IBM Support

Available patches for IBM Cloud Pak for Data

Preventive Service Planning


Abstract

This document lists the available patches for the IBM Cloud Pak for Data control plane.

Content

Use the following links to jump to the list of patches for each version of Cloud Pak for Data:

Cloud Pak for Data 3.5 patches
Ensure that you apply patches for the version of Cloud Pak for Data that is running on your environment:
 
3.5.2 patches
The patches in this section apply only if you have installed the 3.5.2 version of the Cloud Pak for Data control plane.
cpd-3.5.2-lite-patch-3
Patch name cpd-3.5.2-lite-patch-3
Released on 25 March 2021
Service assembly lite
Applies to service version 3.5.2
Applies to platform version Cloud Pak for Data 3.5
Patch type
Cumulative.
This patch includes fixes from previous patches.
Description
In addition to the fixes that were introduced in previous patches, this patch includes fixes for the following issues:
 
  • Issue: When you apply cpd-3.5.2-lite-patch-2 in a namespace where the IBM Cloud Pak for Data common core services are installed, the zen-watchdog service enters a crashloopbackoff state and does not restart.

    Resolution:
    The service no longer enters the crashloopbackoff state.
     
  • Issue: If you are on the Services > Instances page and you click Manage access on a service instance, you are taken to the home page rather than the Access management page.

    Resolution: You are taken to the Access management page for the service instance.
     
  • Issue: In some situations, when you open the instance details for a service instance, the page is either partially displayed or you see the following error:

    Error Internal Server Error

    Resolution: The instance details are displayed.
     
  • Issue: When you use the Volumes API to add a file (PUT /v1/volumes/files/{file_path}), the API returns a success message but the file isn't available yet. It takes another 15 - 40 seconds for the file to be available.

    Resolution: The success message isn't returned until the file is available.

     
  • Issue: When you use the Volumes API to add a file (PUT /v1/volumes/files/{file_path}) and the command includes the extract=true parameter, existing files with the same name are not overwritten and are corrupted. 

    Resolution: Existing files are overwritten by the updated files.
     
  • Issue: Users are able to access the file index for a Cloud Pak for Data deployment.

    Resolution: If a user tries to access the file index, they see the following error:

    403 Forbidden

     
This patch includes fixes for the following security issues:
  • The following security issue is fixed by removing the swagger-ui-bundle package:
    • CVE-2019-17495
Instructions
  1. Run the following command to delete your existing cronjobs:
     
    oc delete cronjobs \
    watchdog-alert-monitoring-cronjob \
    watchdog-alert-monitoring-purge-cronjob \
    zen-watchdog-cronjob \
    diagnostics-cronjob
  2. Apply the patch. For details, see Applying patches.
     
  3. If you use the Volumes API and encountered the file corruption issue, stop and restart the affected file servers on the volumes for the fix to take effect.
     
  4. Applying this patch automatically disables the LDAP synchronization job to resolve the performance issue described in cpd-3.5.2-lite-patch-1. If you need to re-enable the LDAP synchronization job after you apply this patch, run the following command from the oc command-line interface:
     
    oc patch cj usermgmt-ldap-sync-cron-job --patch '{"spec": {"suspend": false}}'
cpd-3.5.2-lite-patch-2
Patch name cpd-3.5.2-lite-patch-2
Released on 08 March 2021
Service assembly lite
Applies to service version 3.5.2
Applies to platform version Cloud Pak for Data 3.5
Patch type Cumulative
Description
This patch includes fixes for the following issues:
  • Issue: If you try to create a project with a name that is already in use, the creation fails and the error message doesn't provide sufficient information.

    Resolution: When you create a project, you are prevented from using a name that you have already used. In addition, the system checks other users' projects to determine whether the name is already in use. If the name is already in use, the system returns the following error:
     
    The project {your-project-name} cannot be created. A project with the same name already exists.
  • Issue: On the Projects page, a maximum of 100 data quality projects are displayed.

