Abstract
This document lists the fixes contained in IBM PureApplication System 2.2.2.2.
Download Description
To download the interim fix, go to the PureApplication System product page on Fix Central.
Version 2.2.2.2 includes fixes for these security vulnerabilities:
CVEID: CVE-2016-6302
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to consider the HMAC size during validation of the ticket length in the tls_decrypt_ticket function. A remote attacker could exploit this vulnerability using a ticket that is too short to cause a denial of service.
CVEID: CVE-2016-6304
DESCRIPTION: OpenSSL is vulnerable to a denial of service. By repeatedly requesting renegotiation, a remote authenticated attacker could send an overly large OCSP Status Request extension to consume all available memory resources.
CVEID: CVE-2016-2177
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the incorrect use of pointer arithmetic for heap-buffer boundary checks. By leveraging unexpected malloc behavior, a remote attacker could exploit this vulnerability to trigger an integer overflow and cause the application to crash.
CVEID: CVE-2016-2178
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DSA implementation that allows a non-constant-time code path to be followed for certain operations. An attacker could exploit this vulnerability using a cache-timing attack to recover the private DSA key.
CVEID: CVE-2016-3485
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact.
CVEID: CVE-2016-5573
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Hotspot component has high confidentiality impact, high integrity impact, and high availability impact.
CVEID: CVE-2016-5542
DESCRIPTION: An unspecified vulnerability related to the Libraries component has no confidentiality impact, low integrity impact, and no availability impact.
CVEID: CVE-2016-5597
DESCRIPTION: An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVEID: CVE-2016-5387
DESCRIPTION: Apache HTTP Server could allow a remote attacker to redirect the HTTP traffic of a CGI application, caused by the failure to protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable. By using a specially crafted Proxy header in an HTTP request, an attacker could exploit this vulnerability to redirect outbound HTTP traffic to an arbitrary proxy server. This is also known as the "HTTPOXY" vulnerability.
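The HTTPOXY mechanism described above, as an added example that is not part of the IBM document: the CGI header-to-environment mapping turns a client-supplied Proxy header into HTTP_PROXY, and the fix is to drop that header before the CGI application sees it. The request headers, host names and the `outbound_proxy_for` client model are constructed for illustration.

```python
"""Added example (not from the IBM document): how CVE-2016-5387 (HTTPOXY)
arises from the CGI header-to-environment mapping, and the server-side
mitigation of discarding the client 'Proxy' request header.

All request data below is constructed sample input, not captured traffic.
"""


def cgi_meta_variables(headers):
    """RFC 3875 mapping: request header 'Foo-Bar' becomes HTTP_FOO_BAR.
    A client-supplied 'Proxy' header therefore lands in HTTP_PROXY, a
    variable many HTTP client libraries read as the outbound proxy."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Mitigation with the same effect as the Apache fix (unset the
    'Proxy' request header early): the header has no defined meaning in
    a request, so it can be dropped unconditionally."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def outbound_proxy_for(env):
    """Model of a client library that honours HTTP_PROXY from the process
    environment (assumed behaviour); None means 'connect directly'."""
    return env.get("HTTP_PROXY") or None


# Constructed request: a normal request plus the attacker-controlled
# 'Proxy' header the CVE text describes.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "constructed-sample/1.0"),
    ("Proxy", "http://proxy.example.test:8080"),
]

if __name__ == "__main__":
    vuln_env = cgi_meta_variables(SAMPLE_HEADERS)
    safe_env = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    print("unpatched server, outbound proxy:", outbound_proxy_for(vuln_env))
    print("patched server, outbound proxy:  ", outbound_proxy_for(safe_env))
```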
See the following known limitations:
A warning event is generated when a user attempts to create a collection set on the system.
| Problem: | A warning event is generated creating a collection set. The problem is due to an issue parsing the hostname of an LDAP server described in the "LDAP provider URL". |
| Resolution: | Change the LDAP hostname to the IP address or the fully qualified hostname. |
The following table contains the Authorized Program Analysis Reports (APARs) included in this release.
If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version.
| APAR | Abstract |
| --- | --- |
| | PureApplication System: Backup job fails to run due to a long-running internal job |
| | PureApplication System: Remove the root directory "/" from the list of mount points prohibited when using disk add-ons |
| | PureApplication System: A non-admin user is not able to run script packages from the console on virtual system patterns |
| | PureApplication System: Pure.cli command line interface does not raise an exception when pattern loading fails |
| | PureApplication System: The Pure command line interface library is missing the property "CREATE_TIME" |
| | PureApplication Service: The "Help" link to the Knowledge Center does not work |
| | PureApplication System: Changing virtual machine memory does not survive a store / restore operation |
| | PureApplication System: Links in Operations panel do not work for a user without an Administrator role assigned |
| | PureApplication System: A significant amount of time is spent performing SSL handshakes between internal components |
IBM OS Pattern Kit APARs
| APAR | Abstract |
| --- | --- |
| | IBM OS Pattern Kit: Running the AE-Installer-Linux.sh on a RHEL 7.1 virtual machine stops with an "Unexpected end of file" error |
Document Information
Modified date:
15 June 2018
UID
swg24043028