IBM Support

IBM Cloud Pak System Version 2.3.0.1

Download


Release Date

27 September 2019

Abstract

This document lists the fixes contained in IBM Cloud Pak System Version 2.3.0.1.

Download Description

To download the interim fix, go to the IBM Cloud Pak System Version 2.3.0.1 product page on IBM Fix Central.

Version 2.3.0.1 includes fixes for these security vulnerabilities:

CVEID: CVE-2017-0144
DESCRIPTION: Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of requests by the SMBv1 service. By sending specially-crafted packets, an attacker could exploit this vulnerability to execute arbitrary code on the affected system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


CVEID: CVE-2018-12126
DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability that stores buffers on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-12127
DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability that fills buffers on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

 

CVEID: CVE-2018-12130
DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling (MDS) vulnerability that fills buffers on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160992 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

 

CVEID: CVE-2019-0220
DESCRIPTION: Apache HTTP Server could provide weaker than expected security, caused by URL normalization inconsistencies. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

 

CVEID: CVE-2019-2602
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159698 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

CVEID: CVE-2019-2684
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded RMI component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159776 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

 

CVEID: CVE-2019-2762
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163826 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

 

CVEID: CVE-2019-2766
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163829 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

 

CVEID: CVE-2019-2769
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

 

CVEID: CVE-2019-2786
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base Score: 3.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163849 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)

 

CVEID: CVE-2019-2816
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

 

CVEID: CVE-2019-4096
DESCRIPTION: IBM Cloud Pak System uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158018 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

 

CVEID: CVE-2019-4240
DESCRIPTION: IBM Cloud Pak System could allow an authenticated user with local access to bypass security due to the lack of input validation and obtain administrator access.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159466 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4464
DESCRIPTION: IBM Platform System Manager in Cloud Pak System can allow a local user to obtain sensitive information due to System Manager web UI response showing security credentials data.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163773 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

 

CVEID: CVE-2019-4466
DESCRIPTION: IBM Platform System Manager in Cloud Pak System could allow a local user to obtain highly sensitive information stored in JS files.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

 

CVEID: CVE-2019-4473
DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

CVEID: CVE-2019-7317
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in the png_image_free function in the libpng library. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

 

CVEID: CVE-2019-11091
DESCRIPTION: Intel Microprocessor could allow a local authenticated attacker to obtain sensitive information, caused by a Microarchitectural Data Sampling Uncacheable Memory (MDSUM) vulnerability that allows uncacheable memory on some microprocessors utilizing speculative execution. An attacker could exploit this vulnerability using a side-channel attack to obtain data that is being processed in the CPU by other apps. Note: This is called the Zombieload attack.
CVSS Base Score: 3.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160993 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

 

CVEID: CVE-2019-11771
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

CVEID: CVE-2019-11772
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write in the String.getBytes method. An attacker could exploit this vulnerability to corrupt memory and write to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163990 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11775
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by an error where the loop versioner fails to privatize a value that is pulled out of the loop by versioning. An attacker could exploit this vulnerability to corrupt memory and trigger an out-of-array-bounds and perform invalid actions.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/164479 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The above CVE list does not include records for Db2 or WebSphere Application Server (WAS). For this information, see https://www-01.ibm.com/support/docview.wss?uid=swg21647054

The following tables contain the Authorized Program Analysis Reports (APARs) and other fixes that are included in this release. If an integrated pattern or component is not listed, there were no fixes for that pattern or component in this version. The upgrade recommendation is to move directly to V2.3.0.1.