    Resolution: The system now returns all of the data quality projects.
     
  • Issue: If you use an Oracle LDAP server, the pagination on LDAP search results does not work well if the result set from the LDAP server is less than the requested page size. 

    Resolution: The system no longer specifies a page size for LDAP search results.
     
  • Issue: The cronjobs that support platform management and monitoring do not run as expected after upgrades or cluster downtime.

    Resolution: The cronjobs can successfully run after upgrades or cluster downtime.
     
  • Issue: The database where platform monitoring data is stored is overloaded and causes performance issues.

    Resolution: Monitoring data is collected less frequently. The database also has additional indices to improve performance.
     
  • Issue: The Platform management page does not show the count of pending or critical environment runtimes.

    Resolution: The Platform management page now shows this data.
This patch includes fixes for the following security issues:
  • The following issues are fixed by upgrading the embedded OpenSSL package to Version 1.1.1j:
    • CVE-2021-23841
    • CVE-2021-23840
    • CVE-2021-23839
    • CVE-2020-8287
    • CVE-2020-8265
    • CVE-2020-1971
       
  • The following issues are fixed by upgrading npm package manager software to Version 6.14.10:
    • CVE-2020-8277
       
  • The following security issues are fixed by updating Golang to Version 1.15.6:
    • CVE-2021-3115
    • CVE-2020-28367
    • CVE-2020-28366
    • CVE-2020-28362
       
  • The following security issue is fixed by upgrading the immer package to Version 8.0.1:
    • CVE-2020-28477
       
  • Removed the swagger-codegen-cli.jar file to get rid of the jackson-databind package, which was causing multiple security vulnerabilities in the zen-data-sorcerer pod.
Instructions
  1. Run the following command to delete your existing cronjobs:
     
    oc delete cronjobs \
    watchdog-alert-monitoring-cronjob \
    watchdog-alert-monitoring-purge-cronjob \
    zen-watchdog-cronjob \
    diagnostics-cronjob
  2. Apply the patch. For details, see Applying patches.
     
  3. Applying this patch automatically disables the LDAP synchronization job to resolve the performance issue described in cpd-3.5.2-lite-patch-1. If you need to re-enable the LDAP synchronization job after you apply this patch, run the following command from the oc command-line interface:
     
    oc patch cj usermgmt-ldap-sync-cron-job --patch '{"spec": {"suspend": false}}'
cpd-3.5.2-lite-patch-1
Patch name cpd-3.5.2-lite-patch-1
Released on 1 February 2021
Service assembly lite
Applies to service version 3.5.2
Applies to platform version Cloud Pak for Data 3.5
Patch type Cumulative
Description
This patch includes a fix for the following issue:
  • Issue: Several PEM and KEY files, which are used for testing, are flagged during security scans. The scans indicate that the files are sensitive data. (The files are innocuous and do not cause any security issues in production environments.)

    Resolution: The PEM and KEY files have been removed from the software.
  • Issue: The LDAP synchronization job syncs all users from LDAP groups when the job runs. However, this behavior causes too much overhead for Cloud Pak for Data instances that have large LDAP groups.

    Resolution: When you install this patch, the LDAP synchronization job is disabled. Instead, the platform syncs each user's data when the user logs in to Cloud Pak for Data:
    • The first time that a user logs in to Cloud Pak for Data, the platform creates a user profile and assigns the user to the correct user groups based on their LDAP group membership.
    • If the user has logged in before, the platform updates the user group membership based on their LDAP group membership.
    If you need to re-enable the LDAP synchronization job after you apply this patch, run the following command from the oc command-line interface:

    oc patch cj usermgmt-ldap-sync-cron-job --patch '{"spec": {"suspend": false}}'

