Download
Abstract
This document lists the fixes contained in IBM Cloud Pak® System Version 2.3.3.7 interim fix 1.
Download Description
To download Version 2.3.3.7 interim fix 1, go to the IBM Cloud Pak System product page on IBM Fix Central.
Security vulnerabilities
IBM Cloud Pak System Version 2.3.3.7 interim fix 1 includes fixes for these security vulnerabilities:
Relevant vulnerabilities | Summary | Security bulletin |
---|---|---|
CVE-2012-0881 | Vulnerable library xercesImpl-2.9.1.jar raised by scan report | https://www.ibm.com/support/pages/node/7038004 |
CVE-2019-10172, CVE-2019-10202 | Vulnerabilities in Jackson-mapper-1.9.2 | https://www.ibm.com/support/pages/node/7038004 |
CVE-2022-1471 | snakeyaml-1.33.jar (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7081596 |
CVE-2023-39318, CVE-2023-39319 | Golang go (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7101432 |
CVE-2022-38900 | decode-uri-component-0.2.0.tgz (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7101428 |
CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597 | IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU plus CVE-2023-2597 | https://www.ibm.com/support/pages/node/7105298 |
CVE-2023-38273 | Inadequate account lockout mechanism | https://www.ibm.com/support/pages/node/7105357 |
CVE-2020-17521 | Java deserialization filters (JEP 290) ignored during IBM ORB deserialization | https://www.ibm.com/support/pages/node/7037890 |
CVE-2016-6814, CVE-2015-3253 | Multiple vulnerabilities in Groovy | https://www.ibm.com/support/pages/node/7106768 |
CVE-2022-31129 | moment-2.29.2.tgz (Publicly disclosed vulnerability found by WhiteSource) | https://www.ibm.com/support/pages/node/7105324 |
240631 | Docker (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7081607 |
256137 | Jackson - 256137 (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7105096 |
CVE-2022-25881 | http-cache-semantics-4.1.0.tgz (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7101437 |
CVE-2023-28154 | webpack-5.74.0.tgz (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7038776 |
CVE-2023-28155 | request-2.88.2.tgz (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7105187 |
CVE-2018-25032 | zlib (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7105138 |
CVE-2022-37866, CVE-2022-37865 | ivy-2.2.0.jar (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7105142 |
CVE-2022-43929, CVE-2022-43927, CVE-2014-3577, CVE-2022-43930 | Db2 is affected by multiple vulnerabilities (February 8, 2023) | https://www.ibm.com/support/pages/node/7105374 |
CVE-2023-26115 | word-wrap-1.2.3.tgz (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7101427 |
CVE-2022-25883 | semver-5.7.1.tgz (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7101438 |
CVE-2023-24998 | IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Apache Commons FileUpload | https://www.ibm.com/support/pages/node/7105176 |
CVE-2023-24998 | commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7081596 |
CVE-2022-41724 | Golang go (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7105143 |
CVE-2022-3676 | IBM Java - OpenJ9 | https://www.ibm.com/support/pages/node/7105376 |
CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 | IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU | https://www.ibm.com/support/pages/node/7105250 |
CVE-2022-31836 | Beego vulnerability | https://www.ibm.com/support/pages/node/7101431 |
CVE-2022-39161 | IBM WebSphere Application Server Liberty is vulnerable to spoofing when Web Server plug-ins are used | https://www.ibm.com/support/pages/node/7105365 |
CVE-2023-0482 | IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy | https://www.ibm.com/support/pages/node/7101435 |
CVE-2023-21830, CVE-2023-21843 | IBM SDK, Java Technology Edition Quarterly CPU - Jan 2023 - Includes Oracle January 2023 CPU | https://www.ibm.com/support/pages/node/7005573 |
CVE-2022-21426 | IBM Java XML vulnerability, deferred from Oracle Apr 2022 CPU | https://www.ibm.com/support/pages/node/7101430 |
CVE-2023-4759 | org.eclipse.jgit-4.0.3.201509231615-r.jar (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7101429 |
CVE-2023-29409, CVE-2023-39325 | Golang go (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7105284 |
CVE-2022-37865, CVE-2022-37866, CVE-2022-46751 | ivy-2.1.0-rc1.jar (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7105142 |
CVE-2023-39323 | Golang go (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7105141 |
CVE-2018-6561 | dojo-dojo-release-1.12.1 (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/7101434 |
CVE-2022-40609 | Java deserialization filters (JEP 290) were ignored during IBM ORB deserialization (Advisory for consuming products) | https://www.ibm.com/support/pages/node/7037890 |
CVE-2023-30447, CVE-2023-30446, CVE-2023-30443, CVE-2023-30448, CVE-2023-30445, CVE-2023-30449, CVE-2023-23487, CVE-2023-30431, CVE-2023-27869, CVE-2023-27867, CVE-2023-27868, CVE-2023-30442, CVE-2023-29256, CVE-2023-27558, CVE-2023-35012 | Db2 is affected by multiple vulnerabilities (July 7, 2023) | https://www.ibm.com/support/pages/node/7105329 |
CVE-2022-46337 | derby-10.14.2.0.jar (Publicly disclosed vulnerability found by Mend) | https://www.ibm.com/support/pages/node/ |
CVE-2021-3749, CVE-2020-28168 | axios-0.19.2.tgz (Publicly disclosed vulnerability found by WhiteSource) | https://www.ibm.com/support/pages/node/7101436 |
CVE-2022-24785 | moment-2.24.0.tgz (Publicly disclosed vulnerability found by WhiteSource) | https://www.ibm.com/support/pages/node/7105281 |
CVE-2022-25858 | terser-5.14.0.tgz (Publicly disclosed vulnerability found by WhiteSource) | https://www.ibm.com/support/pages/node/7101433 |
CVE-2023-29402 | Golang go (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7037900 |
CVE-2023-3894 | Jackson (Publicly disclosed vulnerability) | https://www.ibm.com/support/pages/node/7105096 |
For more information about IBM Product Security articles, see these links:
- https://www.ibm.com/support/pages/bulletin/
- https://www.ibm.com/support/pages/ibm-security-vulnerability-management
- https://www.ibm.com/support/pages/bulletin/search/?q=IBM%20Cloud%20Pak%20System%20Software (All security bulletins for IBM Cloud Pak System Software)
IBM Cloud Pak System APARs
The following table lists the Authorized Program Analysis Reports (APARs) and other fixes that are included in this release. If an integrated pattern or component is not listed, there are no fixes for that pattern or component in this version. The recommended upgrade path is to move directly to 2.3.3.7 interim fix 1.
Problems (APARs) fixed
Document Information
Modified date:
11 January 2024
UID
ibm17045119