IBM Support

IBM Cloud Pak System Version 2.3.6

Download


Abstract

This document lists the fixes contained in IBM Cloud Pak® System Version 2.3.6.

Download Description

To download Version 2.3.6, go to the IBM Cloud Pak System product page on IBM Fix Central.


Security vulnerabilities

IBM Cloud Pak System Version 2.3.6 includes fixes for these security vulnerabilities:

| Relevant vulnerabilities | Summary | Security Bulletin URL |
| --- | --- | --- |
| CVE-2024-45296, CVE-2024-39249, CVE-2020-11023, CVE-2019-11358, CVE-2020-11022, CVE-2024-5569 | Multiple vulnerabilities in IBM Storage Scale | https://www.ibm.com/support/pages/node/7237138 |
| CVE-2020-5258, CVE-2025-2895, CVE-2023-38006 | IBM Cloud Pak System Prototype Pollution dojo deepCopy, HTML Injection, cross-site scripting | https://www.ibm.com/support/pages/node/7237164 |
| CVE-2024-39573 | Potential SSRF in mod_rewrite in Apache HTTP Server | https://www.ibm.com/support/pages/node/7237420 |
| CVE-2024-38473 | Apache HTTP Server proxy - Improper Encoding or Escaping of Output (CWE-116) | https://www.ibm.com/support/pages/node/7237420 |
| CVE-2023-38709 | Apache HTTP Server HTTP response splitting attacks | https://www.ibm.com/support/pages/node/7237420 |
| CVE-2024-38476 | Apache HTTP Server information disclosure, SSRF or local script execution | https://www.ibm.com/support/pages/node/7237420 |
| CVE-2024-21538 | cross-spawn Regular Expression Denial of Service (ReDoS) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-45590 | Node.js body-parsing denial of service | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2025-30223 | Beego Cross-site Scripting | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2025-32997, CVE-2025-32996 | Improper Check for Unusual or Exceptional Conditions (CWE-754); Always-Incorrect Control Flow Implementation (CWE-670) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-21536 | http-proxy-middleware Denial of Service | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-21536 | Axios Node.js Cross-site Scripting (XSS) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2025-27152 | Axios Server-Side Request Forgery (SSRF) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-55885 | beego Use of a Broken or Risky Cryptographic Algorithm (CWE-327) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-45296 | path-to-regexp denial of service | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2025-22869 | SSH servers that implement file transfer protocols Denial-of-service (DoS) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-52798 | path-to-regexp backtracking (ReDoS) | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2024-45337 | x/crypto/ssh Go authorization bypass | https://www.ibm.com/support/pages/node/7237418 |
| CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | TOCTOU (Time-of-Check Time-of-Use), arbitrary write, information disclosure in VMware ESXi | https://www.ibm.com/support/pages/node/7185269 |
| CVE-2025-48734 | Apache Commons BeanUtils Improper Access Control | https://www.ibm.com/support/pages/node/7240238 |
| CVE-2025-41225 | VMware vCenter authenticated command-execution | https://www.ibm.com/support/pages/node/7240236 |
| CVE-2025-3357, CVE-2025-30065, CVE-2024-7254, CVE-2024-49350 | IBM Tivoli Monitoring code execution and DB2 vulnerabilities | https://www.ibm.com/support/pages/node/7240254 |
| CVE-2024-24786 | Denial of service in protobuf for Go | https://www.ibm.com/support/pages/node/7245075 |
| CVE-2024-12801, CVE-2024-12798 | Due to use of QOS.CH logback, IBM Cloud Pak System is affected by server-side request forgery and arbitrary code execution | https://www.ibm.com/support/pages/node/7246870 |

For more information about IBM Product Security articles, see these links:


IBM Cloud Pak System problem fixes

The following table contains the problem fixes that are included in this release.

Optional: If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version. The upgrade recommendation is to move directly to 2.3.6.

IBM Cloud Pak System APARs

| Document | Description |
| --- | --- |
| DT422421 | Clients are not able to create two block storage volumes with exactly the same name from the Cloud > Volumes menu. |
| DT395685 | Clients face issues uploading very large log files (>2 GB) from the Cloud Pak System application to ECuRep. |
| DT423200 | On a Cloud Pak System W4600 MT 9568, when a Small Form-factor Pluggable (SFP) transceiver on the Storage Area Network (SAN) switch has RX or TX power values below -7, which is an optimal value for a working SFP, no visible event or alert appears on the Cloud Pak System Events indicating the port failure. |
| DT398520 | The Cloud Pak System V2.3.4.0 deployments fail after Cloud Pak System firmware is upgraded to V2.3.4.0: json": { "errorMessage": "CWZKS0413E: Failed to send wait for SH distribution command CWZKS7602E: No data available from: ___.Status code: 404.", "errorStatusCode": 500, |
| DT423098 | On a Cloud Pak System W4600 MT 9568, when a port on the Top of Rack (TOR) Ethernet switch MT 9568 is down, no event or alert indicating the port failure appears on the Cloud Pak System Events. |
| DT423082 | On a Cloud Pak System W4600 MT 9568, when a Platform System Manager (PSM) failover occurs, some compute nodes may briefly appear in an unlicensed state. If a housekeeping job monitoring the system health is triggered before the compute node status is updated, it may mistakenly attempt to reinitialize the nodes, affecting the workloads hosted on those compute nodes. |
| DT422447 | Clients reported that, because of the Cloud Pak System GPFS wrappers, the end user was not able to collect the GPFS snap logs of all nodes in one command. There was an issue with scp of the log files. |
| DT392284 | Backup on the rack failed by blocking charge-back job |
| DT433222 | Instance Console Banner and Footer value should be displayed |
| DT434636 | Cleanup of ImageIndexExtension and ScriptPkgIndexExtension |
| DT439109 | Unable to deploy custom script packages with scriptkey *password* since last Python3 firmware update |
| DT435862 | Deployment of the "Default DB2 OLTP Pattern for Linux" with an additional OLTP script package fails when using the same user across different databases, resulting in the error: TypeError: cannot use a string pattern on a bytes-like object. Custom script packages containing the scriptkey "password" in the cbscript.json file are failing due to scrambled password values. |
| DT438841 | Var/log directory full. This was found while troubleshooting service 60 issue. /var/logs is at 100%. |
| DT421923 | Service55 was stuck_online on the rack, causing an outage. |


Problems (APARS) fixed
DT422421; DT395685; DT423200; DT398520; DT423098; DT423082; DT422447; DT392284; DT433222; DT434636; DT439109; DT435862; DT438841; DT421923

Document Information

Modified date: 10 November 2025

UID: ibm17229885