    To disable the LDAP synchronization job, run the following command from the oc command-line interface:

    oc patch cj usermgmt-ldap-sync-cron-job --patch '{"spec": {"suspend": true}}'
Instructions See Applying patches.
3.5.1 patches
The patches in this section apply only if you have installed the 3.5.1 version of the Cloud Pak for Data control plane.
cpd-3.5.1-lite-patch-2
Patch name cpd-3.5.1-lite-patch-2
Released on 22 Jan 2021
Service assembly lite
Assembly version 3.5.1
Applies to platform version Cloud Pak for Data 3.5
Patch type Cumulative
Description
This patch includes a fix for the following issue:
  • Issue: The LDAP synchronization job syncs all users from LDAP groups when the job runs. However, this behavior causes too much overhead for Cloud Pak for Data instances that have large LDAP groups.
  • Resolution: When you install this patch, the LDAP synchronization job is disabled. Instead, the platform syncs each user's data when the user logs in to Cloud Pak for Data:
    • The first time that a user logs in to Cloud Pak for Data, the platform creates a user profile and assigns the user to the correct user groups based on their LDAP group membership.
    • If the user has logged in before, the platform updates the user group membership based on their LDAP group membership.
    If you need to re-enable the LDAP synchronization job after you apply this patch, run the following command from the oc command-line interface:

    oc patch cj usermgmt-ldap-sync-cron-job --patch '{"spec": {"suspend": false}}'

    To disable the LDAP synchronization job, run the following command from the oc command-line interface:

    oc patch cj usermgmt-ldap-sync-cron-job --patch '{"spec": {"suspend": true}}'
Instructions See Applying patches.
cpd-3.5.1-lite-patch-1
Patch name cpd-3.5.1-lite-patch-1
Released on 8 January 2021
Service assembly lite
Assembly version 3.5.1
Applies to platform version Cloud Pak for Data 3.5
Patch type Cumulative
Description
This patch includes fixes for the following issues:
 
  • Issue: The LDAP synchronization job failed when a user's name, email, or ID included an apostrophe.

    Resolution: The LDAP synchronization jobs can handle names, emails, and IDs with apostrophes. 
     
  • Issue: (For clusters with Watson Knowledge Catalog installed.) If a user is assigned roles and permissions through a group, Watson Knowledge Catalog could not retrieve the roles and permissions from the group because the roles and groups were not specified in the default user profile data.

    Resolution: The roles and permissions from the group are included in the default user profile data.
Instructions See Applying patches.
Cloud Pak for Data 3.0.1 patches
cpd-3.0.1-lite-patch-7
Patch name cpd-3.0.1-lite-patch-7
Released on 03 February 2021
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type Cumulative
Description
This patch includes the following new features:
  • Access vCPU and memory use through APIs
    With this patch, you can use the Usage API to view the vCPU and memory data.

    To access the Usage API, use the following URL:
    <Cloud_Pak_for_Data_route>/zen-watchdog/v2/resources/usage?from=<time_since>&to=<time_to>

    To use the Usage API to download a CSV that contains the data, use the following URL:
    <Cloud_Pak_for_Data_route>/zen-watchdog/v2/resources/usage/download?from=<time_since>&to=<time_to>

    Use the ISO 8601 (YYYY-MM-DDThh:mm:ssZ) format for the query parameters. For example:
    2021-01-11T13:50:00Z
This patch includes fixes for the following issues:
 
  • Issue: When you add multiple users to a service instance at the same time, you encounter an error.

    Resolution: You can add multiple users to the instance without an error.
This patch includes fixes for the following security issues:
 
  • A Cross Site Request Forgery vulnerability was fixed by adding the samesite: lax tag to Cloud Pak for Data cookies.
     
  • The following issues are fixed by upgrading the embedded OpenSSL package to Version 1.1.1i:
    • CVE-2020-1971
    • CVE-2020-1968
       
  • The following issues are fixed by upgrading the npm package manager software to Version 6.14.8:
    • CVE-2020-8252
    • CVE-2020-8251
    • CVE-2020-8237
    • CVE-2020-8201
    • CVE-2020-8158
       
  • The following security issue is fixed by upgrading Python to Version 3.8.5:
    • CVE-2020-15801
       
  • The following security issue is fixed by rebuilding the affected images so that they can include the fix made in Red Hat Enterprise Linux 8:
    • CVE-2020-1751
Instructions See Applying patches.
cpd-3.0.1-lite-patch-6
Patch name cpd-3.0.1-lite-patch-6
Released on 10 September 2020
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type
Cumulative.
Description
This patch includes fixes for the following issues:
 
  • Some images in the lite assembly have files with SGID permissions in the scripts directory. This enables the owner of the file to run the file with either their own permissions or the group's permissions, even if the owner is not a member of the group.

