Download
Abstract
This document lists the fixes contained in IBM Cloud Pak® System Version 2.3.4.1.
Download Description
To download Version 2.3.4.1, go to the IBM Cloud Pak System product page on IBM Fix Central.
Security vulnerabilities
IBM Cloud Pak System Version 2.3.4.1 includes fixes for these security vulnerabilities:
| Relevant vulnerabilities | Summary | Security Bulletin URL |
|---|---|---|
| CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | vCenter Server contains multiple heap-overflow and privilege escalation vulnerabilities | https://www.ibm.com/support/pages/node/7232461 |
| CVE-2024-33883 | Node.js ejs module denial of service | https://www.ibm.com/support/pages/node/77168667 |
| CVE-2023-4091 | Samba security bypass | https://www.ibm.com/support/pages/node/7172552 |
| CVE-2024-38474 | Apache HTTP Server code execution | https://www.ibm.com/support/pages/node/7173035 |
| CVE-2024-38475 | Apache HTTP Server weakness in mod_rewrite when the first segment of the substitution matches a filesystem path. | https://www.ibm.com/support/pages/node/7173035 |
| CVE-2024-33599 | glibc netgroup cache buffer overflow | https://www.ibm.com/support/pages/node/7171733 |
| CVE-2015-8383, CVE-2015-8381, CVE-2015-8386, CVE-2015-8388, CVE-2015-8385, CVE-2015-8387, CVE-2015-8391, CVE-2015-8390, CVE-2015-8393, CVE-2015-8395, CVE-2015-8394, CVE-2015-2328, CVE-2015-2327, CVE-2020-14155, CVE-2015-8392, CVE-2023-29258, CVE-2023-45178, CVE-2023-46167, CVE-2023-47701, CVE-2023-43020, CVE-2018-25032, CVE-2002-0059, CVE-2022-37434, CVE-2023-40692, CVE-2023-40687, CVE-2023-38727, CVE-2023-38003, CVE-2023-1370, CVE-2022-3171, CVE-2022-3509, CVE-2023-43642, CVE-2023-34462, CVE-2023-32731, CVE-2022-3510 | Multiple vulnerabilities in IBM Db2 | https://www.ibm.com/support/pages/node/7169788 |
| CVE-2024-4068 | Node.js braces module denial of service | https://www.ibm.com/support/pages/node/77168667 |
| CVE-2024-1394 | Golang golang-fips/openssl denial of service | https://www.ibm.com/support/pages/node/7172441 |
| CVE-2024-28757 | libexpat information disclosure | https://www.ibm.com/support/pages/node/7171733 |
| CVE-2024-37890 | Node.js ws module denial of service | https://www.ibm.com/support/pages/node/77168667 |
| CVE-2024-24788 | Golang Go denial of service | https://www.ibm.com/support/pages/node/7172441 |
| CVE-2024-4067 | Node.js micromatch module denial of service | https://www.ibm.com/support/pages/node/7168667 |
| CVE-2023-45853, CVE-2023-29267, CVE-2024-25710, CVE-2024-26308, CVE-2023-45178, CVE-2024-28762, CVE-2024-29025, CVE-2024-29131, CVE-2024-29133, CVE-2024-31880, CVE-2024-31881 | Multiple Vulnerabilities in Db2 - June 2024 | https://www.ibm.com/support/pages/node/7169788 |
| CVE-2023-2650 | OpenSSL denial of service | https://www.ibm.com/support/pages/node/7173083 |
| CVE-2023-0464 | OpenSSL denial of service | https://www.ibm.com/support/pages/node/7173083 |
| CVE-2023-38012 | | https://www.ibm.com/support/pages/node/7148474 |
| CVE-2023-38716 | IBM Cloud Pak System information disclosure and directory traversal | https://www.ibm.com/support/pages/node/7148474 |
| CVE-2023-40372, CVE-2023-38719, CVE-2023-38740, CVE-2023-40374 | Multiple vulnerabilities in Db2 | https://www.ibm.com/support/pages/node/7169788 |
| CVE-2023-47158, CVE-2023-47747, CVE-2023-27859, CVE-2023-47746, CVE-2023-47152, CVE-2023-47141, CVE-2023-50308 | Vulnerabilities in Db2 | https://www.ibm.com/support/pages/node/7169788 |
| CVE-2023-48795 | IBM WebSphere Application Server Liberty information disclosure | https://www.ibm.com/support/pages/node/7171869 |
| CVE-2024-24785 | Golang Go security bypass | https://www.ibm.com/support/pages/node/7171869 |
| CVE-2024-24783 | Golang Go denial of service | https://www.ibm.com/support/pages/node/7171869 |
| CVE-2024-24784 | Golang Go security bypass | https://www.ibm.com/support/pages/node/7171869 |
| CVE-2023-45289 | Golang Go information disclosure | https://www.ibm.com/support/pages/node/7171869 |
| CVE-2023-45290 | Golang Go denial of service | https://www.ibm.com/support/pages/node/7171869 |
| CVE-2024-29041 | Express.js Express open redirect | https://www.ibm.com/support/pages/node/77168667 |
| CVE-2024-29180 | webpack webpack-dev-middleware directory traversal | https://www.ibm.com/support/pages/node/77168667 |
| CVE-2024-28863 | isaacs node-tar denial of service | https://www.ibm.com/support/pages/node/77168667 |
| CVE-2024-21085, CVE-2023-38264 | Oracle Java SE, GraalVM for JDK and GraalVM unspecified; IBM SDK, Java Technology Edition denial of service | https://www.ibm.com/support/pages/node/7173036 |
