Download
Release Date
27 September 2019
Abstract
This document lists the fixes contained in IBM Cloud Pak System Version 2.3.0.1.
Download Description
To download the interim fix, go to the IBM Cloud Pak System Version 2.3.0.1 product page on IBM Fix Central.
Version 2.3.0.1 includes fixes for these security vulnerabilities:
CVEID: CVE-2017-0144
DESCRIPTION: Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of requests by the SMBv1 service. By sending specially-crafted packets, an attacker could exploit this vulnerability to execute arbitrary code on the affected system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2018-12126
DESCRIPTION: Intel microprocessors could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability affecting the store buffers of some microprocessors that use speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other applications. Note: This is called the ZombieLoad attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2018-12127
DESCRIPTION: Intel microprocessors could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability affecting the fill buffers of some microprocessors that use speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other applications. Note: This is called the ZombieLoad attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2018-12130
DESCRIPTION: Intel microprocessors could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability affecting the fill buffers of some microprocessors that use speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other applications. Note: This is called the ZombieLoad attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160992 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2019-0220
DESCRIPTION: Apache HTTP Server could provide weaker than expected security, caused by URL normalization inconsistencies. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2019-2602
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159698 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-2684
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded RMI component could allow an unauthenticated attacker to cause a high integrity impact, with no confidentiality or availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159776 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2019-2762
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163826 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2766
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163829 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-2769
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2786
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)
CVEID: CVE-2019-2816
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause a low confidentiality impact and a low integrity impact, with no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2019-4096
DESCRIPTION: IBM Cloud Pak System uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158018 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2019-4240
DESCRIPTION: IBM Cloud Pak System could allow an authenticated user with local access to bypass security due to the lack of input validation and obtain administrator access.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159466 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-4464
DESCRIPTION: IBM Platform System Manager in Cloud Pak System could allow a local user to obtain sensitive information because the System Manager web UI response exposes security credential data.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163773 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2019-4466
DESCRIPTION: IBM Platform System Manager in Cloud Pak System could allow a local user to obtain highly sensitive information stored in JS files.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2019-4473
DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-7317
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in the png_image_free function in the libpng library. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-11091
DESCRIPTION: Intel microprocessors could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling Uncacheable Memory (MDSUM) vulnerability affecting uncacheable memory on some microprocessors that use speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other applications. Note: This is called the ZombieLoad attack.
CVSS Base Score: 3.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160993 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
CVEID: CVE-2019-11771
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHs in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11772
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write in the String.getBytes method. An attacker could exploit this vulnerability to corrupt memory and write to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-11775
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an error where the loop versioner fails to privatize a value that is pulled out of the loop by versioning. An attacker could exploit this vulnerability to corrupt memory, trigger an out-of-bounds array access and perform invalid actions.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164479 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The above CVE list does not include records for Db2 or WebSphere Application Server (WAS). For this information, see https://www-01.ibm.com/support/docview.wss?uid=swg21647054.
The following tables contain the Authorized Program Analysis Reports (APARs) and other fixes that are included in this release. If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version. The upgrade recommendation is to move directly to V2.3.0.1.
IBM Cloud Pak System APARs
APAR | APAR description
IT23333 | Compute node log collection set incomplete in IBM Cloud Pak System.
IT23361 | IM fix is uninstalled because the UI does not show it as installed.
IT23472 | CWZIP8810W The canister X in enclosure Y on storage node <id> has changed to the degraded state.
IT24294 | Log collection for storage nodes is incomplete.
IT24393 | Comprehensive solution for Pattern Editor to show multiple repeated versions for addons.
IT24541 | Native VLAN changed in the GUI unexpectedly.
IT24625 | Missing Pattern Instance navigator view in IBM Cloud Pak System's built-in TEPS.
IT24694 | Make Cloud Pak System more tolerant of rapid VM state transitions.
IT24774 | CMM-77777701: Node message: System board, (Host Power) power off.
IT24908 | iFixes are not listed as installed.
IT24934 | Unable to set vCPU to any integer value between 1 and 32 for vSys.next pattern deployments.
IT25123 | When trying to collect storage logs, the status shows 'Unavailable'.
IT25356 | Volume details are missing from IBM Cloud Pak System console.
IT25425 | Call home from an event does not create a problem and a call home is not generated.
IT26079 | Error ID = 20002: A Managed Disk group is offline on Storage Node.
IT26240 | Procedure to track backup operation for system backup1 has failed.
IT26346 | CWZIP8760E CWZIP9768E CWZIP1225E for block VMFS volumes in Cloud Pak System.
IT26250 | Incomplete reporting on Volume Report.
IT26731 | IBM Cloud Pak System CWZIP1123 switch interface is down.
IT26833 | The replication IPs of Management Port and Replication Port are in the Unavailable state.
IT27189 | Access VM information requires "View users" role.
IT27446 | Block Storage icon hangs after refresh.
IT27512 | Deployment fails with IIB V10.0.0.13 and DB2 V11.1 on single VM.
IT27722 | Call Home PMR is not generated for Faulty Power Supply.
IT27785 | WebSphere Fix pack V8.5.5.13 runs into an error.
IT27811 | CWZIP1889W and CWZIP6035E for compute node SN#J11VCNL: events did not call home.
IT27826 | CWZIP9548E Return from IWD on backup with status java.lang.Exception: IPAS Job 2 of 3 failed with reason: Blocking job wait threshold exceeded waiting on create.
IT28027 | ITM cannot monitor all servers if the host names are duplicate.
IT28049 | VMs deployed through software do not have a proper setup for snapshot management.
IT28260 | Service49 and Service78 failed offline.
IT28299 | Locked plugin in a pattern does not seem to work.
IT28416 | Automatic reverse of GPFS server instance ends in binaries /usr/lpp/mmfs/ removed.
IT28497 | Compute node is in quiesced state with error - CWZIP1200E Unable to communicate with the virtual management software using IP address.
IT28524 | Health check needs to show the list of APARs applied on IBM Cloud Pak System.
IT28572 | Error seen during deployment CWZKS0151E: GET failed for the URL.
IT28673 | REST API call to get VLAN list.
IT28679 | Not able to create External Application Access.
IT28821 | Unable to create External Application Access Settings.
IT28854 | Service60 is down again on one IBM Cloud Pak System.
IT28980 | CWZIP1185E A Java system dump was generated for process: ipas.async.
IT29029 | I/O statistics are wrong on workload environment.
IT29071 | Timezone is not set and still in UTC, in remote VM by multi-rack deployment.
IT29108 | VMware tool time sync is still enabled in VMs deployed by virtual images where it is disabled.
IT29251 | Strong passwords for internal user IDs on IBM Cloud Pak System.
IT29315 | Browser hangs while adding new multi rack environment profiles to existing shared service instances.
IT29542 | Migrating from Linux Satellite 5 to 6: Satellite 5 gets a connection every minute and per VM.
IT29550 | CWZIP1110 Failure writing to the internal management database.
IT29817 | Satellite Server 6.4 fails during deployment.
IT29825 | Request-URI is too large after selecting deployments in chargeback.
IT29828 | CWZIP3529E - Fix pervasive problems with Call Home.
IT29866 | Updating a running VSys instance results in error.
IT30027 | Ability to add description while creating IPgroups through the CLI.
Document Information
Modified date: 06 May 2020
UID: ibm10887621