Docker image that is shipped with the fix pack. |
| 26587 | Identity and Access Management (IAM) policy decision | With this fix, the auth-pdp daemon set overrides the user information from the token with the user information that is provided in the user authorization request. This fix ensures compatibility with earlier versions of the authorization service. |
| 25229 25851 | Istio | Support for Istio version 1.1.7 is added to resolve an issue that causes the HTTP probe to fail with a 503 status code. You need to upgrade to Istio version 1.1.7 to adopt the changes that are required to fix this issue. |
| 26762 | Monitoring | An issue that prevented users from using persistent volumes with the monitoring component is fixed. The initContainers for the monitoring component are changed to provide the required directory permissions to store the persisted data that is needed for users to use persistent volumes. |
| 20922 | Kubelet configuration | This fix changes the kubelet "--authorization-mode" argument from "AlwaysAllow" to "Webhook". With this change, the kubelet allows only requests that are explicitly authorized by the API server. Previously, the kubelet allowed all authenticated requests, including anonymous requests, without requiring explicit authorization checks from the API server. |
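The following is an added example, not an IBM Cloud Private manifest, showing the weak kubelet setting that the fix above replaces beside the hardened KubeletConfiguration that expresses the same change, together with the anonymous-auth setting that usually accompanies it. The clientCAFile path is an assumption; the field names are those of the kubelet.config.k8s.io/v1beta1 API.

```yaml
# Added example, not an IBM Cloud Private manifest. Command-line equivalents:
#   weak (what the fix removes):  --authorization-mode=AlwaysAllow
#   hardened:                     --authorization-mode=Webhook --anonymous-auth=false
#                                 --authentication-token-webhook --client-ca-file=<CA>
# The clientCAFile path below is an assumption.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false      # default is true: unauthenticated callers become system:anonymous
  webhook:
    enabled: true       # bearer tokens are checked with a TokenReview against the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook         # each request becomes a SubjectAccessReview; AlwaysAllow skips this
```

With Webhook authorization the API server itself must be authorized against the kubelet: it presents a client certificate (kube-apiserver --kubelet-client-certificate and --kubelet-client-key) whose identity is bound to the system:kubelet-api-admin ClusterRole, otherwise kubectl logs and kubectl exec fail with 403. A quick check after the change is an unauthenticated request to the kubelet API on port 10250 (for example GET /pods): with anonymous authentication disabled it returns 401 Unauthorized, and with anonymous authentication still enabled but Webhook authorization in place it returns 403 Forbidden for system:anonymous, whereas the AlwaysAllow setting returned the pod list.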
| 15602 | OpenID Connect (OIDC) client registration watcher | Support for the client registration watcher is added to manage OAuth clients. Users can create, update, and delete OAuth clients by using a new custom resource definition (CRD) named 'client'. Note: If you plan to roll back the 3.2.0.1906 fix pack to the IBM Cloud Private 3.2.0 version, you cannot roll back this client registration watcher support. The Helm chart for this client registration watcher is introduced with this fix pack and is not available in the IBM Cloud Private 3.2.0 version. To remove this Helm chart, you need to directly uninstall the oidcclient-watcher Helm chart. For more information, see Rolling back a fix pack. |
| 26264 | Search aggregation | Search aggregation fixes a memory leak that can cause many restarts on the search-aggregator pod. |
| 21678 | Vulnerability Advisor | Vulnerability Advisor scanning support is added for Docker images and containers that use the SUSE Linux Enterprise Server (SLES) operating system. The supported SLES versions include SLES 11, SLES 12, and SLES 15. |
Reported problems that are fixed in IBM Cloud Private 3.2.0
Review the list of fixed problems to see whether your reported problem was fixed in this release.
| Issue | Description |
|---|---|
| 21259 | How to deploy a Helm release without manually changing the image repository |
| 21733 | Web terminal does not work |
| 25482 | IBM Cloud Private - web terminal issue |
| 21187 | Installer does not upload the password rule of default admin into ICP API service |
| 23733 | Worker nodes still displayed via cloudctl command after removing them |
| 21703 | CF 3.1.2 Offline Install Failing: Unable to Find Image cfp-config-manager-3.1.2-024 |
| 21044 | Client needs a patch or steps to update TLS 1.2 for port 443 (ingress) |
| 19766 | Low SSL vulnerabilities still showing after upgrading from 2.1.0.3 to 3.1 |
| 23949 | The server version - openresty/1.13.6.2 was disclosed in the HTTP server response header. |
| 19088 | vulnerability is 42873 - SSL Medium Strength Cipher Suites Supported |
| 17024 | Kibana service is in red status: config: Error 503 Service Unavailable |
| 24087 | "Internal Server Error" when attempt to view audit log on Kibana using a user who has Auditor role |
| 23975 | Auditor user can see application logs in Kibana discover |
| 20773 | cluster domain name starting with "svc" is breaking mongodb install |
| 24305 | Grafana direct rendering: Error "templating init failed: Unauthorized" |
| 22673 | ICP Mongodb in PodInitializing state |
| 20292 | Audit Log volume or rate is causing ELK to become unstable - Customer would like ingestion of Audit Logs to be disabled |
| 18073 | Installing Core service: Mongodb patch for IBM Cloud Private version 2.1.0.3 clusters breaks helm-api |
| 22130 | monitoring-prometheus fails to start with an error - "Opening storage failed lock DB directory: resource temporarily unavailable" |
| 23037 | There is not authority control in logging and monitoring when switched to them from ICP console. |
| 18989 | cloudctl load chart fails from time to time |
| 19475 | EVRY: ICP 311: a user which is restricted to a given namespace cannot run helm |
| 23061 | Helm chart/repo resources rights |
| 25319 | How to restore local repo |
| 21408 | ibm-mariadb-dev helm chart broken for PPC platform on 3.1.1 |
| 20582 | Issues to apply some ICP 3.1.1 fixes |
| 24890 | skip_pre_check does not actually skip the cluster_CA_domain check |
| 21841 | 310->312 Load balancer address should be same as cluster CA domain, |
| 21832 | pre-check the cluster status before upgrading |
| 24067 | Upgrade to 3.1.2 mandates matching cluster_CA_domain and cluster_lb_address |
| 22726 | The istio-proxy container shows exec format error on Power system |
| 23507 | Compliance UI shows a completely blank window |
| 23266 | MCM 3.1.2. MongoDB pod memory consumption |
| 24297 | Customer needs to restrict the source IP addresses which can access ICP |
| 22811 | CVE-2019-1002100 |
| 18941 | Detail steps to backup/restore on ICP CNE 3.1.x |
| 23586 | Error messages about mariadb occurred repeatedly Error: 105: Key already exists (/mariadb_lock) |
| 19029 | EVRY:High CPU use on Masters in multi-master ICP 311 |
| 21858 | ICP 2.1.0.3 - Failed to activate interim fix: icp-2.1.0.3-build502221 |
| 23721 | ICP 3.1.1 - Garbage collection failing |
| 20719 | Need a patch icp-2.1.0.3-build510945 applicable to amd64 platform |
| 23672 | Reference authority of Docker image from dashboard |
| 21368 | Unisys 2.1.0.3 Deployments Maxing out Workers, Nodes go Unhealthy |
| 14141 | Update ICP 2.1.0.3 to include a critical Kubernetes fix available in v1.10.5 |
| 25394 | /var/lib/calico/nodename should be removed when removing a node |
| 23438 | ICP4D: Failed install of ICP for Data v1.2.1 on RHEL7.5 VM (Softlayer). |
| 23645 | Cannot add additional resources to team / losing previously added ones too |
| 21856 | Container overview page is NOT available in ICP 3.1.2 |
| 23772 | Deployments - CREATED column is not accurate, or totally wrong |
| 21076 | EVRY:ICP 311 selected items are unselected at Edit |
| 21722 | Fresh 3.1.1 install - services are assigned master VIP instead of proxy VIP |
| 20586 | HA cluster: Inconsistency in the pod status - running or terminating |
| 23253 | ICP Web Console Deployments sorting (Created Date) does not work correctly |
| 19933 | LDAP password in plain text in browser UI in ICP 2.1.0.2 |
| 19562 | LDAP User search UI not in sync with backend response |
| 14225 | The popup window is too small to show LDAP string while creating a team |
| 23763 | Usability issue on creating a team page |
| 20867 | Adding LDAPS connection crashes platform-identity-mgmt container |
| 24999 | Console Login Failing with 400 Bad Request, MariaDB ERROR 1210 (HY000) at line 1: WSREP (galera) not started |
| 21567 | ICP 3.1.1 auth-idp pod keeps restarting |
| 21396 | In Group a User appears 2 times |
| 11994 | Inconsistent/erroneous behavior configuring LDAP for ICP |
| 23530 | Issue for fix Denied (LDAP user not recognized as cluster admin) |
| 20463 | LDAPS - incorrect user - error code 49 |
| 19930 | Logging in 10-20 times in a row with cloudctl login successful only 2 or 3 times |
| 21331 | Login via bx pr not working consistently from Jenkins pipeline |
| 22261 | OIDC errors for post-installed products (TA / MC / CAM) when SAML is enabled |
| 21897 | OIDC onboarding for workloads |
| 22980 | Request fix to change port 9443 / TCP over SSL to TLSv1.2 |
| 21555 | Unable to log in with LDAP but can add users with no problem |
| 22583 | Web interface unresponsive when navigating to a team |
| 24112 | MCM 3.1.2. Grafana dashboard does not reflect changes if a component of the Application is moved to other cluster |
| 23954 | New Rule function in Manage Whitelist for Mutation Advisor is vulnerable to stored cross site scripting (XSS) vulnerability. |
| 25439 | ICP 3.1.0 - VA Behavior in case of unsupported images |
| 18542 | Vulnerability Advisor - IP instead of the cluster name in the console |
| 18940 | CAM performance and HA |