| CVE-2024-24789 | Golang Go security bypass | https://www.ibm.com/support/pages/node/7172441 |
| CVE-2024-24790 | Golang Go unspecified | https://www.ibm.com/support/pages/node/7172441 |
| CVE-2023-3817 | Go Unspecified | https://www.ibm.com/support/pages/node/7171733 |
| CVE-2023-5678 | OpenSSL denial of service | https://www.ibm.com/support/pages/node/7171733 |
| CVE-2023-3446 | OpenSSL denial of service | https://www.ibm.com/support/pages/node/7171733 |
| CVE-2023-0466, CVE-2023-0465 | OpenSSL security bypass | https://www.ibm.com/support/pages/node/7173083 |
| CVE-2024-27316 | Apache HTTP Server denial of service | https://www.ibm.com/support/pages/node/7173035 |
| CVE-2023-38729, CVE-2012-2677, CVE-2024-25046, CVE-2024-27254, CVE-2023-52296, CVE-2024-22360 | Vulnerabilities in Db2 | https://www.ibm.com/support/pages/node/7169788 |
| CVE-2024-22274, CVE-2024-22275 | VMware vCenter Server remote code execution, partial file read vulnerability. | https://www.ibm.com/support/pages/node/7173448 |
| CVE-2024-37086 | VMware ESXi has an out-of-bounds write vulnerability | https://www.ibm.com/support/pages/node/7173469 |
| CVE-2024-22254 | ESXi Out-of-bounds write vulnerability | https://www.ibm.com/support/pages/node/7173469 |
| CVE-2024-22273 | Code Execution Vulnerability in Broadcom VMware ESXi | https://www.ibm.com/support/pages/node/7173469 |
| CVE-2024-37087 | VMware vCenter Server denial-of-service | https://www.ibm.com/support/pages/node/7173448 |
| CVE-2024-38510, CVE-2024-38511, CVE-2024-38508, CVE-2024-38509, CVE-2024-38512 | Lenovo XClarity Controller (XCC) privilege escalation | https://www.ibm.com/support/pages/node/7173742 |
| CVE-2024-29018 | Docker information disclosure | https://www.ibm.com/support/pages/node/7174014 |
| CVE-2024-24557 | Docker weak security | https://www.ibm.com/support/pages/node/7174014 |
| CVE-2023-45288 | Golang Go denial of service | https://www.ibm.com/support/pages/node/7172441 |
| CVE-2024-22329 | IBM WebSphere Application Server Liberty server-side request forgery (SSRF) | https://www.ibm.com/support/pages/node/7174017 |
| CVE-2023-50312 | IBM WebSphere Application Server Liberty information disclosure | https://www.ibm.com/support/pages/node/7174017 |
| CVE-2024-39338 | Axios server-side request forgery | https://www.ibm.com/support/pages/node/7168667 |
For more information about IBM Product Security articles, see these links:
- https://www.ibm.com/support/pages/bulletin/
- https://www.ibm.com/support/pages/ibm-security-vulnerability-management
IBM Cloud Pak System problem fixes
The following table contains the problem fixes that are included in this release.
Optional: If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version. The upgrade recommendation is to move directly to 2.3.4.1.
| Document | Description |
|---|---|
| DT392212 | Environment Profiles often have deployment IDs of Virtual System Instances which have already been removed from the system. Regular cleanup of the Environment Profile is required. |
| DT392363 | CWZIP6239E: The amount of free space on the file system /data/www/ipas/dumps is critical. Older files get deleted to provide more free space. |
| DT392284 | Backup failed by blocking the chargeback job. |
| DT392440 | The system health report reports Error Message: No such property: rackmtms for class: systemlogs.health.HWInformation10 |
| DT393378 | The Pattern Deployment/Db2 Fix Packs (Virtual Systems) menu item is not visible in the new GEN4 racks. |
| DT396525 | In the external logging message, a hard-coded string %{path} appears instead of the actual log file path, which causes issues in custom log processing. |
| DT393236 | Request for Storage Collection Set returns status incomplete. An error message CWZIP3306W appears in the 'Readme.txt' file. |
| DT392393 | CWZIP3509E: The Call Home request failed while submitting a request to create a new service ticket for IBM Cloud Pak System. |
| DT392405 | If a read-only user clones the pattern with saved passwords, the passwords become masked passwords (********) in the cloned pattern. |
| DT392181 | The Db2 instance does not start (partially) correctly after a non-graceful reboot. |
| DT391903 | The Delete Operation API was not working from the Command Line interface. |
| DT392398 | The firmware on the drive has a problem calculating the life expectancy of the drive and incorrectly posts this message that the hardware is not broken. |
Document Information
Modified date: 05 May 2025
UID: ibm17168483