IBM Cloud Pak System APARs

APAR APAR description
IT23333 Compute node log collection set incomplete in IBM Cloud Pak System.
IT23361 IM fix is uninstalled because the UI does not show it as installed.
IT23472 CWZIP8810W The canister X in enclosure Y on storage node <id> has changed to the degraded state.
IT24294 Log collection for storage nodes is incomplete.
IT24393 Comprehensive solution for Pattern Editor to show multiple repeated versions for addons.
IT24541 Native VLAN changed in the GUI unexpectedly.
IT24625 Missing Pattern Instance navigator view in IBM Cloud Pak System's built-in TEPS.
IT24694 Make Cloud Pak System more tolerant of rapid VM state transitions.
IT24774 CMM-77777701: Node message: System board, (Host Power) power off.
IT24908 iFixes are not listed as installed.
IT24934 Unable to set vCPU with any integer value between 1 to 32 for vSys.next pattern deployments.
IT25123 When trying to collect storage logs, the status shows 'Unavailable'.
IT25356 Volume details are missing from IBM Cloud Pak System console.
IT25425 Call home from an event does not create a problem and a call home is not generated.
IT26079 Error ID = 20002: A Managed Disk group is offline on Storage Node.
IT26240 Procedure to track backup operation for system backup1 has failed.
IT26346 CWZIP8760E CWZIP9768E CWZIP1225E for block VMFS volumes in Cloud Pak System.
IT26250 Incomplete reporting on Volume Report.
IT26731 IBM Cloud Pak System CWZIP1123 switch interface is down.
IT26833 The replication IPs of Management Port and Replication Port are in the Unavailable state.
IT27189 Access VM information requires "View users" role.
IT27446 Block Storage icon hangs after refresh.
IT27512 Deployment fails with IIB V10.0.0.13 and DB2 V11.1 on single VM.
IT27722 Call Home PMR is not generated for Faulty Power Supply.
IT27785 WebSphere Fix pack V8.5.5.13 runs into an error.
IT27811 CWZIP1889W and CWZIP6035E for compute node SN#J11VCNL Events did not call home.
IT27826 CWZIP9548E Return from IWD on backup with status java.lang.Exception: IPAS Job 2 of 3 failed with reason: Blocking job wait threshold exceeded waiting on create.
IT28027 ITM cannot monitor all servers if the host names are duplicate.
IT28049 VMs deployed through software do not have a proper setup for snapshot management.
IT28260 Service49 and Service78 failed offline.
IT28299 Locked plugin in a pattern does not seem to work.
IT28416 Automatic reverse of GPFS server instance ends in binaries /usr/lpp/mmfs/ removed.
IT28497 Compute node is in quiesced state with error - CWZIP1200E Unable to communicate with the virtual management software using IP address.
IT28524 Health check needs to show the list of APARs applied on IBM Cloud Pak System.
IT28572 Error seen during deployment CWZKS0151E: GET failed for the URL.
IT28673 REST API call to get VLAN list.
IT28679 Not able to create External Application Access.
IT28821 Unable to create External Application Access Settings.
IT28854 Service60 is down again on one IBM Cloud Pak System.
IT28980 CWZIP1185E A Java system dump was generated for process: ipas.async.
IT29029 I/O statistics are wrong on workload environment.
IT29071 Timezone is not set and still in UTC, in remote VM by multi-rack deployment.
IT29108 VMware tool time sync is still enabled in VMs deployed by virtual images where it is disabled.
IT29251 Strong passwords for internal user IDs on IBM Cloud Pak System.
IT29315 Browser hangs while adding new multi rack environment profiles to existing shared service instances.
IT29542 Migrating from Linux Satellite 5 to 6 Satellite 5 gets connection every minute and per VM.
IT29550 CWZIP1110 Failure writing to the internal management database.
IT29817 Satellite Server 6.4 fails during deployment.
IT29825 Request-URI is too large after selecting deployments in chargeback.
IT29828 CWZIP3529E - Fix pervasive problems with Call Home.
IT29866 Updating a running VSys instance results in error.
IT30027 Ability to add description while creating IPgroups through the CLI.


Problems (APARS) fixed
IT23333; IT23361; IT23472; IT24294; IT24393; IT24541; IT24625; IT24694; IT24774; IT24908; IT24934; IT25123; IT25356; IT25425; IT26079; IT26240; IT26346; IT26250; IT26731; IT26833; IT27189; IT27446; IT27512; IT27722; IT27785; IT27811; IT27826; IT28027; IT28049; IT28260; IT28299; IT28416; IT28497; IT28524; IT28572; IT28673; IT28679; IT28821; IT28854; IT28980; IT29029; IT29071; IT29108; IT29251; IT29315; IT29542; IT29550; IT29817; IT29825; IT29828; IT29866; IT30027

Document Information

Modified date:
06 May 2020

UID

ibm10887621