    With this fix, the SGID permissions are removed from the files in the scripts directory.
This patch includes fixes for the following security issues:
 
  • CVE-2020-15586
  • CVE-2020-14039
  • CVE-2020-16845

All of the security issues are resolved by upgrading the Go open source package to Version 1.14.7.
Instructions
cpd-3.0.1-lite-patch-5
Patch name cpd-3.0.1-lite-patch-5
Released on 20 August 2020
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type
Cumulative.
Description
This patch includes fixes for the following issues:
 
  • The zen-data-sorcerer pod restarts frequently when you are running a large workload and have 30 or more concurrent users.

    With this fix, the JDBC driver timeout was set to 10 seconds and the number of server threads was increased to 2. However, you might need to adjust the JDBC_TIMEOUT environment variable on the zen-data-sorcerer pod in the following situations:
    • If you notice that the zen-data-sorcerer pod continues to restart frequently after you apply the patch, you can decrease the driver timeout.
    • If you notice that connections are terminated too quickly, you can increase the driver timeout.
  • The names of predefined roles are displayed inconsistently when users change the language on their web browser.

    With this fix, the predefined roles are always displayed in English. Custom roles are not impacted. 
     
  • Users with only the Manage users permission were able to grant themselves and other users additional administrative privileges. 

    With this fix, users with only the Manage users permission or only the Configure authentication permission can no longer create, edit, or delete users or roles with granular administrative permissions in the Cloud Pak for Data administration category. Only a user with Administer platform permission can manage administrative roles and users.
     
  • (For clusters with service instances provisioned.) An administrator with only the Monitor platform permission cannot see all of the service instances on the platform.

    With this fix, an administrator with only the Monitor platform permission can see all of the service instances on the platform.
     
  • (For clusters with Watson Knowledge Catalog installed.) Administrators saw duplicate entries for Watson Knowledge Catalog when using the Gather diagnostics feature.

    With this fix, administrators only see one instance of Watson Knowledge Catalog.
     
  • (For clusters that upgraded to Data Virtualization 1.4.1.) After you upgrade to Data Virtualization 1.4.1, you cannot create custom JDBC connections. If you try to use a custom connection type to create a connection, you see the following error:

    Unable to retrieve Data Virtualization service ID.

    With this fix, you can use custom connection types with Data Virtualization 1.4.1.
     
  • (For Cloud Pak for Data System environments.) Users that were created in the Cloud Pak for Data System console cannot be deleted from the Cloud Pak for Data Manage users page even if they are deleted from the Cloud Pak for Data System console.

    With this fix, users who are created in the Cloud Pak for Data System console can be deleted from the Cloud Pak for Data Manage users page if the following conditions are met:
    • The user record is first deleted from the Cloud Pak for Data System console.
    • The user to be deleted has logged into the Cloud Pak for Data client.
       
  • (For Cloud Pak for Data System environments.) Cloud Pak for Data administrators cannot assign or edit roles for users created in the Cloud Pak for Data System console.

    With this fix, the Cloud Pak for Data administrator can manage the permissions for Cloud Pak for Data System users after the users log in to the Cloud Pak for Data client.
This patch includes fixes for the following security issues:
 
  • CVE-2020-8172
  • CVE-2020-8174
  • CVE-2020-8203
  • CVE-2020-11080
  • CVE-2020-15095

All of the security issues are resolved by upgrading the npm package manager software to Version 6.14.6.
Instructions
cpd-3.0.1-lite-patch-4
Patch name cpd-3.0.1-lite-patch-4
Released on 12 August 2020
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type
Cumulative.
Description
This patch includes fixes for the following issues:
  • Users who are administrators of a service instance but are not Cloud Pak for Data administrators cannot delete the instance from the My instances page.

