IBM® Sterling Connect:Direct




Date: 22.03.2020
High Impact: Y

Reported Severity: 2
4.6.0.5_iFix007: RTC453745 / APAR IT07026 / CVE-2014-3065

Description of Issue: There is a vulnerability in IBM Runtime Environment Java Technology Edition, Version 7 that is used by IBM Sterling Connect:Direct for Microsoft Windows. The issue was disclosed as part of the IBM Java SDK updates in October 2014.

Description of Fix: Updated the IBM Runtime Environment Java and moved its location to a new ibm_jre folder due to changes in the installer.

Fix Availability Date: 19 March 2015

High Impact: Y

Reported Severity: 2
4.6.0.5_iFix008: RTC457187 / APAR IT07984

Description of Issue: Concurrent Session High Water Mark

Description of Fix: The Concurrent Sessions High Water Mark count is the maximum number of sessions running concurrently. This is information only and requires no action. It is logged each day at midnight local time and at system shutdown in the SCNT record in statistics. A new LCNT001I message was introduced to provide visibility to the user: Concurrent Sessions High Water Mark count of &MAX occurred at &TIME.

Fix Availability Date: 26 March 2015

High Impact: N

Reported Severity: 5
4.6.0.5_iFix009: RTC462331 / APAR IT08247 / CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293

Description of Issue: Several vulnerabilities were reported in OpenSSL. Sterling Connect:Direct for Microsoft Windows uses OpenSSL and is therefore also vulnerable.

Description of Fix: Updated OpenSSL to version 1.0.1m.

Fix Availability Date: 13 April 2015

High Impact: Y

Reported Severity: 2
4.6.0.5_iFix010: RTC462325 / APAR IT08243 / CVE-2015-2808, CVE-2011-3389

Description of Issue: CBC ciphers are vulnerable to CVE-2011-3389 (BEAST Attack). Previous recommendation to mitigate CVE-2011-3389 was to not use CBC ciphers. RC4 ciphers are vulnerable to CVE-2015-2808 (Bar Mitzvah Attack). Current recommendation to mitigate CVE-2015-2808 is to discontinue use of RC4 ciphers. However, the remaining available ciphers are generally CBC ciphers.

Description of Fix: Fixed code to mitigate CVE-2011-3389 (BEAST Attack).

Recommendation: Sterling Connect:Direct for Microsoft Windows disables the RC4 stream cipher by default. If you enabled the RC4 stream cipher, you are exposed to the RC4 “Bar Mitzvah” Attack for SSL/TLS. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Fix Availability Date: 14 April 2015

High Impact: Y

Reported Severity: 2
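
An inventory check for the cipher situation described in iFix010, as an added example that is not IBM's code: it classifies cipher suite names as RC4 (CVE-2015-2808) or CBC, and reports CBC only under SSLv3/TLS 1.0, the protocol versions to which BEAST (CVE-2011-3389) applies. The inventory format, the node names and the rule that any suite not marked RC4, GCM, CCM, ChaCha20 or NULL is treated as CBC are assumptions of this example.

```python
import re

# Protocol versions where CBC suites chain the IV between records (BEAST applies).
BEAST_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}
# Tokens that mark a suite as something other than a CBC block-cipher suite.
NON_CBC = re.compile(r"GCM|CCM|CHACHA20|POLY1305|NULL", re.I)


def classify(suite: str) -> str:
    """Return 'RC4', 'CBC' or 'OTHER' for an OpenSSL- or IANA-style suite name."""
    if re.search(r"RC4", suite, re.I):
        return "RC4"
    if NON_CBC.search(suite):
        return "OTHER"
    # OpenSSL names usually omit the mode for CBC suites (AES128-SHA), while
    # IANA names spell it out (TLS_RSA_WITH_AES_128_CBC_SHA). Anything left
    # over is treated as CBC, which errs on the side of reporting (assumption).
    return "CBC"


def audit(inventory):
    """inventory: iterable of (node, protocol, suite); returns (node, suite, cve)."""
    findings = []
    for node, protocol, suite in inventory:
        kind = classify(suite)
        if kind == "RC4":
            # RC4 is weak regardless of protocol version.
            findings.append((node, suite, "CVE-2015-2808"))
        elif kind == "CBC" and protocol in BEAST_PROTOCOLS:
            findings.append((node, suite, "CVE-2011-3389"))
    return findings


# Constructed sample inventory (hypothetical node names, not from the fix list).
SAMPLE = [
    ("node-a", "TLSv1", "RC4-SHA"),
    ("node-a", "TLSv1", "AES128-SHA"),
    ("node-b", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("node-b", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("node-c", "SSLv3", "DES-CBC3-SHA"),
    ("node-c", "TLSv1.2", "TLS_RSA_WITH_RC4_128_MD5"),
]

if __name__ == "__main__":
    for node, suite, cve in audit(SAMPLE):
        print(f"{node}: {suite} -> {cve}")
```

A CBC finding on a node that already carries the iFix010 mitigation still matters for peers and other components in the environment that do not.
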
4.6.0.5_iFix011: RTC468875 / APAR IT09460

Description of Issue: Sterling Control Center and the Application Interface for Java (AIJ) fail to update Secure+ configurations after applying 4.6.0.5_iFix007.

Description of Fix: Updated the path to the JRE in the CMGR to point to the new JRE installation directory.

Fix Availability Date: 15 June 2015

High Impact: N

Reported Severity: 2
4.6.0.5_iFix012: RTC469607 / APAR IT09707

Description of Issue: lcu.bat stopped working after applying 4.6.0.5_iFix007 or later. The fix install log shows that the CD_CustomizeLCUScripts action had not been triggered:

Skipping action: CD_CustomizeLCUScripts (condition is false)

Description of Fix: Updated the condition for triggering CustomizeLCUScripts.

Workaround: Edit the lcu.bat file and update the line setting the jreDir variable:
set jreDir=%cdInstallDir%\ibm_jre\jre

Fix Availability Date: 25 June 2015

High Impact: N

Reported Severity: 3
4.6.0.5_iFix013: RTC467270 / APAR IT09724

Description of Issue: Secure+ transfers fail when Windows is sending and the negotiated buffer size (RU Size) is less than 16384 bytes.

Description of Fix: Updated the buffer size calculation.

Fix Availability Date: 26 July 2015

High Impact: N

Reported Severity: 2
4.6.0.5_iFix014: RTC472434 / APAR IT10446

Description of Issue: Process goes immediately from TIMR RE to HOLD HS on a TCP/IP timeout (LIPT011I, OS error 10060) and does not retry.

Description of Fix: Removed the condition that had triggered HOLD HS, allowing the process to retry as expected.

Fix Availability Date: 31 July 2015

High Impact: N

Reported Severity: 3
4.6.0.5_iFix015: RTC471699 / APAR IT10556

Description of Issue: Connect:Direct API commands over a secure connection fail after upgrading the JRE in Connect:Direct Browser, Sterling Control Center or another application using the Application Interface for Java (AIJ).

Description of Fix: Fixed.

Fix Availability Date: 10 August 2015

High Impact: N

Reported Severity: 2
4.6.0.5_iFix016: RTC476477 / APAR IT11054

Description of Issue: A "Run As" dialog appears during the installation of an iFix or fix pack on an older OS such as Windows XP or Server 2003. The dialog even appears during a silent installation and requires manual user interaction. Picking the wrong choice may result in the installation failing.

Note that support for Windows XP and Server 2003 has ended.

Description of Fix: Added an installer exception for older Windows platforms.

Workaround: When the dialog appears, select "Current user" and disable(!) the checkbox "Run this program with restricted access".

Fix Availability Date: 03 September 2015

High Impact: N

Reported Severity: 4
4.6.0.5_iFix017: RTC475574 / APAR IT11079

Description of Issue: High CPU utilization for CDNT.exe when using secure API connections, like from IBM Control Center or Connect:Direct Browser UI.

Description of Fix: Improved the Secure API receive functions to better detect closed connections. This prevents endless looping in the code added in 4.6.0.5_iFix015.

Fix Availability Date: 04 September 2015

High Impact: Y

Reported Severity: 2
4.6.0.5_iFix018: RTC460012 / APAR IT11122

Description of Issue: When a process fails with an exception response, like LSMG622I and SCPA024I, it is moved to the HOLD queue but with the wrong status of HS. As a side effect of this status, the process is restarted at the next node startup.

Description of Fix: Updated exception handling to correctly move the process to HOLD HE.

Fix Availability Date: 09 September 2015

High Impact: N

Reported Severity: 2
4.6.0.5_iFix019: RTC477370 / APAR IT11470

Description of Issue: Add the ability to create a configuration report from the CLI.

Description of Fix: Updated the CLI (Direct.exe) and its internal help command to support the new parameter 'cdconfig' on the traceon command. The configuration report will be written to a file named cdconfig.txt created in the same folder as the specified trace file. For example, enter the following command line in the CLI to create a configuration report in C:\Temp\cdconfig.txt:

traceon file=C:\Temp\dummy.cdt config;

Fix Availability Date: 28 September 2015

High Impact: N

Reported Severity: 5
4.6.0.5_iFix020: RTC479415 / APAR IT11985

Description of Issue: File Allocation Retry has been configured, for example to let the process retry when a remote GDG dataset is in use (retry.msgids=SDEGDGRI). Occasionally a remote node returned the retry-able msgid with a Completion Code of 16 (fatal error) instead of CC=8. In these cases the process got stuck in TIMR RE with Hold=Y and did not retry.

Description of Fix: Ensured that the hold status is set to N when a process is scheduled for a retry. This allows File Allocation Retry even for fatal error conditions.

Fix Availability Date: 03 November 2015

High Impact: N

Reported Severity: 2
4.6.0.5_iFix021: RTC485782 / APAR IT12806 / CVE-2015-3194, CVE-2015-3195

Description of Issue: Several vulnerabilities were reported in OpenSSL. Sterling Connect:Direct for Microsoft Windows uses OpenSSL and is therefore also vulnerable.

Description of Fix: Updated OpenSSL.

Fix Availability Date: 15 December 2015

High Impact: Y

Reported Severity: 2
4.6.0.5_iFix022: RTC487432 / APAR IT12990

Description of Issue: When parsing or validating a process, the parser silently truncates file names in COPY and SUBMIT statements when they are too long. It does not show any errors, allowing the process to be submitted with wrong file names.

Description of Fix: Process validation now fails and the parser returns an error, as expected.

Fix Availability Date: 13 January 2016

High Impact: N

Reported Severity: 2