Abstract
This document lists the fixes contained in IBM Cloud Pak® System Version 2.3.3.6 interim fix 1.
Download Description
To download Version 2.3.3.6 interim fix 1, go to the IBM Cloud Pak System product page on IBM Fix Central.
Security vulnerabilities
IBM Cloud Pak System Version 2.3.3.6 interim fix 1 includes fixes for these security vulnerabilities:
| CVE | Summary |
|---|---|
| CVE-2012-0881 | Apache Xerces 2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. |
| CVE-2019-10172 | Jackson-mapper-asl might allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when XML data is processed. |
| CVE-2019-10202 | Jackson-mapper, as shipped in Red Hat JBoss Enterprise Application Platform (EAP), might allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization in Codehaus. |
| CVE-2022-3517 | minimatch is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the braceExpand function. |
| CVE-2022-40609 | IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 might allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. |
| CVE-2022-41717 | Golang Go is vulnerable to a denial of service, caused by a flaw when HTTP/2 requests are handled in the Go server. |
| CVE-2022-41720 | Golang Go might allow a remote attacker to obtain sensitive information, caused by improper access control by the os.DirFS function and http.Dir type. |
| CVE-2022-41725 | Golang Go is vulnerable to a denial of service, caused by a flaw when multipart form parsing is performed with mime/multipart.Reader.ReadForm. |
| CVE-2023-24532 | Golang Go is vulnerable to an unspecified flaw in the P256 curve implementation. |
| CVE-2023-24534 | Golang Go is vulnerable to a denial of service, caused by memory exhaustion in the common function in HTTP and MIME header parsing. |
| CVE-2023-24539 | Golang Go is vulnerable to HTML injection. |
| CVE-2023-24540 | |
| CVE-2023-29400 | |
| CVE-2023-29402 | Golang Go might allow a remote attacker to execute arbitrary code on the system, caused by the generation of unexpected code at build time when cgo is used. |
| CVE-2023-29403 | Golang Go might allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when a binary is run with the setuid/setgid bits. |
| CVE-2023-29404 | Golang Go is vulnerable to a denial of service, caused by memory exhaustion in the common function in HTTP and MIME header parsing. |
| CVE-2023-29405 | Golang Go might allow a remote attacker to execute arbitrary code on the system, caused by a flaw when "go get" is run on a malicious module. |
| CVE-2023-29406 | Golang Go is vulnerable to HTTP header injection, caused by improper content validation of the Host header by the HTTP/1 client. |
| CVE-2022-45685, CVE-2022-45693 | Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. Jettison is also vulnerable to a denial of service, caused by infinite recursion when a JSONArray is constructed from a Collection that contains a self-reference in one of its elements. |
| CVE-2022-46175 | JSON5 might allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. |
| CVE-2023-28154 | Webpack might allow a remote attacker to bypass security restrictions, caused by the mishandling of the magic comment feature by ImportParserPlugin.js. |
| CVE-2023-25930, CVE-2023-26021, CVE-2023-26022, CVE-2023-27555, CVE-2023-27559, CVE-2023-29255 | Db2 is vulnerable to a denial of service. |
| CVE-2023-29257 | Db2 is vulnerable to remote code execution. |
For more information about IBM Product Security articles, see these links:
- https://www.ibm.com/support/pages/bulletin/
- https://www.ibm.com/support/pages/ibm-security-vulnerability-management
IBM Cloud Pak System APARs
The following table contains the Authorized Program Analysis Reports (APARs) and other fixes that are included in this release. If an integrated pattern or component is not listed, there are no fixes for that pattern or component in this version. The upgrade recommendation is to move directly to 2.3.3.6 interim fix 1.
| APAR | APAR Description |
|---|---|
| IT41902 | CWZIP1200E Unable to communicate with the virtual management software by using an IP address. |
| IT43849 | CWZIP6239E The amount of free space on the /data/www/ipas/dumps file system is critical. |
| | CWZIP8804W The battery degraded messages keep being raised after battery replacement. |
| | Red Hat OpenShift Container Platform accelerator deployment fails when a delay occurs in registering with the Red Hat Satellite Server during deployment. |
| IT44015 | CWZIP6239E The amount of free space on the /data/www/ipas/dumps file system is critical. Note: This problem is fixed as part of APAR IT43849. |
| | Service 33 does not come up after failover on the leader Platform System Manager (PSM) as part of the upgrade. |
| | Email notification failure marks the system backup job as failed. Note: Additional problem resolved: the CWZIP3301W warning is fixed when the deprecated Automatic health check option is enabled. |
| IT44528 | IBM Spectrum Scale (IBM Storage Scale) does not autostart after a virtual machine reboot. |
Document Information
Modified date: 05 February 2024
UID: ibm17017282