    Only Cloud Pak for Data administrators could delete service instances.
Instructions
cpd-3.0.1-lite-patch-3
Patch name cpd-3.0.1-lite-patch-3
Released on 31 July 2020
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type
Cumulative.
Description
This patch includes the following fixes:
  • Include support for BASIC AUTH input for the preauth/validateAuth API call.
The patch is needed only on IBM Cloud Pak for Data System environments. This issue does not apply to standard IBM Cloud Pak for Data environments.
Instructions
cpd-3.0.1-lite-patch-2
Patch name cpd-3.0.1-lite-patch-2
Released on 17 July 2020
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type
Cumulative.
Description
This patch includes the following fixes:
  • The APIs do not return the bearer token in the response in some environments
Instructions
cpd-3.0.1-lite-patch-1
Patch name cpd-3.0.1-lite-patch-1
Released on 17 July 2020
Service assembly lite
Assembly version 3.0.1
Applies to platform version Cloud Pak for Data 3.0.1
Patch type
Cumulative.
Description
This patch includes the following fixes:
  • The admin user cannot edit connections that were created by other users
  • Members of the Administrator role cannot edit connections created by other administrators.
Instructions
Cloud Pak for Data 2.5.0 patches
cpd-2.5.0.0-lite-patch-6
Patch name cpd-2.5.0.0-lite-patch-6
Released on 09 November 2020
Service assembly lite
Assembly version v2.5.0.0
Applies to platform version Cloud Pak for Data 2.5.0.0
Patch type
Cumulative.
Description
This patch includes fixes for the following issues:
 
  • The Manage platform page showed potentially incorrect pod resource use information if the requests or limits defined for the pod included fractional values. With this fix, the page should now show consistent aggregate pod resource usage.
     
  • The Gather diagnostics page limited the number of lines in pod log files in the output. With this fix, all of the content in the pod logs is included in the output.
     
  • Users without administrative permissions could access the diagnostic APIs. With this fix, the platform checks that the user has the appropriate permissions to access the diagnostic APIs.
This patch includes fixes for the following security issues:
 
  • The following issues are fixed by upgrading the embedded Node.js package to version 14.9.0 and the yargs-parser package to version 15.0.2:
    • CVE-2020-15095
    • CVE-2020-11080
    • CVE-2020-8174
    • CVE-2020-8172
    • CVE-2020-7608
    • CVE-2020-7607
    • CVE-2020-7606
    • CVE-2020-7605
    • CVE-2020-7604
    • CVE-2020-7603
    • CVE-2020-7602
    • CVE-2020-7601
    • CVE-2019-15606
    • CVE-2019-15605
    • CVE-2019-15604
       
  • The following issues are fixed by upgrading the embedded Go package version to 1.15.2:
    • CVE-2020-24553
    • CVE-2020-16845
    • CVE-2020-15586
    • CVE-2020-14039
       
  • The following issues are fixed by upgrading the embedded Python version to 3.8.5:
    • CVE-2020-15801
    • CVE-2019-20907
       
  • The following issues are fixed by upgrading the embedded OpenSSL package version to 1.1.1g:
    • CVE-2020-1968
Instructions
cpd-2.5.0.0-lite-patch-5
Patch name cpd-2.5.0.0-lite-patch-5
Released on 17 July 2020
Service assembly lite
Assembly version v2.5.0.0
Applies to platform version Cloud Pak for Data 2.5.0.0
Patch type
Cumulative.
Description
This patch includes the following fixes:
  • Update the get service instance v3 APIs to allow authorized users (who are not instance owners) access to:
    • The list of service instances
    • Service instance details
Instructions

Document Information

Modified date:
26 March 2021

UID

ibm16327429