Fixed reported problems

Review the list of fixed problems to see whether your reported problem was fixed in the release or within a fix pack.

There are two fix pack versions available, 3.2.1.x fix packs and 3.2.2.x fix packs.

If you apply a 3.2.2.x fix pack, do not apply an equivalent 3.2.1.x fix pack.

The latest 3.2.1.x fix pack is 3.2.1.2203. The latest 3.2.2.x fix pack is 3.2.2.2203 and upgrades Kubernetes to version 1.19.3.

The changes for fixed problems are included within the following fix packs and releases:

For more information about how to apply fixes to your cluster, see Applying fix packs to your cluster.

Note: If you want to apply, or upgrade to, a 3.2.2.x fix pack, you must first install or upgrade to the 3.2.1.2003 or a newer 3.2.1.x fix pack. After you apply the 3.2.1.2003 or newer 3.2.1.x fix pack, you can repeat the same steps and apply the 3.2.2.2006 or 3.2.2.2008 fix pack to upgrade Kubernetes to version 1.16.7. To download and upgrade to the 3.2.2.2203 fix pack from the 3.2.2.2006 or 3.2.2.2008 fix pack, follow the procedure for upgrading to IBM Cloud Private 3.2.1, but use the package and commands for upgrading to 3.2.2.2203. For more information, see Upgrading.

Reported problems that are fixed in the IBM Cloud Private 3.2.2.2203 fix pack

The fixes included within this 3.2.2.2203 fix pack include all fixes that are included within the 3.2.2.2203 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2203 fix pack. The 3.2.2.2203 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2203 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.2.2203 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2203 fix pack instead of this 3.2.2.2203 fix pack.

Review the following tables, which identify the fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.2.2203

Table: Fixed problems in fix pack 3.2.2.2203
Category Description
Installer This fix pack includes the following fixes:
- Uplift Python version to Python 3
- Remove nfnetlink library check in cluster nodes
- Update base images and Go versions to address security-related vulnerabilities
Audit Logging This fix pack includes the following fixes:
- Update base image and Go versions to address security-related vulnerabilities
Catalog UI This fix pack includes the following fixes:
- Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities
- Fix for a rare bug where the green loading icon spins endlessly and Helm releases do not display properly because of request queue problems
Certificate Management This fix pack includes the following fix:
- Update Go version (1.17.5) to resolve security-related vulnerabilities
GlusterFS This fix pack includes the following fixes:
- Update curl version to address security-related vulnerabilities
- Update OpenSSH to address security-related vulnerabilities
Helm API This fix pack includes the following fixes:
- Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities
- Update Rudder image Go version from 1.14.14 to 1.17.7 for security-related vulnerabilities
Helm Repo This fix pack includes the following fixes:
- Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities
Image Manager and ICP Registry This fix pack includes the following fixes:
- Update Go version to address security-related vulnerabilities
- Update OpenSSL to address security-related vulnerabilities
Ingress This fix pack includes the following fixes:
- Update nginx base image, uplift openSSL version, update Go version
Istio This fix pack includes the following fixes:
- Update Go version to address security-related vulnerabilities
- Update version of sudo used to address security-related vulnerabilities
Kubernetes This fix pack includes the following fixes:
- Update Go version to 1.17.8 to address security-related vulnerabilities
- Apply changes from community to address CVE-2021-25737 and CVE-2021-25741
- Fix the slow master switchover in the etcd VIP manager in HA environments by immediately broadcasting the switchover to all nodes, which reduces the time needed for the ARP cache update
Kube-dns This fix pack includes the following fixes:
- Update CoreDNS image from 1.7.0 to 1.9.1 to resolve Go-related security vulnerabilities
- Community changelog: https://github.com/coredns/coredns/blob/master/notes/coredns-1.9.1.md
Logging This fix pack includes the following fixes:
- Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities
- Update pki-init's OpenSSL version to address security-related vulnerabilities
- Update Elasticsearch's version of curl to address security-related vulnerabilities
MinIO This fix pack includes the following fixes:
- Update Go version from 1.15 to 1.17.8 to address security-related vulnerabilities
- Update MinIO version from RELEASE.2019-04-09T01-22-30Z to RELEASE.2022-01-08T03-11-54Z
- Update MinIO client version from RELEASE.2019-04-03T17-59-57Z to RELEASE.2022-01-07T06-01-38Z
- Update MinIO client Go version from 1.12 to 1.17.8 to address security-related vulnerabilities
Metering This fix pack includes the following fixes:
- Update the Node.js and base image versions to address security-related vulnerabilities
- Fix to allow the data manager purger to process data in chunks rather than on a single cursor
Metrics Server This fix pack includes the following fixes:
- Update metrics server from v0.3.4 to v0.6.0 to resolve Go-related security vulnerabilities
- Community changelog version v0.3.z to v0.4.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.4.0
- Community changelog version v0.4.5 to v0.5.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.0
- Community changelog version v0.5.0 to v0.6.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.0
Monitoring This fix pack includes the following fixes:
- Update base image and Go versions to address security-related vulnerabilities
Mutation Advisor This fix pack includes the following fixes:
- Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities
- Update pki-init's OpenSSL version to address security-related vulnerabilities
- Update Elasticsearch's version of curl to address security-related vulnerabilities
Platform API This fix pack includes the following fix:
- Update Go version (1.17.5) to resolve security-related vulnerabilities
Platform UI This fix pack includes the following fixes:
- Update the Node.js and base image versions to address security-related vulnerabilities
Security IAM This fix pack includes the following fixes:
- Update base image, Go versions, liberty versions, and node versions to address security-related vulnerabilities
Table: Fixed security vulnerabilities in fix pack 3.2.2.2203
CVE-ID Description
CVE-2018-16843 nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive memory consumption.
CVE-2018-16844 nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.
CVE-2018-16845 nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or obtain sensitive information from worker process memory.
CVE-2019-20372 NGINX could allow a remote attacker to obtain sensitive information, caused by a flaw in certain error_page configurations. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2019-7401 NGINX Unit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the router process. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the router process to crash.
CVE-2020-28491 FasterXML jackson-dataformats-binary is vulnerable to a denial of service, caused by an unchecked allocation of byte buffer flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a java.lang.OutOfMemoryError exception, resulting in a denial of service condition.
CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set.
CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host.
CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used.
CVE-2020-8286 cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server.
CVE-2021-20329 MongoDB Go Driver could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation of cstrings when marshalling Go objects into BSON. By sending a specially-crafted Go object with specific string, an attacker could exploit this vulnerability to inject additional fields into marshalled documents.
CVE-2021-20492 IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
CVE-2021-22139 Elastic Kibana is vulnerable to a denial of service, caused by a lack of timeout or a limit on the request size in the webhook actions. By sending a large number of requests, a remote attacker could exploit this vulnerability to exhaust the connection pool, leading to a denial of service.
CVE-2021-22569 Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service, caused by an issue allowing interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could exploit this vulnerability to cause a timeout in the ProtobufFuzzer function, resulting in a denial of service condition.
CVE-2021-22876 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system.
CVE-2021-22898 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sending a specially-crafted request using a clear-text network protocol, an attacker could exploit this vulnerability to obtain sensitive internal information to the server, and use this information to launch further attacks against the affected system.
CVE-2021-22918 Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function.
CVE-2021-22924 curl: Bad connection reuse due to flawed path name checks.
CVE-2021-22925 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain TELNET stack contents, and use this information to launch further attacks against the affected system.
CVE-2021-22926 cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a CURLOPT_SSLCERT option mixup with the Secure Transport TLS library. By creating a specially-crafted file with the same name as the certificate the application wants to use by name, an attacker could exploit this vulnerability to trick the application into using the file-based certificate instead of the one referred to by name, causing libcurl to send the wrong client certificate in the TLS connection handshake.
CVE-2021-22930 Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior.
CVE-2021-22945 cURL libcurl is vulnerable to a denial of service, caused by a use-after-free and double free flaw when sending data to an MQTT server. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-22946 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a required TLS bypassed issue. By sniffing the network, an attacker could exploit this vulnerability to obtain sensitive data in clear text over the network, and use this information to launch further attacks against the affected system.
CVE-2021-22947 cURL libcurl is vulnerable to a man-in-the-middle attack, caused by a flaw when connecting to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVE-2021-22959 Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers.
CVE-2021-22960 Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests.
CVE-2021-23362 Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-2369 An unspecified vulnerability in Oracle Java SE related to the Library component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVE-2021-2388 An unspecified vulnerability in Oracle Java SE related to the Hotspot component could allow an unauthenticated attacker to take control of the system.
CVE-2021-2432 An unspecified vulnerability in Oracle Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-25737 Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a host network hijacking flaw due to holes in EndpointSlice validation. By redirecting pod traffic to private networks on a Node, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2021-25740 Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a confused deputy attack. By sending a specially-crafted request to create or edit Endpoints or EndpointSlices in the Kubernetes API, an attacker could exploit this vulnerability to obtain backend IPs information, and use this information to launch further attacks against the affected system.
CVE-2021-25741 Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange flaw in kubelet. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a container with subpath volume mounts to access files and directories outside of the volume.
CVE-2021-25742 Kubernetes NGINX Ingress Controller could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the custom snippets feature. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain all secrets in the cluster, and use this information to launch further attacks against the affected system.
CVE-2021-25743 Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by improper filtering of ANSI escape characters in kubectl. By sending a specially-crafted input, an attacker could exploit this vulnerability to hide all the events, changing the title of the terminal window, and spoof the data.
CVE-2021-29842 IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.
CVE-2021-29921 Python is vulnerable to server-side request forgery, caused by improper input validation of octal strings in the stdlib ipaddress. By submitting a specially-crafted IP address to a web application, an attacker could exploit this vulnerability to conduct SSRF or local file include attacks.
CVE-2021-29923 Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-31525 net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-32690 Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2021-33194 Golang Go is vulnerable to a denial of service, caused by an infinite loop in golang.org/x/net/html. By sending a specially-crafted ParseFragment input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-33195 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2021-33196 Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, resulting in a denial of service condition.
CVE-2021-33197 Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director.
CVE-2021-33198 Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, resulting in a denial of service condition.
CVE-2021-34558 The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA-based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-35517 Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' tar package.
CVE-2021-35556 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35559 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35560 An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow an unauthenticated attacker to take control of the system.
CVE-2021-35564 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Keytool component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVE-2021-35565 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35578 An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35586 An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35588 An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-3601 OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA cert. An attacker could exploit this vulnerability for MITM to any connection from the victim machine.
CVE-2021-36090 Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' zip package.
CVE-2021-36158 xrdp package for Alpine Linux is vulnerable to a man-in-the-middle attack, caused by improper generation of RSA certificates and private keys in the RDP sessions. An attacker could exploit this vulnerability to track users.
CVE-2021-36221 Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic.
CVE-2021-3712 OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack.
CVE-2021-37136 Netty netty-codec is vulnerable to a denial of service, caused by not allowing size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-37137 Netty netty-codec is vulnerable to a denial of service, caused by not restricting the chunk length in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause excessive memory usage, resulting in a denial of service condition.
CVE-2021-3733 Python is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the AbstractBasicAuthHandler class in urllib. By persuading a victim to visit a specially-crafted web site, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-37701 The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability.
CVE-2021-37712 Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVE-2021-37713 Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system.
CVE-2021-39031 IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources. IBM X-Force ID: 213875.
CVE-2021-39134 Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack, caused by the failure of multiple dependencies to coexist within the same level in the node_modules hierarchy. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to create and overwrite arbitrary files on the system with elevated privileges.
CVE-2021-39135 Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack. By replacing the node_modules folder of the root project or any of its dependencies with a symbolic link, an attacker could exploit this vulnerability to write package dependencies to any arbitrary location on the file system.
CVE-2021-41035 Eclipse Openj9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persuading a victim to execute a specially-crafted program under a security manager, an attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code on the system.
CVE-2021-41092 Docker CLI could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when running "docker login my-private-registry.example.com" command with a misconfigured configuration file. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.
CVE-2021-41771 Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the ImportedSymbols function in debug/macho. By using specially-crafted binaries, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition.
CVE-2021-41772 Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the Reader.Open function. By using a specially-crafted ZIP archive containing an invalid name or an empty filename field, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition.
CVE-2021-43797 Netty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding request header names. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVE-2021-44532 Node.js could allow a remote attacker to bypass security restrictions, caused by a string injection vulnerability when name constraints were used within a certificate chain. An attacker could exploit this vulnerability to bypass the name constraints.
CVE-2021-44533 Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names.
CVE-2021-44716 net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-44717 Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
CVE-2022-21824 Node.js could provide weaker than expected security, caused by an error related to the formatting logic of the console.table() function. An attacker could exploit this vulnerability using console.table properties to allow an empty string to be assigned to numerical keys of the object prototype.
CVE-2022-22704 zabbix-agent2 package for Alpine Linux could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a design flaw in systemd. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root.
CVE-2022-23772 Golang Go is vulnerable to a denial of service, caused by a buffer overflow in the Rat.SetString function in math/big. By sending a specially-crafted request, an attacker could exploit this vulnerability to consume a large amount of RAM and cause the application to crash.
CVE-2022-23773 An unspecified error with not treating branches with semantic-version names as releases in cmd/go in Golang Go has an unknown impact and attack vector.
CVE-2022-23806 Golang Go is vulnerable to a denial of service, caused by a flaw where the IsOnCurve function returns true for invalid field elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause a panic in ScalarMult, resulting in a denial of service condition.

The 3.2.2.2203 fix pack is cumulative and includes all fixes that were included in previous 3.2.2.x fix packs for IBM Cloud Private 3.2.2.

Updated images in 3.2.2.2203

Table: Updated images in fix pack 3.2.2.2203
Image Previous version New version
alertmanager v0.15.0-f5 v0.15.0-f6
collectd-exporter v0.4.0-f5 v0.4.0-f6
configmap-reload v0.2.2-f5 v0.2.2-f6
curl 4.2.0-build.9 4.2.0-build.10
dashboard-controller v1.1.0-f3 v1.1.0-f4
grafana 5.2.0-f4 5.2.0-f5
kube-proxy v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-apiserver v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-controller-manager v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-scheduler v1.19.3-ee-1 v1.19.3_icp-ee-2105
kubelet v1.19.3-ee-1 v1.19.3-ee
iam-policy-decision 3.2.1.2012 3.2.1.2105
ibmcloud-image-enforcement 0.2.2.2012 0.2.2.2105
icp-catalog-ui 3.2.1.2012 3.2.1.2105
icp-cert-manager-acmesolver 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-cainjector 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-controller 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-webhook 0.7.0.1-f2012 0.7.0.1-f2105
icp-elasticsearch-oss 6.8.10-build.4 6.8.14-build.1
icp-filebeat-oss 6.8.10-build.4 6.8.14-build.1
icp-helm-api 3.2.1.2012 3.2.1.2105
icp-helm-repo 3.2.1.2012 3.2.1.2105
icp-image-manager 2.2.6.2001 2.2.6-2105
icp-inception 3.2.2.2012-ee 3.2.2.2105
icp-initcontainer 1.0-icp-build-2012 1.0-icp-build-2105
icp-kibana-oss 6.8.10-build.4 6.8.14-build.1
icp-logstash-oss 6.8.10-build.4 6.8.14-build.1
icp-management-ingress 2.4.0.1910 2.4.0.2105
icp-mongodb-exporter 3.4.0.2008 3.4.0.2105
icp-mongodb-install 3.4.0.2008 3.4.0.2105
icp-mongodb 4.0.20.2012 4.0.24.2105
icp-platform-auth 3.2.1.2012 3.2.1.2105
icp-platform-header 3.2.1.2012 3.2.1.2105
icp-platform-ui 3.2.1.2012 3.2.1.2105
indices-cleaner 1.3.0-build.2 1.3.0-build.4
kube-state-metrics v1.9.4-build.6 v1.9.4-build.10
metering-data-manager 3.2.2.2012 3.2.2.2105
metering-mcmui 3.2.2.2012 3.2.2.2105
metering-ui 3.2.2.2012 3.2.2.2105
nginx-ingress-controller 0.23.7 0.23.2105
node-exporter v0.16.0-f6 v0.16.0-f7
nvidia-device-plugin 1.4 1.4.2105
prometheus v2.8.0-f3 v2.8.0-f4
prometheus-config-reloader v0.31-f1 v0.31-f2
prometheus-operator v0.31-f1 v0.31-f2
prometheus-operator-controller v1.0.0-f2 v1.0.0-f3

Updated charts in 3.2.2.2203

Table: Updated charts in fix pack 3.2.2.2203
Chart Previous (3.2.1.2105) version New version
auth-idp 3.3.2105 3.3.2203
auth-pap 3.3.2012 3.3.2203
auth-pdp 3.3.2105 3.3.2203
helm-api 3.3.2105 3.3.2203
helm-repo 3.3.2105 3.3.2203
ibm-cert-manager 3.4.2105 3.4.2203
ibm-cert-manager-webhook 3.4.2105 3.4.2203
ibm-custom-metrics-adapter 3.4.2012 3.4.2105
ibm-icplogging 3.3.2 3.3.6
ibm-icpmonitoring 1.6.22105 1.6.22203
ibm-istio 1.2.10 1.2.11
ibmcloud-image-enforcement 3.4.2012 3.4.2105
icp-catalog-chart 3.3.2105 3.3.2203
icp-management-ingress 3.4.2105 3.4.2203
icp-mongodb 3.5.2105 3.5.2203
icp-nginx-ingress 3.4.2105 3.4.2203
image-manager 3.4.2105 3.4.2203
knative 3.4.2105 3.4.2203
metering 3.4.2105 3.4.2203
mgmt-repo 3.3.2105 3.3.2203
mutation-advisor 3.4.2105 3.4.2203
nvidia-device-plugin 3.4.2012 3.4.2105
platform-ui 3.4.2105 3.4.2203
security-onboarding 3.3.2105 3.3.2203

Reported problems that are fixed in the IBM Cloud Private 3.2.2.2105 fix pack

The fixes included within this 3.2.2.2105 fix pack include all fixes that are included within the 3.2.2.2105 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2105 fix pack. The 3.2.2.2105 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2105 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.2.2105 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2105 fix pack instead of this 3.2.2.2105 fix pack.

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.2.2105

Table: Fixed problems in fix pack 3.2.2.2105
Issue Category Description
45590 Healthcheck Fixes a login issue in the management console or cloudctl.
43801, 44227, 41478, 44913 Identity and Access Management (IAM) This fix pack includes the following fixes:
- Fixes a login issue in the management console or cloudctl.
- Fixes a cluster login issue where the user is not authorized to update a release in development and production environments.
- Resolves MongoDB connection timeout issues with auth-pdp in IBM Cloud Private Version 3.2.2 clusters.
- Fixes an issue with one of the auth-idp pod platform-auth-service containers, where the certificates are not imported properly to Liberty during pod startup.
44673 Installer This fix resolves an issue that caused missing node labels after adding new cluster nodes.
38688 Logging Fixes an issue related to logging on Kibana UI where no logs shows up and returns a 'No matching indices found: No indices match pattern "logstash-*"' and 'Discover: Could not locate that index-pattern-field (id: @timestamp)' error.
45520 Metering Fixes an issue related to Metering Pod heap limit allocation that caused a JavaScript heap out of memory error.
46474 MongoDB Fixes an issue where mongodump binary cannot connect to MongoDB.
46560, 46571 Platform UI This fix pack includes the following fixes:
- Fixes an issue that caused a node to display as able to be scheduled when it is not.
- Fixes scaling workload issues in the UI.
Table: Fixed security vulnerabilities in fix pack 3.2.2.2105
Issue CVE-ID Description
34823, 34860 CVE-2019-1551 OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information.
44229, 44243, 44356, 44515, 45537 CVE-2020-1971 OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the GENERAL_NAME_cmp function contains an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash.
41419, 41807 CVE-2020-1968 OpenSSL could allow a remote attacker to obtain sensitive information, caused by a Raccoon attack in the TLS specification. By computing the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite, an attacker could exploit this vulnerability to eavesdrop on all encrypted communications sent over that TLS connection.
44504, 44552 CVE-2020-2773 An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
46131, 46243 CVE-2020-5258 Dojo dojo could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object.
40047, 40238 CVE-2020-7016 Elastic Kibana is vulnerable to a denial of service, caused by a vulnerability in Timelion. By persuading a victim to visit a specially crafted URL, a remote attacker could exploit this vulnerability to consume all available CPU resources.
40047, 40238 CVE-2020-7017 Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the region map visualization. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
40502, 41427 CVE-2020-7018 Elastic Enterprise Search could allow a remote authenticated attacker to obtain sensitive information, caused by a credential exposure flaw in the App Search interface. By sending a request with a specially crafted role, a remote attacker could exploit this vulnerability to view the administrator API credentials.
40502, 41427 CVE-2020-7019 Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a field disclosure flaw when running a scrolling search. By running the same query, an attacker could exploit this vulnerability to obtain sensitive information.
42340, 42925 CVE-2020-7020 Elastic Enterprise Search could allow a remote authenticated attacker to obtain sensitive information, caused by not properly preserving security permissions in search queries. By sending a search request, a remote attacker could exploit this vulnerability to disclose the existence of documents.
46403, 46517 CVE-2020-7924 MongoDB Database Tools could allow a remote attacker to bypass security restrictions, caused by a flaw in the usage of a specific command line parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass certificate validation.
44229, 44243, 44356, 44515, 45537 CVE-2020-8265 Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS enabled socket, an attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
44229, 44243, 44356, 44515, 45537 CVE-2020-8287 Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
43172, 43605 CVE-2020-8554 Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when using LoadBalancer or ExternalIPs. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to patch the status of a LoadBalancer service.
44013, 44534 CVE-2020-8567 Kubernetes Secrets Store CSI Driver for Vault Plugin, Azure Plugin, and GCP Plugin could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send specially-crafted SecretProviderClass objects containing "dot dot" sequences (/../) to write arbitrary files on the system.
44013, 44534 CVE-2020-8568 Kubernetes Secrets Store CSI Driver could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted request containing "dot dot" sequences (/../) to write content to the host filesystem and sync file contents to Kubernetes Secrets.
44013, 44534 CVE-2020-8569 Kubernetes CSI snapshot-controller is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when processing a VolumeSnapshot custom resource. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.
40043, 40086 CVE-2020-14039 Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
44042, 44182 CVE-2020-14781 An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
40043, 40086, 40275, 44431 CVE-2020-15586 Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
41425, 41808 CVE-2020-24750 FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
43171, 43301 CVE-2020-25649 FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks that have an impact on data integrity.
42922, 42966, 44431 CVE-2020-28362 Golang Go is vulnerable to a denial of service, caused by improper input validation by the math/big.Int methods. By sending specially-crafted inputs, a remote attacker could exploit this vulnerability to cause the application to crash.
42922, 42966, 44431 CVE-2020-28366 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
42922, 42966, 44431 CVE-2020-28367 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
44661, 44663, 44836, 45346, 45369 CVE-2020-28500 Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
43626, 43808 CVE-2020-28851 Golang Go is vulnerable to a denial of service, caused by improper input validation while parsing the -u- extension in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause an index out of range panic.
43626, 43808 CVE-2020-28852 Golang Go is vulnerable to a denial of service, caused by improper input validation while processing a BCP 47 tag in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause a slice bounds out of range panic.
44183, 44234, 44279, 44357, 44431 CVE-2021-3114 An unspecified error in the Golang Go P224() curve implementation, which can generate incorrect outputs, has an unknown impact and attack vector.
44183, 44234, 44279, 44357, 44431 CVE-2021-3115 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a command injection flaw when using the go get command to fetch modules that make use of cgo. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
43714, 43939, 43807, 44330, 44431 CVE-2021-3121 An unspecified error caused by the lack of certain index validation, also known as the "skippy peanut butter" issue, in GoGo Protobuf has an unknown impact and attack vector.
45535, 45543, 45970, 46130 CVE-2021-3449 OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash.
45535, 45543, 45970, 46130 CVE-2021-3450 OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose.
44660, 44834 CVE-2021-7021 Elasticsearch could allow a local authenticated attacker to obtain sensitive information, caused by an error when audit logging and the emit_request_body option are enabled. By opening the audit log, a local authenticated attacker could obtain password hashes or authentication tokens and use this information to launch further attacks against the affected system.
46682, 46906 CVE-2021-20228 Ansible Engine could allow a local authenticated attacker to obtain sensitive information, caused by sensitive information not being masked or protected by the no_log feature by default. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
46403, 46517 CVE-2021-20334 MongoDB Compass for Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper access control. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user.
44470, 44475 CVE-2021-21303 Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitize multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to send deceptive or obscure information to a terminal screen, or to alter it.
44860, 45539 CVE-2021-22883 Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to cause excessive memory usage and make the system run out of memory.
44860, 45200, 45539 CVE-2021-22884 Node.js is vulnerable to a denial of service, caused by an error when the whitelist includes "localhost6". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the "localhost6" domain and cause a denial of service.
44611, 44662, 44752, 45349, 45370, 46572 CVE-2021-23337 All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.
44613, 44667, 44668 CVE-2021-23839 OpenSSL could provide weaker than expected security, caused by incorrect SSLv2 rollback protection that allows for the inversion of the logic during a padding check. If the server is configured for SSLv2 support at compile time, configured for SSLv2 support at runtime or configured for SSLv2 ciphersuites, it will accept a connection if a version rollback attack has occurred and erroneously reject a connection if a normal SSLv2 connection attempt is made.
44613, 44667, 44668, 44860, 45200, 45539 CVE-2021-23840 OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
44613, 44667, 44668 CVE-2021-23841 OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the X509_issuer_and_serial_hash() function. By parsing the issuer field, an attacker could exploit this vulnerability to cause the application to crash.
46176, 46516 CVE-2021-25735 Kubernetes kube-apiserver could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when performing node updates. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass a Validating Admission Webhook.
46011, 46129 CVE-2021-26296 Apache MyFaces is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
45159, 45216, 45335 CVE-2021-27918 Golang Go is vulnerable to a denial of service, caused by an infinite loop flaw when using xml.NewTokenDecoder with a custom TokenReader. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
45159, 45216, 46335 CVE-2021-27919 Golang Go is vulnerable to a denial of service, caused by a flaw in the Reader.Open API when used with a ZIP archive containing files whose names start with ../. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition.
44953, 44966 CVE-2021-28041 OpenSSH ssh-agent could allow a remote attacker to bypass security restrictions, caused by a double free flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to arbitrary hosts.

The 3.2.2.2105 fix pack is cumulative and includes all fixes that were included in previous 3.2.2.x fix packs for IBM Cloud Private 3.2.2.

Updated images in 3.2.2.2105

Table: Updated images in fix pack 3.2.2.2105
Image Previous version New version
alertmanager v0.15.0-f4 v0.15.0-f5
collectd-exporter v0.4.0-f4 v0.4.0-f5
configmap-reload v0.2.2-f4 v0.2.2-f5
curl 4.2.0-build.9 4.2.0-build.10
dashboard-controller v1.1.0-f1 v1.1.0-f3
grafana 5.2.0-f4 5.2.0-f5
kube-proxy v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-apiserver v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-controller-manager v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-scheduler v1.19.3-ee-1 v1.19.3_icp-ee-2105
kubelet v1.19.3-ee-1 v1.19.3-ee
iam-policy-decision 3.2.1.2012 3.2.1.2105
ibmcloud-image-enforcement 0.2.2.2012 0.2.2.2105
icp-catalog-ui 3.2.1.2012 3.2.1.2105
icp-cert-manager-acmesolver 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-cainjector 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-controller 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-webhook 0.7.0.1-f2012 0.7.0.1-f2105
icp-elasticsearch-oss 6.8.10-build.4 6.8.14-build.1
icp-filebeat-oss 6.8.10-build.4 6.8.14-build.1
icp-helm-api 3.2.1.2012 3.2.1.2105
icp-helm-repo 3.2.1.2012 3.2.1.2105
icp-image-manager 2.2.6.2001 2.2.6-2105
icp-inception 3.2.2.2012-ee 3.2.2.2105
icp-initcontainer 1.0-icp-build-2012 1.0-icp-build-2105
icp-kibana-oss 6.8.10-build.4 6.8.14-build.1
icp-logstash-oss 6.8.10-build.4 6.8.14-build.1
icp-management-ingress 2.4.0.1910 2.4.0.2105
icp-mongodb-exporter 3.4.0.2008 3.4.0.2105
icp-mongodb-install 3.4.0.2008 3.4.0.2105
icp-mongodb 4.0.20.2012 4.0.24.2105
icp-platform-auth 3.2.1.2012 3.2.1.2105
icp-platform-header 3.2.1.2012 3.2.1.2105
icp-platform-ui 3.2.1.2012 3.2.1.2105
indices-cleaner 1.3.0-build.2 1.3.0-build.4
kube-state-metrics v1.9.4-build. v1.9.4-build.6
metering-data-manager 3.2.2.2012 3.2.2.2105
metering-mcmui 3.2.2.2012 3.2.2.2105
metering-ui 3.2.2.2012 3.2.2.2105
nginx-ingress-controller 0.23.7 0.23.2105
node-exporter v0.16.0-f4 v0.16.0-f6
nvidia-device-plugin 1.4 1.4.2105
prometheus v2.8.0-f1 v2.8.0-f3
prometheus-config-reloader v0.31 v0.31-f1
prometheus-operator v0.31 v0.31-f1
prometheus-operator-controller v1.0.0 v1.0.0-f2

Updated charts in 3.2.2.2105

Table: Updated charts in fix pack 3.2.2.2105
Chart Previous (3.2.1.2008) version New version
auth-idp 3.3.2012 3.3.2105
auth-pap 3.3.2012 3.3.2012
auth-pdp 3.3.2012 3.3.2105
helm-api 3.3.2012 3.3.2105
helm-repo 3.3.2012 3.3.2105
ibm-cert-manager 3.3.2012 3.4.2105
ibm-cert-manager-webhook 3.3.2012 3.4.2105
ibm-custom-metrics-adapter 3.4.2012 3.4.2105
ibm-icplogging 3.3.1 3.3.2
ibm-icpmonitoring 1.6.22012 1.6.22105
ibm-istio 1.2.9 1.2.10
ibmcloud-image-enforcement 3.4.2012 3.4.2105
icp-catalog-chart 3.3.2012 3.3.2105
icp-management-ingress 3.4.2012 3.4.2105
icp-mongodb 3.5.2012 3.5.2105
icp-nginx-ingress 3.4.2012 3.4.2105
image-manager 3.4.2012 3.4.2105
knative 3.4.2012 3.4.2105
metering 3.4.2012 3.4.2105
mgmt-repo 3.3.2012 3.3.2105
mutation-advisor 3.4.2012 3.4.2105
nvidia-device-plugin 3.4.2012 3.4.2105
platform-ui 3.4.2012 3.4.2105
security-onboarding 3.3.2012 3.3.2105

Reported problems that are fixed in the IBM Cloud Private 3.2.2.2012 fix pack

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.2.2012

Table: Fixed problems in fix pack 3.2.2.2012
Issue Category Description
42922 Certificate management This fix updates Go to resolve a security-related vulnerability (CVE-2020-28362).
40202, 41428 Kubernetes This fix pack includes the following fixes:
- This fix updates the image enforcement policy to add the QPS option for the kube-client that is initialized in the admission controller.
- Kubernetes is upgraded to version 1.19.3.
- etcd is upgraded to version 3.4.13.
- kube-dns is upgraded to version 1.7.0.
41777 Kubelet A Go language issue that caused use of closed network connection kubelet errors and caused pods to remain in a terminating status is resolved.
41644, 41614 Metering This fix updates the Node.js and base image versions to address security-related vulnerabilities.
39471, 40347, 40043, 41424, 41614, 42039, 43273, 43274, 43276, 43278 Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue is resolved that affected the auth-pdp connection to mongodb when the mongodb pod restarts.
- An issue is resolved that affected platform-identity-manager when handling an invalid roles attribute name in a team payload.
- The performance of the users getTeams API is improved.
- The version of Go is upgraded to version 1.14.12 to address security-related vulnerabilities.
- WebSphere Liberty is upgraded to version 20.0.0.10 to address security-related vulnerabilities.
- Java is upgraded to version 1.8.0_271 to address security-related vulnerabilities.
- The Python cryptography package is upgraded to version 3.3.1 to address security-related vulnerabilities.
Table: Fixed security vulnerabilities in fix pack 3.2.2.2012
Issue CVE-ID Description
34823 CVE-2019-1551 OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information.
38874, 42039 CVE-2020-8203 Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
40561 CVE-2020-7923 MongoDB is vulnerable to a denial of service, caused by a flaw in the geoNear invariant. By sending specially crafted queries, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
41426 CVE-2020-15187 Helm could allow a remote authenticated attacker to bypass security restrictions, caused by an issue with containing duplicates of the same entry in the plugin.yaml file. By sending specially-crafted input, an attacker could exploit this vulnerability to modify a plugin's install hooks to perform a local execution attack.
41426 CVE-2020-15186 Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of plugin names. By sending specially-crafted input, an attacker could exploit this vulnerability to duplicate the name of another plugin or spoof the output of helm --help.
41426 CVE-2020-15185 Helm could allow a remote authenticated attacker to bypass security restrictions, caused by an issue with allowing duplicates of the same chart entry in the repository index file. By sending specially-crafted input, an attacker could exploit this vulnerability to inject a bad chart into a repository.
41426 CVE-2020-15184 Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of the alias field in a Chart.yaml. By sending specially-crafted input, an attacker could exploit this vulnerability to inject unwanted information into a chart.
41614 CVE-2020-8252 Node.js is vulnerable to a buffer overflow, caused by improper bounds checking by libuv's fs.realpath.native.
40043 CVE-2020-15586 Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
40043 CVE-2020-14039 Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
40347, 42039 CVE-2020-16845 Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary.
41424, 42039 CVE-2020-4590 IBM WebSphere Application Server Liberty running the oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client.
43169 CVE-2020-25659 python-cryptography could allow a remote attacker to obtain sensitive information, caused by a Bleichenbacher timing attack.
39032 CVE-2020-8169 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to correctly URL encode the credential data when set using a curl_easy_setopt option. The host name and partial password are leaked in cleartext over DNS on HTTP redirect. An attacker could exploit this vulnerability to obtain sensitive information.
39032 CVE-2020-8177 cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file.
42920 CVE-2020-14792 An unspecified vulnerability in related to the component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
42920 CVE-2020-14797 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
42920 CVE-2020-14781 An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
42920 CVE-2020-14779 An unspecified vulnerability in Java SE, Java SE Embedded related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
42920 CVE-2020-14798 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
42920 CVE-2020-14796 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
42921 CVE-2020-14782 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.

The 3.2.2.2012 fix pack is cumulative and includes all fixes that were included in previous 3.2.2.x fix packs and previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1 up to the 3.2.1.2003 fix pack.

Updated images in 3.2.2.2012

Table: Updated images in fix pack 3.2.2.2012
Image Previous version New version
audit-policy-controller 3.2.1.1910 3.2.1.2012
coredns 1.6.2 1.7.0
etcd 3.2.24.2 3.4.13
hyperkube v1.16.13-ee
iam-policy-administration 3.2.1.2008 3.2.1.2012
iam-policy-controller 3.2.1.2001 3.2.1.2012
iam-policy-decision 3.2.1.2006 3.2.1.2012
ibmcloud-image-enforcement 0.2.2.2001 0.2.2.2012
icp-catalog-ui 3.2.1.2006 3.2.1.2012
icp-cert-manager-acmesolver 0.7.0.1-f2001 0.7.0.1-f2012
icp-cert-manager-cainjector 0.7.0.1-f2001 0.7.0.1-f2012
icp-cert-manager-controller 0.7.0.1-f2001 0.7.0.1-f2012
icp-cert-manager-webhook 0.7.0.1-f2001 0.7.0.1-f2012
icp-helm-api 3.2.1.2006 3.2.1.2012
icp-helm-repo 3.2.1.2006 3.2.1.2012
icp-helm-rudder 3.2.1.2006 3.2.1.2012
icp-iam-onboarding 3.2.1.2006 3.2.1.2012
icp-identity-manager 3.2.1.2008 3.2.1.2012
icp-identity-provider 3.2.1.2008 3.2.1.2012
icp-inception 3.2.2.2008-ee 3.2.2.2012-ee
icp-initcontainer 1.0.0-build.6 1.0-icp-build-2012
icp-mongodb 4.0.16.2008 4.0.20.2012
icp-oidcclient-watcher 3.2.1.2001 3.2.1.2012
icp-platform-api 3.2.2.2008 3.2.2.2012
icp-platform-auth 3.2.1.2008 3.2.1.2012
icp-platform-header 3.2.1.2006 3.2.1.2012
icp-platform-ui 3.2.1.2006 3.2.1.2012
icp-secret-watcher 3.2.1.2001 3.2.1.2012
icp-web-terminal 3.2.1.2003 3.2.2.2012
kubectl v1.16.7.1 v1.19.3
kube-proxy v1.19.3-ee-1
kube-apiserver v1.19.3-ee-1
kube-controller-manager v1.19.3-ee-1
kube-scheduler v1.19.3-ee-1
kubelet v1.19.3-ee-1
mcm-kui-proxy 3.2.1.1911 3.2.2.2012
metering-data-manager 3.2.2.2008 3.2.2.2012
metering-mcmui 3.2.2.2008 3.2.2.2012
metering-ui 3.2.2.2008 3.2.2.2012
pause 3.1 3.3
tiller v2.12.3-icp-3.2.1.1911 v2.16.12-icp-3.2.1.2012

Note: Images that include the suffix -oss (icp-elasticsearch-oss, icp-filebeat-oss, icp-kibana-oss, icp-logstash-oss) are newer versions of images that did not include the suffix. For example, icp-elasticsearch-oss is the replacement for the icp-elasticsearch image, which is now deprecated.

Updated charts in 3.2.2.2012

Table: Updated charts in fix pack 3.2.2.2012
Chart Previous (3.2.2.2008) version New version
audit-logging 3.3.1910 3.4.2012
auth-idp 3.3.2008 3.3.2012
auth-pap 3.3.2008 3.3.2012
auth-pdp 3.3.2008 3.3.2012
calico 3.8.9 3.3.2012
helm-api 3.3.2006 3.3.2012
helm-repo 3.3.2006 3.3.2012
iam-policy-controller 3.3.2001 3.3.2012
ibm-cert-manager 3.3.2001 3.4.2012
ibm-cert-manager-webhook 3.3.2001 3.4.2012
ibm-custom-metrics-adapter 3.4.2008 3.4.2012
ibm-icplogging 3.2.1 3.3.1
ibm-icpmonitoring 1.6.22008 1.6.22012
ibm-istio 1.2.7 1.2.9
ibm-mcm-kui 3.3.1911 3.3.2012
ibm-mcm-prod 3.4.2008 3.4.2012
ibm-minio-objectstore 2.4.2003 2.4.2012
ibm-search-prod 3.4.2008 3.4.2012
ibmcloud-image-enforcement 3.3.2001 3.4.2012
icp-catalog-chart 3.3.2006 3.3.2012
icp-management-ingress 3.3.1910 3.4.2012
icp-mongodb 3.5.2008 3.5.2012
icp-nginx-ingress 3.4.2008 3.4.2012
image-manager 3.3.2001 3.4.2012
knative 3.4.2008 3.4.2012
kube-dns 3.4.2006 3.4.2012
metering 3.4.2008 3.4.2012
metrics-server 3.4.2006 3.4.2012
mgmt-repo 3.3.2006 3.3.2012
mutation-advisor 3.3.2008 3.4.2012
node-problem-detector-draino 0.5 3.4.2012
nsx-t-container-plugin 3.3.2008 3.3.2012
nvidia-device-plugin 3.3.0 3.4.2012
oidcclient-watcher 3.3.2001 3.3.2012
platform-ui 3.4.2008 3.4.2012
platform-api 3.4.2008 3.4.2012
secret-watcher 3.3.2001 3.3.2012
security-onboarding 3.3.2008 3.3.2012
service-catalog 3.4.2008 3.4.2012
system-healthcheck-service 3.3.1911 3.3.2012
vulnerability-advisor 3.3.2008 3.4.2012
web-terminal 3.3.2003 3.3.2012

Reported problems that are fixed in the IBM Cloud Private 3.2.2.2008 fix pack

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.2.2008

Table: Fixed problems in fix pack 3.2.2.2008
Issue Category Description
39229 Calico Calico is upgraded to version 3.8.9 to address a security vulnerability.
40048 Kubernetes This fix updates Kubernetes to version 1.16.7.1 to remove the curl tool from kubectl and address security vulnerabilities.
31863, 34244, 35166, 35312, 35476, 37301, 37619, 38548, 39076, 39222, 40036 Logging This fix pack includes the following fixes:
- Elastic Stack components (Logstash, Filebeat, Elasticsearch, Kibana) are upgraded from version 6.6.1 to version 6.8.10 to address security vulnerabilities.
- The logstash-input-beats plug-in is upgraded to version 6.0.11.
38874 Metering This fix updates Lodash to version 4.17.19 to address security vulnerabilities.
40270 Platform-API This fix updates platform-api to fix crashes with "fatal error: concurrent map read and map write".
39586 Service-Catalog This fix updates the Elasticsearch version to version 6.8.10 to be consistent with logging.
35851, 40048, 40091 Security - Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue is addressed that prevented the namespace from being deleted when the service catalog is enabled. This issue occurs because the service catalog API resource does not implement the protocol buffer (protobuf) marshalling interface and cannot be encoded to a protobuf message.
- Roles are updated to support configuring networking ingresses and networking policies.
- This fix pack also includes fixes to resolve security-related vulnerabilities.
Table: Fixed security vulnerabilities in fix pack 3.2.2.2008
Issue CVE-ID Description
31863 CVE-2019-1547 OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation.
31863 CVE-2019-1549 OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information.
35166, 35312 CVE-2019-1551 OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
31863 CVE-2019-1563 OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information.
35476 CVE-2020-7238 Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
34244 CVE-2019-7620 Elastic Logstash is vulnerable to a denial of service, caused by a flaw in the Beats input plugin. By sending a specially-crafted network packet, a remote attacker could exploit this vulnerability to cause the application to stop responding. Upgrade to the latest version of Logstash (6.8.4, 7.4.1 or later), available from the Elastic Web site.
37619 CVE-2019-11612 The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
35851 CVE-2019-15604 Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort.
35851 CVE-2019-15605 Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
35851 CVE-2019-15606 Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons.
38548 CVE-2020-7012 Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the Upgrade Assistant. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system.
38548 CVE-2020-7013 Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in TSVB. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system.
38548 CVE-2020-7015 Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the TSVB visualization. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
39076 CVE-2020-7614 Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a race condition in the response headers. By sending specially-crafted requests, an attacker could exploit this vulnerability to obtain sensitive information of another user from the response header.
37996 CVE-2020-7921 MongoDB Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper serialization of internal state in the authorization subsystem. An attacker could exploit this vulnerability to bypass IP whitelisting protection.
39032 CVE-2020-8169 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to correctly URL encode the credential data when set using a curl_easy_setopt option. The host name and partial password are leaked in cleartext over DNS on HTTP redirect. An attacker could exploit this vulnerability to obtain sensitive information.
39032, 39067 CVE-2020-8177 curl could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file.
38874 CVE-2020-8203 Fixed for the Metering component only. Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
40048 CVE-2020-8553 Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file.
39624 CVE-2020-8557 Kubernetes kubelet is vulnerable to a denial of service, caused by the kubelet eviction manager not including the /etc/hosts file when calculating ephemeral storage usage. By writing a large amount of data to the /etc/hosts file, a local authenticated attacker could exploit this vulnerability to fill the storage space of the node and cause the node to fail.
39624 CVE-2020-8559 Kubernetes kube-apiserver could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when multiple clusters share the same certificate authority trusted by the client. By intercepting certain requests and sending a redirect response, an attacker could exploit this vulnerability to compromise other nodes.
38544 CVE-2020-13401 Docker Docker CE is vulnerable to a man-in-the-middle attack, caused by improper validation of router advertisements. By sending rogue router advertisements, an attacker could exploit this vulnerability using man-in-the-middle techniques to gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
39229 CVE-2020-13597 Clusters using Calico (version 3.14.0 and earlier), Calico Enterprise (version 2.8.2 and earlier), can be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege can reconfigure the node's IPv6 interface due to the node accepting route advertisement by default. This vulnerability allows an attacker to redirect full or partial network traffic from the node to the compromised pod.
39222 CVE-2020-14422 Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

The 3.2.2.2008 fix pack is cumulative and includes all fixes that were included in the 3.2.2.2006 fix pack and the previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1 up to the 3.2.1.2003 fix pack.

Updated images in 3.2.2.2008

Table: Updated images in fix pack 3.2.2.2008
Image Previous version New version
calico-cni v3.5.2.1 v3.8.9
calico-ctl v3.5.2.1 v3.8.9
calico-kube-controllers v3.5.2.1 v3.8.9
calico-node v3.5.2.1 v3.8.9
curl 4.2.0-f4 4.2.0-build.6
default-http-backend 1.5.2 1.5.5
hyperkube v1.16.7-ee.2006 v1.16.13-ee
iam-policy-administration 3.2.1.2006 3.2.1.2008
icp-elasticsearch-oss icp-elasticsearch-6.6.1 6.8.10-build.1
icp-filebeat-oss icp-filebeat-6.6.1 6.8.10-build.1
icp-identity-manager 3.2.1.2006 3.2.1.2008
icp-identity-provider 3.2.1.2006 3.2.1.2008
icp-initcontainer 1.0.0-f4 1.0.0-build.6
icp-kibana-oss icp-kibana-6.6.1 6.8.10-build.1
icp-logstash-oss icp-logstash-6.6.1 6.8.10-build.1
icp-mongodb 4.0.12-build.3 4.0.16.2008
icp-mongodb-exporter 3.4.0 3.4.0.2008
icp-mongodb-install 3.4.0 3.4.0.2008
icp-multicluster-endpoint-operator 3.2.2.2006 3.2.2.2008
icp-platform-api 3.2.2.2006 3.2.2.2008
icp-platform-auth 3.2.1.2008 3.2.1.2008
indices-cleaner 1.2.0 1.3.0-build.1
kubectl v1.16.7 v1.16.7.1
logging-pki-init 2.3.0 2.3.0-build.3
metering-data-manager 3.2.2.2006 3.2.2.2008
metering-mcmui 3.2.2.2006 3.2.2.2008
metering-ui 3.2.2.2006 3.2.2.2006
nginx-ingress-controller 0.23.1.1911 0.23.7
search-collector 3.2.1.2001 3.2.2.2008
service-catalog-service-catalog v0.1.40-icp v0.1.40-icp.2008

Note: Images that include the suffix -oss (icp-elasticsearch-oss, icp-filebeat-oss, icp-kibana-oss, icp-logstash-oss) are newer versions of images that did not include the suffix. For example, icp-elasticsearch-oss is the replacement for the icp-elasticsearch image, which is now deprecated.

Updated charts in 3.2.2.2008

Table: Updated charts in fix pack 3.2.2.2008
Chart Previous (3.2.2.2006) version New version
auth-idp 3.3.2006 3.3.2008
auth-pap 3.3.2006 3.3.2008
auth-pdp 3.3.2006 3.3.2008
calico 3.3.0 3.8.9
ibm-calico-route-reflector 3.3.0 3.8.9
ibm-custom-metrics-adapter 3.3.2003 3.4.2008
ibm-mcm-prod 3.3.2006 3.4.2008
ibm-icplogging 2.4.1910 3.2.1
ibm-icpmonitoring 1.6.2006 1.6.22008
ibm-istio 1.2.6 1.2.7
ibm-search-prod 3.3.2006 3.4.2008
icp-mongodb 3.5.2006 3.5.2008
icp-nginx-ingress 3.3.1911 3.4.2008
knative 3.3.2006 3.4.2008
metering 3.4.2006 3.4.2008
mutation-advisor 3.3.2003 3.3.2008
nsx-t-container-plugin 3.3.0 3.3.2008
platform-api 3.4.2006 3.4.2008
security-onboarding 3.3.2006 3.3.2008
service-catalog 3.3.0 3.4.2008
vulnerability-advisor 3.3.2006 3.3.2008

Reported problems that are fixed in the IBM Cloud Private 3.2.2.2006 fix pack

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.2.2006

Table: Fixed problems in fix pack 3.2.2.2006
Issue Category Description
35851, 36565 Catalog-UI This fix updates Node.js to resolve security-related vulnerabilities.
38062, 38683 GlusterFS This fix pack includes the following fixes:
- The icp-storage-util image is updated to version 3.2.1.2006 to upgrade OpenSSL to 1.1.1g.
- The Storage GlusterFS Health page from Grafana is updated to address an issue that prevented data from displaying.
36566 Helm API & Helm Repo This fix updates the Node.js version to resolve security-related vulnerabilities.
35721, 35935, 38934 Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue with the GET userinfo API in platform-identity-provider is resolved. This issue caused intermittent failures with Helm upgrade and delete commands.
- The LDAP recursiveSearch config variable is now configurable. The value can be changed between true and false as required when the LDAP user login process is running too slowly due to nested user groups.
- WebSphere Liberty is upgraded to version 20.0.0.5.
- The IBM JDK is upgraded to version 1.8.0_sr6fp10.
- Fixes to resolve security-related vulnerabilities.
36413, 37151 Kubernetes core This fix pack includes the following fixes:
- Kubernetes is upgraded to version 1.16.7.
- The Metrics server is updated to version 0.3.4.
- CoreDNS is upgraded to version 1.6.2.
38934 Policy Decision Point (PDP) This fix improves the performance of the PDP service and resolves an issue that caused a container restart due to a memory leak.
35928, 38647 Metering This fix updates the Node.js version to address security-related vulnerabilities.
35928, 38647 Multicluster-Endpoint This fix updates the metering image version to version 3.2.2.2006.
38684 Network policy This fix modifies the network policy to ensure that the Kubernetes API server can reach the platform-identity-manager. This modification is needed for installing Knative.
32149, 32151, 34916, 35454, 35527, 35721, 35877, 35879, 35935, 36030, 36233, 36587, 36817, 37648, 37844, 37846, 37944 Security - Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue that caused a CrashLoopBackOff error for the auth-pap pod is resolved.
- WebSphere Liberty is upgraded to version 20.0.0.5.
- The IBM JDK is upgraded to version 1.8.0_sr6fp10.
- Fixes to resolve security-related vulnerabilities.
Table: Fixed security vulnerabilities in fix pack 3.2.2.2006
Issue CVE-ID Description
38572
38573
CVE-2018-1002102 Opens in a new tab Kubernetes API server could allow a remote authenticated attacker to conduct phishing attacks, caused by an improper validation of URL redirection. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
34823
34859
CVE-2019-1551 Opens in a new tab OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
31863
32149
CVE-2019-1547 Opens in a new tab OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the co-factor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation.
31863
32149
CVE-2019-1549 Opens in a new tab OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information.
31863
32149
CVE-2019-1563 Opens in a new tab OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information.
31866
32151
CVE-2019-5481 Opens in a new tab cURL libcurl is vulnerable to a denial of service, caused by a double free flaw during kerberos FTP data transfer. By sending a specially-crafted size of data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
31866 CVE-2019-5482 Opens in a new tab cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system.
32678
23646
CVE-2019-9947 Opens in a new tab Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
32678
23646
CVE-2019-9948 Opens in a new tab Python could allow a remote attacker to bypass security restrictions, caused by improper input validation by the urllib. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass the blacklist file: URIs protection mechanisms.
35851
35877
35928
35952
35953
36565
36566
37944
CVE-2019-15604 Opens in a new tab Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort.
35851
35877
35928
35952
35953
36565
36566
37944
CVE-2019-15605 Opens in a new tab Node.js vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
35851
35877
35928
35952
35953
36565
36566
37944
CVE-2019-15606 Opens in a new tab Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons.
32777
32933
CVE-2019-16935 Opens in a new tab Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
36569
36587
CVE-2019-17573 Opens in a new tab Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
37835
37846
CVE-2020-2754 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835
37846
CVE-2020-2755 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835
37846
CVE-2020-2756 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835
37846
CVE-2020-2757 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835
37846
CVE-2020-2781 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835
37846
CVE-2020-2800 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
37835
37846
CVE-2020-2803 Opens in a new tab Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
37835
37846
CVE-2020-2805 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
37835
37846
CVE-2020-2830 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
36802
36817
CVE-2020-4303 IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
36802
36817
CVE-2020-4304 IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
37620
37648
CVE-2020-4329 IBM WebSphere Application Server could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks.
37833
37844
CVE-2020-4421 IBM WebSphere Application Liberty could allow an authenticated user using OpenID Connect to spoof another user's identity.
38545
38647
38649
38650
CVE-2020-8172 Node.js could allow a remote attacker to bypass security restrictions. The 'session' event could be emitted before the 'secureConnect' event and possibly allow for the reuse of the TLS session. An attacker could exploit this vulnerability to bypass host certificate verification and gain access to the system.
38545
38647
38649
38650
CVE-2020-8174 Node.js is vulnerable to a buffer overflow, caused by multiple memory corruptions in the napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() functions. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
38545
38647
38649
38650
CVE-2020-10531 International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
38545
38647
38649
38650
CVE-2020-11080 Node.js is vulnerable to a denial of service, caused by an error in handling HTTP/2 SETTINGS frames, which are limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources.
36896
36961
CVE-2020-11254 Kubernetes is vulnerable to a denial of service, caused by a flaw in kube-apiserver. By sending a specially-crafted request using YAML payloads, a remote authenticated attacker could exploit this vulnerability to consume excessive CPU cycles.

Updated images in 3.2.2.2006

Table: Updated images in fix pack 3.2.2.2006
Image Previous version New version
coredns 1.2.6.1 1.6.2
hyperkube v1.13.12-ee.2003 v1.16.7-ee.2006
iam-policy-decision 3.2.1.2001 3.2.1.2006
iam-policy-administration 3.2.1.2003 3.2.1.2006
icp-iam-onboarding 3.2.1 3.2.1.2006
icp-catalog-ui 3.2.1.2001 3.2.1.2006
icp-helm-api 3.2.1.2001 3.2.1.2006
icp-helm-repo 3.2.1.1911 3.2.1.2006
icp-identity-manager 3.2.1.2003 3.2.1.2006
icp-identity-provider 3.2.1.2003 3.2.1.2006
icp-mongodb 4.0.12 4.0.12-build.3
icp-mongodb-exporter 3.2.1 3.4.0
icp-mongodb-install 3.2.1 3.4.0
icp-multicluster-endpoint-operator 3.2.1.2001 3.2.2.2006
icp-platform-api 3.2.1.2003 3.2.2.2006
icp-platform-auth 3.2.1.2003 3.2.1.2006
icp-platform-header 3.2.1.2003 3.2.1.2006
icp-platform-ui 3.2.1.2003 3.2.1.2006
icp-storage-util 3.2.1.1911 3.2.1.2006
kubectl v1.13.11.1911 v1.16.7
metering-data-manager 3.2.1.2001 3.2.2.2006
metering-mcmui 3.2.1.1911 3.2.2.2006
metering-ui 3.2.1.1911 3.2.2.2006
metrics-server v0.3.1.2003 v0.3.4

Updated charts in 3.2.2.2006

Table: Updated charts in fix pack 3.2.2.2006
Chart Previous (3.2.1.2003) version New version
auth-idp 3.3.2003 3.3.2006
auth-pap 3.3.2003 3.3.2006
auth-pdp 3.3.2003 3.3.2006
helm-api 3.3.2001 3.3.2006
helm-repo 3.3.1911 3.3.2006
ibm-glusterfs 1.5.2001 1.5.2006
ibm-icpmonitoring 1.6.1910 1.6.2006
ibm-istio 1.2.4 1.2.6
ibm-mcm-prod 3.3.2001 3.3.2006
ibm-search-prod 3.3.2001 3.3.2006
icp-catalog-chart 3.3.2001 3.3.2006
icp-mongodb 3.3.0 3.5.2006
icp-platform-netpols 3.3.0 3.3.2006
knative 3.3.1911 3.3.2006
kube-dns 3.3.2001 3.4.2006
metering 3.3.2001 3.4.2006
metrics-server 3.3.2003 3.4.2006
mgmt-repo 3.3.1911 3.3.2006
platform-api 3.3.2003 3.4.2006
platform-ui 3.3.2003 3.4.2006
security-onboarding 3.3.2003 3.3.2006

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2203 fix pack

The 3.2.1.2203 fix pack includes all of the fixes that are in the 3.2.2.2203 fix pack except those that apply only to the updated Kubernetes version of the 3.2.2.2203 fix pack. This 3.2.1.2203 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2203 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2203 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2203 fix pack instead of this 3.2.1.2203 fix pack.

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.1.2203

Table: Fixed problems in fix pack 3.2.1.2203
Category Description
Installer This fix pack includes the following fixes:
- Uplift Python version to Python 3
- Remove nfnetlink library check in cluster nodes
- Update base images and Go versions to address security-related vulnerabilities
Audit Logging This fix pack includes the following fixes:
- Update base image and Go versions to address security-related vulnerabilities
Catalog UI This fix pack includes the following fixes:
- Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities
- Fix for a rare bug where the green loading icon spins endlessly and Helm releases do not display properly because of request queue problems
Certificate Management This fix pack includes the following fix:
- Update Go version (1.17.5) to resolve security-related vulnerabilities
GlusterFS This fix pack includes the following fixes:
- Update curl version to address security-related vulnerabilities
- Update OpenSSH to address security-related vulnerabilities
Helm API This fix pack includes the following fixes:
- Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities
- Update Rudder image Go version from 1.14.14 to 1.17.7 for security-related vulnerabilities
Helm Repo This fix pack includes the following fixes:
- Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities
Image Manager and ICP Registry This fix pack includes the following fixes:
- Update Go version to address security-related vulnerabilities
- Update OpenSSL to address security-related vulnerabilities
Ingress This fix pack includes the following fixes:
- Update nginx base image, uplift OpenSSL version, and update Go version
Istio This fix pack includes the following fixes:
- Update Go version to address security-related vulnerabilities
- Update version of sudo used to address security-related vulnerabilities
Kubernetes This fix pack includes the following fixes:
- Fix slow master switchover in the etcd VIP manager in HA environments by immediately broadcasting the switchover to all nodes, which reduces the time needed for ARP cache updates
Kube-dns This fix pack includes the following fixes:
- Update CoreDNS image from 1.7.0 to 1.9.1 to resolve Go-related security vulnerabilities
- Community changelog: https://github.com/coredns/coredns/blob/master/notes/coredns-1.9.1.md
Logging This fix pack includes the following fixes:
- Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities
- Update pki-init's OpenSSL version to address security-related vulnerabilities
- Update Elasticsearch's version of curl to address security-related vulnerabilities
Metering This fix pack includes the following fixes:
- Update the Node.js and base image versions to address security-related vulnerabilities
- Fix to allow the data manager purger to process data in chunks rather than on a single cursor
Metrics Server This fix pack includes the following fixes:
- Update metrics server from v0.3.4 to v0.5.2 to resolve Go-related security vulnerabilities
- Community changelog version v0.3.z to v0.4.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.4.0
- Community changelog version v0.4.5 to v0.5.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.0
MinIO This fix pack includes the following fixes:
- Update Go version from 1.15 to 1.17.8 to address security-related vulnerabilities
- Update MinIO version from RELEASE.2019-04-09T01-22-30Z to RELEASE.2022-01-08T03-11-54Z
- Update MinIO client version from RELEASE.2019-04-03T17-59-57Z to RELEASE.2022-01-07T06-01-38Z
- Update MinIO client Go version from 1.12 to 1.17.8 to address security-related vulnerabilities
Monitoring This fix pack includes the following fixes:
- Update base image and Go versions to address security-related vulnerabilities
Mutation Advisor This fix pack includes the following fixes:
- Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities
- Update pki-init's OpenSSL version to address security-related vulnerabilities
- Update Elasticsearch's version of curl to address security-related vulnerabilities
Platform API This fix pack includes the following fix:
- Update Go version (1.17.5) to resolve security-related vulnerabilities
Platform UI This fix pack includes the following fixes:
- Update the Node.js and base image versions to address security-related vulnerabilities
Security IAM This fix pack includes the following fixes:
- Update base image, Go versions, Liberty versions, and Node.js versions to address security-related vulnerabilities
Table: Fixed security vulnerabilities in fix pack 3.2.1.2203
CVE-ID Description
CVE-2018-16843 nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive memory consumption.
CVE-2018-16844 nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.
CVE-2018-16845 nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter an infinite loop or to obtain sensitive information from worker process memory.
CVE-2019-20372 NGINX could allow a remote attacker to obtain sensitive information, caused by a flaw in certain error_page configurations. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2019-7401 NGINX Unit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the router process. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the router process to crash.
CVE-2020-28491 FasterXML jackson-dataformats-binary is vulnerable to a denial of service, caused by an unchecked allocation of byte buffer flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a java.lang.OutOfMemoryError exception resulting in a denial of service condition.
CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set.
CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host.
CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used.
CVE-2020-8286 cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server.
CVE-2021-20329 MongoDB Go Driver could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation of cstrings when marshalling Go objects into BSON. By sending a specially-crafted Go object with a specific string, an attacker could exploit this vulnerability to inject additional fields into marshalled documents.
CVE-2021-20492 IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
CVE-2021-22139 Elastic Kibana is vulnerable to a denial of service, caused by a lack of timeout or a limit on the request size in the webhook actions. By sending a large number of requests, a remote attacker could exploit this vulnerability to exhaust the connection pool, leading to a denial of service.
CVE-2021-22569 Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service, caused by an issue that allows interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could exploit this vulnerability to cause a timeout in the ProtobufFuzzer function, resulting in a denial of service condition.
CVE-2021-22876 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system.
CVE-2021-22898 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sending a specially-crafted request using a clear-text network protocol, an attacker could exploit this vulnerability to obtain sensitive internal information to the server, and use this information to launch further attacks against the affected system.
CVE-2021-22918 Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function.
CVE-2021-22924 curl: Bad connection reuse due to flawed path name checks.
CVE-2021-22925 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain TELNET stack contents, and use this information to launch further attacks against the affected system.
CVE-2021-22926 Curl libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the CURLOPT_SSLCERT option mixup with TLS library Secure Transport. By creating a specially-crafted file name with the same name as the app wants to use by name, an attacker could exploit this vulnerability to trick the application to use the file based cert instead of the one referred to by name, and allow libcurl to send the wrong client certificate in the TLS connection handshake.
CVE-2021-22930 Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior.
CVE-2021-22945 cURL libcurl is vulnerable to a denial of service, caused by a use-after-free and double free flaw when sending data to an MQTT server. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-22946 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a required TLS bypassed issue. By sniffing the network, an attacker could exploit this vulnerability to obtain sensitive data in clear text over the network, and use this information to launch further attacks against the affected system.
CVE-2021-22947 cURL libcurl is vulnerable to a man-in-the-middle attack, caused by a flaw when connecting to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVE-2021-22959 Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers.
CVE-2021-22960 Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests.
CVE-2021-23362 Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-2369 An unspecified vulnerability in Oracle Java SE related to the Library component could allow an unauthenticated attacker to cause a low integrity impact, with no confidentiality or availability impact.
CVE-2021-2388 An unspecified vulnerability in Oracle Java SE related to the Hotspot component could allow an unauthenticated attacker to take control of the system.
CVE-2021-2432 An unspecified vulnerability in Oracle Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-25737 Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a host network hijacking flaw due to holes in EndpointSlice validation. By redirecting pod traffic to private networks on a Node, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2021-25740 Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a confused deputy attack. By sending a specially-crafted request to create or edit Endpoints or EndpointSlices in the Kubernetes API, an attacker could exploit this vulnerability to obtain backend IPs information, and use this information to launch further attacks against the affected system.
CVE-2021-25741 Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange flaw in kubelet. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a container with subpath volume mounts to access files and directories outside of the volume.
CVE-2021-25742 Kubernetes NGINX Ingress Controller could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the custom snippets feature. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain all secrets in the cluster, and use this information to launch further attacks against the affected system.
CVE-2021-25743 Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by improper filtering of ANSI escape characters in kubectl. By sending a specially-crafted input, an attacker could exploit this vulnerability to hide all the events, changing the title of the terminal window, and spoof the data.
CVE-2021-29842 IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.
CVE-2021-29921 Python is vulnerable to server-side request forgery, caused by improper input validation of octal strings in the stdlib ipaddress. By submitting a specially-crafted IP address to a web application, an attacker could exploit this vulnerability to conduct SSRF or local file include attacks.
CVE-2021-29923 Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-31525 net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-32690 Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2021-33194 Golang Go is vulnerable to a denial of service, caused by an infinite loop in golang.org/x/net/html. By sending a specially-crafted ParseFragment input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-33195 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2021-33196 Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition.
CVE-2021-33197 Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director.
CVE-2021-33198 Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition.
CVE-2021-34558 The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA-based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2021-35517 Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' tar package.
CVE-2021-35556 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35559 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35560 An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow an unauthenticated attacker to take control of the system.
CVE-2021-35564 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Keytool component could allow an unauthenticated attacker to cause a low integrity impact, with no confidentiality or availability impact.
CVE-2021-35565 An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35578 An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35586 An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-35588 An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVE-2021-3601 OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA cert. An attacker could exploit this vulnerability for MITM to any connection from the victim machine.
CVE-2021-36090 Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' zip package.
CVE-2021-36158 xrdp package for Alpine Linux is vulnerable to a man-in-the-middle attack, caused by improper generation of RSA certificates and private keys in the RDP sessions. An attacker could exploit this vulnerability to track users.
CVE-2021-36221 Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic.
CVE-2021-3712 OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack.
CVE-2021-37136 Netty netty-codec is vulnerable to a denial of service, caused by the absence of size restrictions on decompressed data in the Bzip2Decoder. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-37137 Netty netty-codec is vulnerable to a denial of service, caused by a failure to restrict the chunk length in the SnappyFrameDecoder. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause excessive memory usage, resulting in a denial of service condition.
CVE-2021-3733 Python is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the AbstractBasicAuthHandler class in urllib. By persuading a victim to visit a specially-crafted web site, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2021-37701 The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability.
CVE-2021-37712 Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVE-2021-37713 Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system.
CVE-2021-39031 IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources. IBM X-Force ID: 213875.
CVE-2021-39134 Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack, caused by the failure of multiple dependencies to coexist within the same level in the node_modules hierarchy. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to create and overwrite arbitrary files on the system with elevated privileges.
CVE-2021-39135 Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack. By replacing the node_modules folder of the root project or any of its dependencies with a symbolic link, an attacker could exploit this vulnerability to write package dependencies to any arbitrary location on the file system.
CVE-2021-41035 Eclipse Openj9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persuading a victim to execute a specially-crafted program under a security manager, an attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code on the system.
CVE-2021-41092 Docker CLI could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when running the "docker login my-private-registry.example.com" command with a misconfigured configuration file. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain credential information, and use this information to launch further attacks against the affected system.
CVE-2021-41771 Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the ImportedSymbols function in debug/macho. By using specially-crafted binaries, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition.
CVE-2021-41772 Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the Reader.Open function. By using a specially-crafted ZIP archive containing an invalid name or an empty filename field, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition.
CVE-2021-43797 Netty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding request header names. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVE-2021-44532 Node.js could allow a remote attacker to bypass security restrictions, caused by a string injection vulnerability when name constraints were used within a certificate chain. An attacker could exploit this vulnerability to bypass the name constraints.
CVE-2021-44533 Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names.
CVE-2021-44716 net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2021-44717 Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
CVE-2022-21824 Node.js could provide weaker than expected security, caused by an error related to the formatting logic of the console.table() function. An attacker could exploit this vulnerability using console.table properties to allow an empty string to be assigned to numerical keys of the object prototype.
CVE-2022-22704 zabbix-agent2 package for Alpine Linux could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a design flaw in systemd. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root.
CVE-2022-23772 Golang Go is vulnerable to a denial of service, caused by a buffer overflow in the Rat.SetString function in math/big. By sending a specially-crafted request, an attacker could exploit this vulnerability to consume a large amount of RAM and cause the application to crash.
CVE-2022-23773 An unspecified error in cmd/go in Golang Go, caused by not treating branches with semantic-version names as releases, has an unknown impact and attack vector.
CVE-2022-23806 Golang Go is vulnerable to a denial of service, caused by the IsOnCurve function returning true for invalid field elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause a panic in ScalarMult, resulting in a denial of service condition.

The 3.2.1.2203 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.

Updated images in 3.2.1.2203

Table: Updated images in fix pack 3.2.1.2203
Image Previous version New version
alertmanager v0.15.0-f5 v0.15.0-f6
collectd-exporter v0.4.0-f5 v0.4.0-f6
configmap-reload v0.2.2-f5 v0.2.2-f6
curl 4.2.0-build.9 4.2.0-build.10
dashboard-controller v1.1.0-f3 v1.1.0-f4
grafana 5.2.0-f5 5.2.0-f6
kube-proxy v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-apiserver v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-controller-manager v1.19.3-ee-1 v1.19.3_icp-ee-2105
kube-scheduler v1.19.3-ee-1 v1.19.3_icp-ee-2105
kubelet v1.19.3-ee-1 v1.19.3-ee
iam-policy-decision 3.2.1.2012 3.2.1.2105
ibmcloud-image-enforcement 0.2.2.2012 0.2.2.2105
icp-catalog-ui 3.2.1.2012 3.2.1.2105
icp-cert-manager-acmesolver 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-cainjector 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-controller 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-webhook 0.7.0.1-f2012 0.7.0.1-f2105
icp-elasticsearch-oss 6.8.10-build.4 6.8.14-build.1
icp-filebeat-oss 6.8.10-build.4 6.8.14-build.1
icp-helm-api 3.2.1.2012 3.2.1.2105
icp-helm-repo 3.2.1.2012 3.2.1.2105
icp-image-manager 2.2.6.2001 2.2.6-2105
icp-inception 3.2.2.2012-ee 3.2.2.2105
icp-initcontainer 1.0-icp-build-2012 1.0-icp-build-2105
icp-kibana-oss 6.8.10-build.4 6.8.14-build.1
icp-logstash-oss 6.8.10-build.4 6.8.14-build.1
icp-management-ingress 2.4.0.1910 2.4.0.2105
icp-mongodb-exporter 3.4.0.2008 3.4.0.2105
icp-mongodb-install 3.4.0.2008 3.4.0.2105
icp-mongodb 4.0.20.2012 4.0.24.2105
icp-platform-auth 3.2.1.2012 3.2.1.2105
icp-platform-header 3.2.1.2012 3.2.1.2105
icp-platform-ui 3.2.1.2012 3.2.1.2105
indices-cleaner 1.3.0-build.2 1.3.0-build.4
kube-state-metrics v1.9.4-build. v1.9.4-build.6
metering-data-manager 3.2.2.2012 3.2.2.2105
metering-mcmui 3.2.2.2012 3.2.2.2105
metering-ui 3.2.2.2012 3.2.2.2105
nginx-ingress-controller 0.23.7 0.23.2105
node-exporter v0.16.0-f6 v0.16.0-f7
nvidia-device-plugin 1.4 1.4.2105
prometheus v2.8.0-f3 v2.8.0-f4
prometheus-config-reloader v0.31-f1 v0.31-f2
prometheus-operator v0.31-f1 v0.31-f2
prometheus-operator-controller v1.0.0-f2 v1.0.0-f3

Updated charts in 3.2.1.2203

Table: Updated charts in fix pack 3.2.1.2203
Chart Previous (3.2.1.2105) version New version
auth-idp 3.3.2105 3.3.2203
auth-pap 3.3.2012 3.3.2203
auth-pdp 3.3.2105 3.3.2203
helm-api 3.3.2105 3.3.2203
helm-repo 3.3.2105 3.3.2203
ibm-cert-manager 3.4.2105 3.3.2203
ibm-cert-manager-webhook 3.4.2105 3.3.2203
ibm-custom-metrics-adapter 3.4.2012 3.4.2105
ibm-icplogging 3.3.2 3.3.6
ibm-icpmonitoring 1.6.22105 1.6.12203
ibm-istio 1.2.10 1.2.42203
ibmcloud-image-enforcement 3.4.2105 3.3.2105
icp-catalog-chart 3.3.2105 3.3.2203
icp-management-ingress 3.4.2105 3.3.2203
icp-mongodb 3.5.2105 3.3.2203
icp-nginx-ingress 3.4.2105 3.3.2203
image-manager 3.4.2105 3.3.2203
knative 3.4.2105 3.3.2203
metering 3.4.2105 3.3.2203
mgmt-repo 3.3.2105 3.3.2203
mutation-advisor 3.4.2105 3.3.2203
nvidia-device-plugin 3.4.2105 3.3.2105
platform-ui 3.4.2105 3.3.2203
security-onboarding 3.3.2105 3.3.2203

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2105 fix pack

The fixes included within this 3.2.1.2105 fix pack include all fixes that are included within the 3.2.2.2105 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2105 fix pack. The 3.2.1.2105 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2105 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2105 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2105 fix pack instead of this 3.2.1.2105 fix pack.

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.1.2105

Table: Fixed problems in fix pack 3.2.1.2105
Issue Category Description
43801, 44227, 41478, 44913 Identity and Access Management (IAM) This fix pack includes the following fixes:
- Fixes a login issue in the management console or cloudctl.
- Fixes a cluster login issue where the user is not authorized to update a release in development and production environments.
- Resolves MongoDB connection timeout issues with auth-pdp in IBM Cloud Private Version 3.2.2 clusters.
- Fixes an issue with one of the auth-idp pod platform-auth-service containers, where the certificates are not imported properly to Liberty during pod startup.
41790 Metering Fixes an issue related to Metering Pod heap limit allocation that caused a JavaScript heap out of memory error.
46474 MongoDB Fixes an issue where the mongodump binary cannot connect to MongoDB.
45446, 46571 Platform UI This fix pack includes the following fixes:
- Fixes an issue that caused a node to display as schedulable when it is not.
- Fixes scaling workload issues in the management console.

Table: Fixed security vulnerabilities in fix pack 3.2.1.2105
Issue CVE-ID Description
44229, 44243, 44356, 44515, 45537 CVE-2020-1971 OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the arguments to the GENERAL_NAME_cmp function contain an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash.
44552, 44504 CVE-2020-2773 An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
46131, 46243 CVE-2020-5258 Dojo could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object.
46403, 46517 CVE-2020-7924 MongoDB Database Tools could allow a remote attacker to bypass security restrictions, caused by a flaw in the usage of a specific command-line parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass certificate validation.
44229, 44243, 44356, 44515, 45537 CVE-2020-8265 Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS enabled socket, an attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
44229, 44243, 44356, 44515, 45537 CVE-2020-8287 Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
44013, 44534 CVE-2020-8567 Kubernetes Secrets Store CSI Driver for Vault Plugin, Azure Plugin, and GCP Plugin could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted SecretProviderClass object containing "dot dot" sequences (/../) to write arbitrary files on the system.
44013, 44534 CVE-2020-8568 Kubernetes Secrets Store CSI Driver could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted request containing "dot dot" sequences (/../) to write content to the host filesystem and sync file contents to Kubernetes Secrets.
44013, 44534 CVE-2020-8569 Kubernetes CSI snapshot-controller is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when processing a VolumeSnapshot custom resource. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.
40043, 40086 CVE-2020-14039 Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
44042, 44182 CVE-2020-14781 An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
40043, 40086 CVE-2020-15586 Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
40347 CVE-2020-16845 Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
42922, 42966, 44431 CVE-2020-28362 Golang Go is vulnerable to a denial of service, caused by improper input validation by the math/big.Int methods. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
42922, 42966, 44431 CVE-2020-28366 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
42922, 42966, 44431 CVE-2020-28367 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
44661, 45346 CVE-2020-28500 Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
43626, 43808 CVE-2020-28851 Golang Go is vulnerable to a denial of service, caused by improper input validation while parsing the -u- extension in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause an index out of range panic.
43626, 43808 CVE-2020-28852 Golang Go is vulnerable to a denial of service, caused by improper input validation while processing a BCP 47 tag in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause a slice bounds out of range panic.
44183, 44234, 44279, 44357, 44431 CVE-2021-3114 An unspecified error in Golang Go, where the P224() curve implementation can generate incorrect outputs, has an unknown impact and attack vector.
44183, 44234, 44279, 44357, 44431 CVE-2021-3115 Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a command injection flaw when using the go get command to fetch modules that make use of cgo. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
43714, 43939, 43807, 44330, 44431 CVE-2021-3121 An unspecified error in GoGo Protobuf, caused by the lack of certain index validation and also known as the "skippy peanut butter" issue, has an unknown impact and attack vector.
45535, 45970, 46130 CVE-2021-3449 OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash.
45535, 45970, 46130 CVE-2021-3450 OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains when the X509_V_FLAG_X509_STRICT flag is set. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose.
46682, 46906 CVE-2021-20228 Ansible Engine could allow a local authenticated attacker to obtain sensitive information, caused by sensitive information not being masked or protected by the no_log feature by default. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
46403, 46517 CVE-2021-20334 MongoDB Compass for Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper access control. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user.
44470, 44475 CVE-2021-21303 Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitize multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to display deceptive, obscured, or altered information on a terminal screen.
44860, 45539 CVE-2021-22883 Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to cause excessive memory usage and make the system run out of memory.
44860, 45539 CVE-2021-22884 Node.js is vulnerable to a denial of service, caused by an error when the whitelist includes "localhost6". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the "localhost6" domain and cause a denial of service.
44611, 45349 CVE-2021-23337 All versions of package lodash and all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.
44860, 45539 CVE-2021-23840 OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
46011, 46129 CVE-2021-26296 Apache MyFaces is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
45159, 45335 CVE-2021-27918 Golang Go is vulnerable to a denial of service, caused by an infinite loop flaw when using xml.NewTokenDecoder with a custom TokenReader. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
45159, 45335 CVE-2021-27919 Golang Go is vulnerable to a denial of service, caused by a flaw in the Reader.Open API when it is used with a ZIP archive containing file names that start with ../. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition.
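The two Go ZIP entries on this page (CVE-2021-27919 above and CVE-2021-41772 in the 3.2.2.2203 list) and the "dot dot" CSI driver entries share one root cause: a file name supplied by an archive or a request is trusted before anyone checks where it resolves. The Go program below is an added example written for this page; it is not IBM Cloud Private or Go project code. It shows the entry-name validation an extractor should apply before opening or writing anything, so the protection does not depend on which Go toolchain version built the binary. The destination directory /var/tmp/extract and the sample archive are constructed for the example, and nothing is written to disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"path/filepath"
	"strings"
)

// safeEntryPath validates one archive entry name and returns the path it may be
// written to under dest. Two independent checks are applied: fs.ValidPath rejects
// names that are empty, rooted, or contain "." or ".." elements, and a
// filepath.Rel containment test catches anything that still resolves outside
// dest (for example a backslash-separated name interpreted on Windows).
func safeEntryPath(dest, name string) (string, error) {
	trimmed := strings.TrimSuffix(name, "/") // directory entries end with a slash
	if trimmed == "." || !fs.ValidPath(trimmed) {
		return "", fmt.Errorf("zip: rejecting invalid entry name %q", name)
	}
	target := filepath.Join(dest, filepath.FromSlash(trimmed))
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip: entry %q escapes %q", name, dest)
	}
	return target, nil
}

// auditArchive reads a zip held in memory and sorts its entries into those that
// may be extracted under dest and those that must be refused. It never calls
// Reader.Open, so the validation does not rely on the toolchain's own handling
// of hostile names.
func auditArchive(data []byte, dest string) (safe, rejected []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil {
		return nil, nil, err // unreadable archive
	}
	// Go 1.20+ can return the reader together with an "insecure path" error when
	// GODEBUG=zipinsecurepath=0; the entries are still listed and the checks
	// below handle them, so that error is deliberately not treated as fatal.
	for _, f := range zr.File {
		if _, perr := safeEntryPath(dest, f.Name); perr != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		safe = append(safe, f.Name)
	}
	return safe, rejected, nil
}

// buildSampleZip constructs an archive (not taken from the product) that mixes
// one benign entry with the hostile name shapes the Go fixes were about.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, name := range []string{"good/file.txt", "../evil.txt", "/abs.txt", "good/../../x"} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(w, "constructed sample content\n")
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// /var/tmp/extract is a hypothetical destination; it is never created.
	safe, rejected, err := auditArchive(buildSampleZip(), "/var/tmp/extract")
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:", safe)
	fmt.Println("rejected:", rejected)
}
```

Running it prints safe: [good/file.txt] and rejected: [../evil.txt /abs.txt good/../../x]. fs.ValidPath alone covers the names that made Reader.Open panic (empty, leading ../, leading /); the filepath.Rel containment test is kept as a second layer because a name such as ..\evil passes fs.ValidPath yet resolves outside the destination when extracted on Windows.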

The 3.2.1.2105 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.

Updated images in 3.2.1.2105

Table: Updated images in fix pack 3.2.1.2105
Image Previous version New version
alertmanager v0.15.0-f4 v0.15.0-f5
collectd-exporter v0.4.0-f4 v0.4.0-f5
configmap-reload v0.2.2-f4 v0.2.2-f5
curl 4.2.0-build.9 4.2.0-build.10
dashboard-controller v1.1.0-f1 v1.1.0-f3
grafana 5.2.0-f4 5.2.0-f5
iam-policy-decision 3.2.1.2012 3.2.1.2105
ibmcloud-image-enforcement 0.2.2.2012 0.2.2.2105
icp-catalog-ui 3.2.1.2012 3.2.1.2105
icp-cert-manager-acmesolver 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-cainjector 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-controller 0.7.0.1-f2012 0.7.0.1-f2105
icp-cert-manager-webhook 0.7.0.1-f2012 0.7.0.1-f2105
icp-elasticsearch-oss 6.8.10-build.4 6.8.14-build.1
icp-filebeat-oss 6.8.10-build.4 6.8.14-build.1
icp-helm-api 3.2.1.2012 3.2.1.2105
icp-helm-repo 3.2.1.2012 3.2.1.2105
icp-image-manager 2.2.6.2001 2.2.6.2105
icp-inception 3.2.1.2012-ee 3.2.1.2105-ee
icp-initcontainer 1.0-icp-build-2012 1.0-icp-build-2105
icp-kibana-oss 6.8.10-build.4 6.8.14-build.1
icp-logstash-oss 6.8.10-build.4 6.8.14-build.1
icp-management-ingress 2.4.0.1910 2.4.0.2105
icp-mongodb-exporter 3.4.0.2008 3.4.0.2105
icp-mongodb-install 3.4.0.2008 3.4.0.2105
icp-mongodb 4.0.20.2012 4.0.24.2105
icp-platform-auth 3.2.1.2012 3.2.1.2105
icp-platform-header 3.2.1.2012 3.2.1.2105
icp-platform-ui 3.2.1.2012 3.2.1.2105
indices-cleaner 1.3.0-build.2 1.3.0-build.4
kube-state-metrics v1.3.0-f4 v1.3.0-f5
logging-pki-init 2.3.0-build.7 2.3.0-build.8
metering-data-manager 3.2.1.2012 3.2.1.2105
metering-mcmui 3.2.1.2012 3.2.1.2105
metering-ui 3.2.1.2012 3.2.1.2105
nginx-ingress-controller 0.23.7 0.23.2105
node-exporter v0.16.0-f4 v0.16.0-f6
nvidia-device-plugin 1.4 1.4.2105
prometheus v2.8.0-f1 v2.8.0-f3
prometheus-config-reloader v0.31 v0.31-f1
prometheus-operator v0.31 v0.31-f1
prometheus-operator-controller v1.0.0 v1.0.0-f2
tiller v2.16.12-icp-3.2.1.2012 v2.16.12-icp-3.2.1.2105

Updated charts in 3.2.1.2105

Table: Updated charts in fix pack 3.2.1.2105
Chart Previous (3.2.1.2012) version New version
auth-idp 3.3.2012 3.3.2105
auth-pdp 3.3.2012 3.3.2105
helm-api 3.3.2012 3.3.2105
helm-repo 3.3.2012 3.3.2105
ibm-cert-manager 3.3.2012 3.3.2105
ibm-cert-manager-webhook 3.3.2012 3.3.2105
ibm-custom-metrics-adapter 3.3.2012 3.3.2105
ibm-icplogging 3.3.1 3.3.2
ibm-icpmonitoring 1.6.12012 1.6.12105
ibm-istio 1.2.4.2012 1.2.4.2105
ibmcloud-image-enforcement 3.3.2012 3.3.2105
icp-catalog-chart 3.3.2012 3.3.2105
icp-management-ingress 3.3.1910 3.3.2105
icp-mongodb 3.3.2012 3.3.2105
icp-nginx-ingress 3.3.2012 3.3.2105
image-manager 3.3.2001 3.3.2105
knative 3.3.2012 3.3.2105
metering 3.3.2012 3.3.2105
mgmt-repo 3.3.2012 3.3.2105
mutation-advisor 3.3.2012 3.3.2105
nvidia-device-plugin 3.3.0 3.3.2105
platform-ui 3.3.2012 3.3.2105
security-onboarding 3.3.2012 3.3.2105

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2012 fix pack

The fixes included within this 3.2.1.2012 fix pack include all fixes that are included within the 3.2.2.2012 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2012 fix pack. The 3.2.1.2012 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2012 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2012 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2012 fix pack instead of this 3.2.1.2012 fix pack.

Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.1.2012

Table: Fixed problems in fix pack 3.2.1.2012
Issue Category Description
42961, 42922 Certificate management This fix updates Go to resolve a security-related vulnerability (CVE-2020-28362).
43382 Istio This fix updates the cert-manager-controller image version to version 0.7.0.1-f2012.
40202 Kubernetes This fix updates the image enforcement policy to add the QPS option for the kube-client that is initialized in the admission controller.
41644, 41614 Metering This fix updates the Node.js and base image versions to address security-related vulnerabilities.
39471, 40347, 40043, 41424, 41614, 42039, 43273, 43274, 43276, 43278 Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue is resolved that affected the auth-pdp connection to MongoDB when the MongoDB pod restarts.
- An issue is resolved that affected platform-identity-manager when handling an invalid roles attribute name in the team payload.
- The users getTeams API performance is improved.
- Go is upgraded to version 1.14.12 to address security-related vulnerabilities.
- WebSphere Liberty is upgraded to version 20.0.0.10 to address security-related vulnerabilities.
- Java is upgraded to version 1.8.0_271 to address security-related vulnerabilities.
- The Python cryptography package is upgraded to version 3.3.1 to address security-related vulnerabilities.

Table: Fixed security vulnerabilities in fix pack 3.2.1.2012
Issue CVE-ID Description
34823 CVE-2019-1551 OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information.
38874, 42039 CVE-2020-8203 Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
41426 CVE-2020-15187 Helm could allow a remote authenticated attacker to bypass security restrictions, caused by the plugin.yaml file being allowed to contain duplicates of the same entry. By sending specially-crafted input, an attacker could exploit this vulnerability to modify a plugin's install hooks to perform a local execution attack.
41426 CVE-2020-15186 Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of plugin names. By sending specially-crafted input, an attacker could exploit this vulnerability to duplicate the name of another plugin or spoof the output of helm --help.
41426 CVE-2020-15185 Helm could allow a remote authenticated attacker to bypass security restrictions, caused by allowing duplicates of the same chart entry in the repository index file. By sending specially-crafted input, an attacker could exploit this vulnerability to inject a bad chart into a repository.
41426 CVE-2020-15184 Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of the alias field in a Chart.yaml. By sending specially-crafted input, an attacker could exploit this vulnerability to inject unwanted information into a chart.
41614 CVE-2020-8252 Node.js is vulnerable to a buffer overflow, caused by improper bounds checking in libuv's fs.realpath.native.
40043 CVE-2020-15586 Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
40043 CVE-2020-14039 Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
40347, 42039 CVE-2020-16845 Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary.
41424, 42039 CVE-2020-4590 IBM WebSphere Application Server Liberty running the oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client.
43169 CVE-2020-25659 python-cryptography could allow a remote attacker to obtain sensitive information, caused by a Bleichenbacher timing attack.
39032 CVE-2020-8169 cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to correctly URL encode the credential data when set using a curl_easy_setopt option. The host name and partial password are leaked in cleartext over DNS on HTTP redirect. An attacker could exploit this vulnerability to obtain sensitive information.
39032 CVE-2020-8177 cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file.
42920 CVE-2020-14792 An unspecified vulnerability in related to the component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
42920 CVE-2020-14797 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
42920 CVE-2020-14781 An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
42920 CVE-2020-14779 An unspecified vulnerability in Java SE, Java SE Embedded related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
42920 CVE-2020-14798 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
42920 CVE-2020-14796 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
42921 CVE-2020-14782 An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.

The 3.2.1.2012 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.

Updated images in 3.2.1.2012

Table: Updated images in fix pack 3.2.1.2012
Image Previous version New version
audit-policy-controller 3.2.1.1910 3.2.1.2012
iam-policy-administration 3.2.1.2008 3.2.1.2012
iam-policy-controller 3.2.1.2001 3.2.1.2012
iam-policy-decision 3.2.1.2006 3.2.1.2012
ibmcloud-image-enforcement 0.2.2.2001 0.2.2.2012
icp-catalog-ui 3.2.1.2006 3.2.1.2012
icp-cert-manager-acmesolver 0.7.0.1-f2001 0.7.0.1-f2012
icp-cert-manager-cainjector 0.7.0.1-f2001 0.7.0.1-f2012
icp-cert-manager-controller 0.7.0.1-f2001 0.7.0.1-f2012
icp-cert-manager-webhook 0.7.0.1-f2001 0.7.0.1-f2012
icp-helm-api 3.2.1.2006 3.2.1.2012
icp-helm-repo 3.2.1.2006 3.2.1.2012
icp-helm-rudder 3.2.1.2006 3.2.1.2012
icp-iam-onboarding 3.2.1.2006 3.2.1.2012
icp-identity-manager 3.2.1.2008 3.2.1.2012
icp-identity-provider 3.2.1.2008 3.2.1.2012
icp-inception 3.2.1.2008-ee 3.2.1.2012-ee
icp-mongodb 4.0.16.2008 4.0.20.2012
icp-oidcclient-watcher 3.2.1.2001 3.2.1.2012
icp-platform-api 3.2.1.2008 3.2.1.2012
icp-platform-auth 3.2.1.2008 3.2.1.2012
icp-platform-header 3.2.1.2006 3.2.1.2012
icp-platform-ui 3.2.1.2006 3.2.1.2012
icp-secret-watcher 3.2.1.2001 3.2.1.2012
metering-data-manager 3.2.1.2008 3.2.1.2012
metering-mcmui 3.2.1.2008 3.2.1.2012
metering-ui 3.2.1.2008 3.2.1.2012
tiller v2.12.3-icp-3.2.1.1911 v2.16.12-icp-3.2.1.2012
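
After a fix pack is applied, the quickest way to confirm that the cluster really runs what the table above lists is to compare the image tags that kubectl reports against the New version column. The following script is an added example and is not part of the IBM Cloud Private documentation or product. It embeds a subset of the table rows, a constructed sample of kubectl output, and assumes the private registry is reachable as mycluster.icp:8500 (the host name and the ibmcom path are illustrative only; the image names and tags are the ones in the table).

```python
"""Compare running image tags with a fix pack's "Updated images" table.

Added example, not part of the IBM Cloud Private documentation. The expected
versions are copied from the 3.2.1.2012 table; the kubectl output below is a
constructed sample and the registry host mycluster.icp:8500 is an assumption.
"""

# image name -> new version, for a subset of "Updated images in fix pack 3.2.1.2012".
# Extend with the remaining rows of the table as needed.
EXPECTED_3_2_1_2012 = {
    "icp-identity-provider": "3.2.1.2012",
    "icp-platform-auth": "3.2.1.2012",
    "icp-mongodb": "4.0.20.2012",
    "icp-inception": "3.2.1.2012-ee",
    "tiller": "v2.16.12-icp-3.2.1.2012",
}

# Constructed sample of what this command prints (one container image per line):
#   kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
# The digest on the fifth line is made up.
SAMPLE_KUBECTL_OUTPUT = """\
mycluster.icp:8500/ibmcom/icp-identity-provider:3.2.1.2012
mycluster.icp:8500/ibmcom/icp-platform-auth:3.2.1.2008
mycluster.icp:8500/ibmcom/icp-mongodb:4.0.20.2012
mycluster.icp:8500/ibmcom/tiller:v2.12.3-icp-3.2.1.1911
mycluster.icp:8500/ibmcom/icp-mongodb@sha256:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
mycluster.icp:8500/ibmcom/nginx-ingress-controller:0.23.7
"""


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest).

    A registry host with a port (':8500') must not be mistaken for a tag, so
    only the final path component is inspected. A digest-pinned reference
    ('name@sha256:...') has no tag; a bare reference has neither.
    """
    ref = ref.strip()
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    last = ref.rsplit("/", 1)[-1]
    if ":" in last:
        name, tag = last.rsplit(":", 1)
    else:
        name, tag = last, None
    return name, tag, digest


def check_images(expected, kubectl_output):
    """Classify every running image that appears in the fix pack table.

    Returns a dict with three lists:
      ok       -> (name, tag)          tag equals the table's new version
      stale    -> (name, tag, wanted)  tag differs from the new version
      unpinned -> (name, digest)       digest-only reference; the version is
                                       not visible in the tag, check by hand
    Images that are not in the table are ignored.
    """
    findings = {"ok": [], "stale": [], "unpinned": []}
    for line in kubectl_output.splitlines():
        if not line.strip():
            continue
        name, tag, digest = parse_image_ref(line)
        if name not in expected:
            continue
        wanted = expected[name]
        if tag is None:
            findings["unpinned"].append((name, digest))
        elif tag == wanted:
            findings["ok"].append((name, tag))
        else:
            findings["stale"].append((name, tag, wanted))
    return findings


def report(findings):
    """Render findings as report lines (returned rather than printed so they can be checked)."""
    lines = []
    for name, tag, wanted in findings["stale"]:
        lines.append(f"STALE    {name}:{tag} (fix pack ships {wanted})")
    for name, digest in findings["unpinned"]:
        lines.append(f"CHECK    {name}@{digest} (digest-pinned, verify the version manually)")
    for name, tag in findings["ok"]:
        lines.append(f"OK       {name}:{tag}")
    return lines


if __name__ == "__main__":
    import sys
    # Pipe real kubectl output on stdin; with no input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_OUTPUT
    print("\n".join(report(check_images(EXPECTED_3_2_1_2012, data))))
```

A matching tag only tells you which image reference the pod spec carries; a pod that is digest-pinned, or a workload whose controller never rolled its pods after the fix pack, is reported as CHECK or STALE and has to be inspected by hand. Images that are not in the table (nginx-ingress-controller in the sample) are deliberately skipped, because the table is the only ground truth the fix pack gives you.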

Updated charts in 3.2.1.2012

Table: Updated charts in fix pack 3.2.1.2012
Chart Previous (3.2.1.2008) version New version
audit-logging 3.3.1910 3.3.2012
auth-idp 3.3.2008 3.3.2012
auth-pap 3.3.2008 3.3.2012
auth-pdp 3.3.2008 3.3.2012
helm-api 3.3.2006 3.3.2012
helm-repo 3.3.2006 3.3.2012
iam-policy-controller 3.3.2001 3.3.2012
ibm-cert-manager 3.3.2001 3.3.2012
ibm-cert-manager-webhook 3.3.2001 3.3.2012
ibm-istio 1.2.4 1.2.4.2012
ibmcloud-image-enforcement 3.3.2001 3.3.2012
icp-catalog-chart 3.3.2006 3.3.2012
icp-mongodb 3.3.2008 3.3.2012
metering 3.3.2008 3.3.2012
mgmt-repo 3.3.2006 3.3.2012
oidcclient-watcher 3.3.2001 3.3.2012
platform-api 3.3.2008 3.3.2012
platform-ui 3.3.2008 3.3.2012
secret-watcher 3.3.2001 3.3.2012
security-onboarding 3.3.2008 3.3.2012

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2008 fix pack

This 3.2.1.2008 fix pack includes all fixes from the 3.2.2.2008 fix pack that do not depend on the updated Kubernetes version of the 3.2.2.2008 fix pack. The 3.2.1.2008 fix pack is intended for environments that stay on Kubernetes version 1.13.12. If you apply the 3.2.2.2008 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2008 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2008 fix pack instead of this 3.2.1.2008 fix pack.

Review the following tables, which list the fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.1.2008

Table: Fixed problems in fix pack 3.2.1.2008
Issue Category Description
39229 Calico Calico is upgraded to version 3.8.9 to address a security vulnerability.
40048 Kubernetes This fix updates the Kubernetes ingress-nginx to address a security vulnerability related to ingress-nginx.
31863, 34244, 35166, 35312, 35476, 37301, 37619, 38548, 39076, 39222, 40036 Logging This fix pack includes the following fixes:
- Elastic Stack components (Logstash, Filebeat, Elasticsearch, Kibana) are upgraded from version 6.6.1 to version 6.8.10 to address security vulnerabilities.
- The logstash-input-beats plug-in is upgraded to version 6.0.11.
38874 Metering This fix updates Lodash version to version 4.17.19 to address security vulnerabilities.
40270 Platform-API This fix updates platform-api to fix crashes with "fatal error: concurrent map read and map write".
35815 Security - Identity and Access Management (IAM) This fix pack includes fixes to resolve security-related vulnerabilities.
Table: Fixed security vulnerabilities in fix pack 3.2.1.2008
Issue CVE-ID Description
31863 CVE-2019-1547 OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation.
31863 CVE-2019-1549 OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information.
35166, 35312 CVE-2019-1551 OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
31863 CVE-2019-1563 OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information.
35476 CVE-2020-7238 Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
34244 CVE-2019-7620 Elastic Logstash is vulnerable to a denial of service, caused by a flaw in the Beats input plugin. By sending a specially-crafted network packet, a remote attacker could exploit this vulnerability to cause the application to stop responding. Upgrade to the latest version of Logstash (6.8.4, 7.4.1 or later), available from the Elastic Web site.
37619 CVE-2019-11612 The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
35851 CVE-2019-15604 Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort.
35851 CVE-2019-15605 Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
35851 CVE-2019-15606 Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons.
38548 CVE-2020-7012 Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the Upgrade Assistant. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system.
38548 CVE-2020-7013 Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in TSVB. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system.
38548 CVE-2020-7015 Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in TSVB visualization. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
39076 CVE-2020-7614 Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a race condition in the response headers. By sending specially-crafted requests, an attacker could exploit this vulnerability to obtain sensitive information of another user from the response header.
37996 CVE-2020-7921 MongoDB Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper serialization of internal state in the authorization subsystem. An attacker could exploit this vulnerability to bypass IP whitelisting protection.
38874 CVE-2020-8203 Fixed for the Metering component only. Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
40048 CVE-2020-8553 Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file.
38544 CVE-2020-13401 Docker CE is vulnerable to a man-in-the-middle attack, caused by improper validation of router advertisements. By sending rogue router advertisements, an attacker could exploit this vulnerability using man-in-the-middle techniques to gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
39229 CVE-2020-13597 Clusters using Calico (version 3.14.0 and earlier), Calico Enterprise (version 2.8.2 and earlier), can be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege can reconfigure the node's IPv6 interface due to the node accepting route advertisement by default. This vulnerability allows an attacker to redirect full or partial network traffic from the node to the compromised pod.
39222 CVE-2020-14422 Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

The 3.2.1.2008 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.

Updated images in 3.2.1.2008

Table: Updated images in fix pack 3.2.1.2008
Image Previous version New version
calico-cni v3.5.2.1 v3.8.9
calico-ctl v3.5.2.1 v3.8.9
calico-kube-controllers v3.5.2.1 v3.8.9
calico-node v3.5.2.1 v3.8.9
curl 4.2.0-f4 4.2.0-build.6
default-http-backend 1.5.2 1.5.5
iam-policy-administration 3.2.1.2006 3.2.1.2008
icp-identity-manager 3.2.1.2006 3.2.1.2008
icp-identity-provider 3.2.1.2006 3.2.1.2008
icp-initcontainer 1.0.0-f4 1.0.0-build.6
icp-mongodb 4.0.12 4.0.16.2008
icp-mongodb-exporter 3.2.1 3.4.0.2008
icp-mongodb-install 3.2.1 3.4.0.2008
icp-platform-api 3.2.1.2006 3.2.1.2008
icp-platform-auth 3.2.1.2008 3.2.1.2008
indices-cleaner 1.2.0 1.3.0-build.1
logging-pki-init 2.3.0 2.3.0-build.3
metering-data-manager 3.2.1.2006 3.2.1.2008
metering-mcmui 3.2.1.2006 3.2.1.2008
metering-ui 3.2.1.2006 3.2.1.2008
nginx-ingress-controller 0.23.1.1911 0.23.7

Updated charts in 3.2.1.2008

Table: Updated charts in fix pack 3.2.1.2008
Chart Previous version New version
auth-idp 3.3.2006 3.3.2008
auth-pap 3.3.2006 3.3.2008
auth-pdp 3.3.2006 3.3.2008
calico 3.3.0 3.8.9
ibm-calico-route-reflector 3.3.0 3.8.9
ibm-custom-metrics-adapter 3.3.2003 3.3.2008
ibm-icplogging 2.4.1910 3.2.1
ibm-icpmonitoring 1.6.1910 1.6.12008
icp-mongodb 3.3.0 3.3.2008
icp-nginx-ingress 3.3.1911 3.3.2008
knative 3.3.1911 3.3.2008
metering 3.3.2006 3.3.2008
mutation-advisor 3.3.2003 3.3.2008
platform-api 3.3.2006 3.3.2008

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2006 fix pack

This 3.2.1.2006 fix pack includes all fixes from the 3.2.2.2006 fix pack that do not depend on the updated Kubernetes version. The 3.2.1.2006 fix pack is intended for environments that stay on Kubernetes version 1.13.12. If you apply the 3.2.2.2006 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2006 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2006 fix pack instead of this 3.2.1.2006 fix pack.

Review the following tables, which list the fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:

Fixed problems in 3.2.1.2006

Table: Fixed problems in fix pack 3.2.1.2006
Issue Category Description
35851, 36565 Catalog-UI This fix updates Node.js to resolve security-related vulnerabilities.
36566 Helm API & Helm Repo This fix updates the Node.js version to resolve security-related vulnerabilities.
35721, 35935, 38934 Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue with the GET userinfo API in platform-identity-provider is resolved. This issue caused intermittent failures with Helm upgrade and delete commands.
- The LDAP recursiveSearch config variable is now configurable. The value can be switched between true and false as required when the LDAP user login process is too slow because of nested user groups.
- WebSphere Liberty is upgraded to version 20.0.0.5.
- The IBM JDK is upgraded to version 1.8.0_sr6fp10.
- Fixes to resolve security-related vulnerabilities.
38934 Policy Decision Point (PDP) This fix improves the performance of the PDP service and resolves an issue that caused a container restart due to a memory leak error.
35928, 38647 Metering This fix updates the Node.js version to address security-related vulnerabilities.
35928, 38647 Multicluster-Endpoint This fix updates the metering image version to version 3.2.2.2006.
32149, 32151, 34859, 35454, 35527, 35877, 35879, 36030, 36233, 36587, 36817, 37648, 37844, 37846, 37944 Security - Identity and Access Management (IAM) This fix pack includes the following fixes:
- An issue that caused a CrashLoopBackOff error for the auth-pap pod is resolved.
- WebSphere Liberty is upgraded to version 20.0.0.5.
- The IBM JDK is upgraded to version 1.8.0_sr6fp10.
- Fixes to resolve security-related vulnerabilities.
Table: Fixed security vulnerabilities in fix pack 3.2.1.2006
Issue CVE-ID Description
38572, 38573 CVE-2018-1002102 Kubernetes API server could allow a remote authenticated attacker to conduct phishing attacks, caused by an improper validation of URL redirection. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
34823, 34859 CVE-2019-1551 OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
31863, 32149 CVE-2019-1547 OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the co-factor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation.
31863, 32149 CVE-2019-1549 OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information.
31863, 32149 CVE-2019-1563 OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information.
31866, 32151 CVE-2019-5481 cURL libcurl is vulnerable to a denial of service, caused by a double free flaw during kerberos FTP data transfer. By sending a specially-crafted size of data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
31866 CVE-2019-5482 cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending a specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system.
32678, 23646 CVE-2019-9947 Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
32678, 23646 CVE-2019-9948 Python could allow a remote attacker to bypass security restrictions, caused by improper input validation by urllib. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass the blacklist file: URIs protection mechanisms.
35851, 35928, 35952, 35953, 36565, 36566 CVE-2019-15604 Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort.
35851, 35928, 35952, 35953, 36565, 36566 CVE-2019-15605 Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
35851, 35928, 35952, 35953, 36565, 36566 CVE-2019-15606 Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons.
32777, 32933 CVE-2019-16935 Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
36569, 36587 CVE-2019-17573 Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
37835, 37846 CVE-2020-2754 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835, 37846 CVE-2020-2755 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835, 37846 CVE-2020-2756 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835, 37846 CVE-2020-2757 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835, 37846 CVE-2020-2781 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
37835, 37846 CVE-2020-2800 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
37835, 37846 CVE-2020-2803 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
37835, 37846 CVE-2020-2805 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
37835, 37846 CVE-2020-2830 Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
36802, 36817 CVE-2020-4303 IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
36802, 36817 CVE-2020-4304 IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
37620, 37648 CVE-2020-4329 IBM WebSphere Application Server could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks.
37833, 37844 CVE-2020-4421 IBM WebSphere Application Server Liberty could allow an authenticated user using openidconnect to spoof another user's identity.
38545, 38647, 38649, 38650 CVE-2020-8172 Node.js could allow a remote attacker to bypass security restrictions. The 'session' event could be emitted before the 'secureConnect' event and possibly allow for the reuse of the TLS session. An attacker could exploit this vulnerability to bypass host certificate verification and gain access to the system.
38545, 38647, 38649, 38650 CVE-2020-8174 Node.js is vulnerable to a buffer overflow, caused by multiple memory corruptions in the napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() functions. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
38545, 38647, 38649, 38650 CVE-2020-10531 International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
38545, 38647, 38649, 38650 CVE-2020-11080 Node.js is vulnerable to a denial of service, caused by an error in handling HTTP/2 SETTINGS frames, which are limited to 32 settings per session by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources.

Updated images in 3.2.1.2006

Table: Updated images in fix pack 3.2.1.2006
Image Previous version New version
iam-policy-administration 3.2.1.2003 3.2.1.2006
iam-policy-decision 3.2.1.2001 3.2.1.2006
icp-iam-onboarding 3.2.1 3.2.1.2006
icp-catalog-ui 3.2.1.2001 3.2.1.2006
icp-helm-api 3.2.1.2001 3.2.1.2006
icp-helm-repo 3.2.1.1911 3.2.1.2006
icp-identity-manager 3.2.1.2003 3.2.1.2006
icp-identity-provider 3.2.1.2003 3.2.1.2006
icp-platform-auth 3.2.1.2003 3.2.1.2006
icp-platform-header 3.2.1.2003 3.2.1.2006
icp-platform-ui 3.2.1.2003 3.2.1.2006
metering-data-manager 3.2.1.2001 3.2.1.2006
metering-mcmui 3.2.1.1911 3.2.1.2006
metering-ui 3.2.1.1911 3.2.1.2006

Updated charts in 3.2.1.2006

Table: Updated charts in fix pack 3.2.1.2006
Chart Previous version New version
auth-idp 3.3.2003 3.3.2006
auth-pap 3.3.2003 3.3.2006
auth-pdp 3.3.2003 3.3.2006
helm-api 3.3.2001 3.3.2006
helm-repo 3.3.1911 3.3.2006
icp-catalog-chart 3.3.2001 3.3.2006
metering 3.3.2001 3.3.2006
mgmt-repo 3.3.1911 3.3.2006
platform-ui 3.3.2003 3.3.2006
security-onboarding 3.3.2003 3.3.2006

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2003 fix pack

Review the list of fixed problems to see whether your reported problem was fixed in this fix pack:

Fixed problems in 3.2.1.2003

Table: Fixed problems in fix pack 3.2.1.2003
Issue Category Description
32959 Custom metrics adapter This fix updates the Go programming language version to version 1.12.12.
34434 Installer This fix resolves an issue that caused any customization of OpenID Connect (OIDC) to be overwritten when applying a fix pack.
32959 Metrics server This fix updates the Go programming language version to version 1.12.17.
32959 MinIO storage This fix updates the Go programming language version to version 1.12.17.
35939 Mutation Advisor This fix updates MinIO to version RELEASE.2019-04-09T01-22-30Z.2003, and updates the MinIO client (mc) to version RELEASE.2019-04-03T17-59-57Z.2003.
32705, 34691, 36538 Platform UI This fix pack includes the following fixes:
- The console Overview page is updated to display all resources and associated values.
- The Nodes page and Configmaps page are updated to reduce load times.
1334 Policy Administration Point (PAP) This fix resolves an issue that caused a CreateContainerError with icp-mongodb pods by reusing a single mongodb connection for policy APIs in the Policy Administration Point (PAP).
35527, 35879, 36030, 36233, 36345 Security-IAM This fix pack includes the following fixes:
- WebSphere Application Server Liberty is upgraded to version 20.0.0.2.
- The IDTOKEN_LIFETIME parameter format is updated to support minutes and seconds.
- The IBM SDK, Java Technology Edition Quarterly CPU is updated to the January 2020 version.
35939 Vulnerability Advisor This fix updates the sas-base and ma-file-annotator image version to version 3.2.0.2003 to remediate a nodejs security vulnerability.
Table: Fixed security vulnerabilities in fix pack 3.2.1.2003
Issue CVE-ID Description
36345 CVE-2019-4732 IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking vulnerability in the Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618.
34260 CVE-2019-16276 Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
35836, 36345 CVE-2020-2583 An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
35836, 36345 CVE-2020-2593 An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
35836, 36345 CVE-2020-2604 An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to take control of the system.
35836, 36345 CVE-2020-2659 An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.

Reported problems that are fixed in the IBM Cloud Private 3.2.1.2001 fix pack

Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.

Fixed problems in 3.2.1.2001

Table: Fixed problems in fix pack 3.2.1.2001
Issue Category Description
34557 Catalog-UI This fix updates the instance details page to correct overlapping text and notifications.
32710, 32899, 34614 Certificate Management - cert-manager, cert-manager-webhook, cert-manager-cainjector This fix updates the Go programming language version to version 1.13.2.
34557, 34784 Helm-API This fix resolves an issue that caused the helm-api container to crash when Helm repositories failed to synchronize.
34484 Helm Releases and Search This fix resolves an issue that caused the Helm release status to incorrectly show "superseded".
902, 34916 Helm-CRD-Admission-Controller This fix resolves an issue that caused the permissions check for the cluster administrator role to fail.
32959 IBM Cloud Private registry This fix updates icp-registry version 2.6.2.5.2001 to upgrade the Go programming language version to version 1.12.3.
32900 IBM Multicloud Manager This fix updates the Go programming language version to version 1.12.14 for the icp-findings-adapter image.
33042, 34916 Identity and Access Management (IAM) - platform-auth-service, platform-oidc ingress This fix updates HTTP request headers to prevent a CORS vulnerability.
32959 Image enforcement This fix updates image-enforcement version 0.2.2.2001 to upgrade the Go programming language version to version 1.12.3.
32959 Image manager This fix updates image-manager version 2.2.6.2001 to upgrade the Go programming language version to version 1.12.3.
34319, 34782 Install This fix pack includes the following fixes:
- An issue is resolved that prevented users from running the addon command when they set hostname as kubelet_nodename within the config.yaml file.
- The install process is updated to complete actions on the MongoDB admin secrets when users upgrade IBM Cloud Private to version 3.2.1.2001 or roll back to 3.1.1.
35287 Istio This fix updates the cert-manager-controller image version to version 0.7.0.1-f2001.
34461 Metering This fix resolves an issue that caused the metering reader to crash when the productID annotation for the workload exists but the productName or productVersion annotations are missing.
30907, 34660 Multicluster-Endpoint This fix pack includes the following fixes:
- The CPU consumption of the klusterlet-component-operator is reduced by reducing the frequency of reconciliations with the operator.
- The Tiller image is updated to version 3.2.1.1911.
- The metering images are updated to version 3.2.1.1911.
30907, 34204, 34660, 34735 Platform-API This fix pack includes the following fixes:
- The default multicluster-endpoint version is updated to version 3.2.1.2001.
- The management console is updated to prevent IP addresses from being disclosed on the Install CLI tools page.
34227 Platform Header This fix updates the management console to redirect users to the Login page when a session expires.
33797, 33912 Platform UI This fix pack includes the following fixes:
- The namespace dropdown for all namespaced resource pages is now searchable.
- The namespace dropdown now defaults to the first namespace within the list, rather than All Namespaces.
- Performance improvements are added to the deployments page to decrease loading times when many namespaces are present.
- A DISABLE_LAUNCH_LINKS environment variable can now be added to the platform-ui daemonset to disable launch links on the overview deployments page to further decrease loading times.
34406 Policy governance, risk and compliance This fix updates Lodash version to version 4.17.15 to address a denial of service vulnerability.
34307, 34916 Security-IAM This fix pack includes the following fixes:
- The Go programming language version is updated to version 1.13.4.
- WebSphere Liberty is upgraded to version 19.0.0.12.
28994 Service discovery (kube-dns) This fix removes hostname rewrite in kube-dns configmap to prevent issues with OpenID Connect (OIDC) onboarding.
Table: Fixed security vulnerabilities in fix pack 3.2.1.2001
Issue CVE-ID Description
34916 CVE-2019-4663 IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245.
34391, 34406 CVE-2019-10744 Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
32781 CVE-2019-11253 Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.
32710, 32900, 32959 CVE-2019-16276 Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
34307, 34614, 34657 CVE-2019-17596 Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
34391, 34406 CVE-2019-1010266 lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Reported problems that are fixed in the IBM Cloud Private 3.2.1.1911 fix pack

Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.

Fixed problems in 3.2.1.1911

Table: Fixed problems in fix pack 3.2.1.1911
Issue Category Description
33385, 33475 Audit logging This fix updates the audit logging service so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool, such as QRadar and Splunk, on Red Hat OpenShift Container Platform.
32708, 33736 Catalog-UI This fix pack includes the following fixes:
- The packaged Lodash is updated from version 4.17.5 to version 4.17.12.
- The Catalog is updated to display the service broker service plan picker icon.
33420, 34132 etcd This fix corrects an issue where etcd fails to run as the etcd user with the ID 2375 when that user already exists on hosts.
28870, 32707, 32838 Helm-Tiller (helm-repo, mgmt-repo, helm-api, and rudder) This fix pack includes the following fixes:
- The Go programming language version is updated to version 1.12.11.
- The packaged Lodash is updated from version 4.17.5 to a version that is greater than 4.17.12.
- An issue is resolved for the audit service when SELinux enforcement is enabled. The issue caused the audit container to lack the privileges for sending and rotating audit logs. With this fix, the audit sidecar service can run in an environment where SELinux enforcement is enabled.
28870, 32707, 32838 Helm-Tiller (tiller) This fix updates the Go programming language version to version 1.12.1.
32956, 33082 IBM Multicloud Manager This fix pack includes the following fixes:
- The Kubernetes CLI (kubectl) image version is updated to version 1.13.11.
- The Go programming language version for the IBM Multicloud Manager API is updated to version 1.12.10.
32688, 32875, 32940, 33363, 33389 Identity and Access Management (IAM) This fix pack includes the following fixes:
- Support is added for enabling and disabling SAML without requiring WebSphere Liberty to be restarted.
- WebSphere Liberty is upgraded to version 19.0.0.11.
- An issue is fixed that caused nil values during authorization to be handled improperly.
- An issue is fixed that caused the at_hash field for the identity token that is generated by the platform-identity-provider to not conform to OpenID specifications.
- An issue is fixed that caused a problem with configuring an LDAP connection for Red Hat LDAP and Oracle LDAP.
33385 Install This fix removes an obsolete port check for port 8443.
34175 Istio This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911.
171, 32710, 32950 Key Management Service (KMS) This fix updates the Go programming language version to version 1.13.1.
419, 32710, 32950 Key Management Service (KMS) plug-in This fix updates the Go programming language version to version 1.13.1.
34186 Knative This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911.
32862 Kubernetes This fix resolves an issue for high availability (HA) that caused a pod to still be in the Running state even when the Docker service was stopped on the master node. As part of this fix, a readiness probe is added for the kube-dns DaemonSet and additional default toleration.
33422 Metering This fix updates the packaged Lodash version to a version greater than 4.17.12.
34181 Mutation advisor The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool.
419, 32710 Notary service This fix updates the Go programming language version to version 1.13.1.
33331, 33388 Platform-API This fix pack includes the following fixes:
- The packaged Kubernetes CLI (kubectl) is updated from version 1.13.9 to version 1.13.11.
- The Swagger UI is updated to version 3.24.0.
32355, 32463, 32711, 32771, 33424 Platform UI This fix pack includes the following fixes:
- The kubectl version is updated to version 1.13.11.
- The packaged Lodash is updated to version 4.17.12.
- The platform UI is updated to not delete service IDs from a team when a new user is added.
- The management console is updated to display an error message when an error occurs during the deletion of a service ID that is associated with a team.
34179 Policy administration point The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool.
34185 Search This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911.
32953 System healthcheck service This fix updates the Go programming language version to version 1.13.2.
33080 Visual Web Terminal This fix pack includes the following fixes:
- The packaged Kubernetes CLI (kubectl) is updated to version 1.13.11.
- A bug is fixed that prevented users from using various Helm commands in Visual Web-terminal.
34176, 34183 Vulnerability Advisor This fix pack includes the following fixes:
- The Kubernetes CLI (kubectl) image version is updated to version 1.13.11.
- The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool.
32904 Web-terminal This fix removes the tar command for security-related reasons.
Table: Fixed security vulnerabilities in fix pack 3.2.1.1911
Issue CVE-ID Description
32147, 32379 CVE-2019-16843 Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
32147, 32379 CVE-2019-16844 Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
31863, 32147, 32379 CVE-2019-1547 Fixed for the NGINX ingress component only. Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
31863, 32147, 32379 CVE-2019-1549 Fixed for the NGINX ingress component only. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
31863, 32147, 32379 CVE-2019-1563 Fixed for the NGINX ingress component only. In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
32602, 32940 CVE-2019-4304 IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.
32607, 32940 CVE-2019-4305 IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.
32608, 32940 CVE-2019-4441 IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
32379 CVE-2019-9511 Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
32979, 33389 CVE-2019-9512 Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
32379, 32979, 33389 CVE-2019-9513 Fixed for the NGINX ingress component and icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
32979, 33389 CVE-2019-9514 Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
32979, 33389 CVE-2019-9515 Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
32379 CVE-2019-9516 Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
32979, 33389 CVE-2019-9517 Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
32979, 33389 CVE-2019-9518 Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
32589, 32707, 32708, 32711, 33422, 33424, 33736 CVE-2019-10744 Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
32771, 32839, 33080, 33082, 33331 CVE-2019-11251 Kubernetes could allow a remote attacker to gain unauthorized access to the system, caused by an error in kubectl cp that allows a combination of two symlinks to copy a file outside of its destination directory. An attacker could exploit this vulnerability to write arbitrary files outside of the destination tree.
32710, 32838, 32950, 32952, 32953, 32956 CVE-2019-16276 Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
32975, 33388 CVE-2019-17495 A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that

Reported problems that are fixed in the IBM Cloud Private 3.2.1.1910 fix pack

Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.

Fixed problems in 3.2.1.1910

Table: Fixed problems in fix pack 3.2.1.1910
Issue Category Description
32779 Certificate management The duration for the default Root CA certificate is changed from 3650 days to 824 days to support changes to the trusted certificate requirements for macOS 10.15.
32273 Cluster management This fix updates the management console to fix a bug on the Clusters page. This bug caused the table on the Nodes tab for a cluster to display the nodes for all imported clusters instead of the nodes for only the selected cluster.
32108 Docker This fix corrects a Docker installation issue that prevented Docker from installing on Linux x86_64 hosts.
31070, 32051, 32836, 32837 Identity and Access Management (IAM) This fix pack includes the following fixes:
- Support is added for the use of the underscore _ character in the LDAP server URL for authenticating LDAP.
- An issue is fixed that caused the state parameter to be missing from callback URLs during OpenID Connect (OIDC) authentication.
- A login issue is fixed that occurred when the team namespace resource is added without the scope field.
- The Go programming language version is updated to version 1.12.10 to fix a publicly disclosed vulnerability.
31107, 31655, 31763 Management console This fix pack includes the following fixes:
- The management console is updated to avoid frequent reloads of the Teams page to request authorization of the user before the user can access the page again.
- An error is corrected that caused the Overview page in the management console to have blank or missing resource overview cards when data is missing.
32425 Multicluster management endpoint This fix pack includes the following fixes:
- A bug is fixed that prevented clusters with a user deployed Tiller in the kube-system namespace from being successfully imported.
- A bug is fixed that caused an ImagePullBackoff error for the Prometheus pod in the multicluster-endpoint namespace.
- A bug is fixed that caused the service account to be continuously appended to the Users section of the privileged SecurityContextConstraint. This behavior caused the privileged SecurityContextConstraint to exceed the ETCD data size limit.
28889 Platform-API This fix pack includes the following fixes:
- The Docker Hub registry is set as the default registry for the Klusterlet self-destruct work.
- A background thread runs that waits until resources are available before starting the auto-import process to prevent the process from starting prematurely.
- A bug is fixed for the cloudctl mc cluster import operation that caused --kube-host to be applied incorrectly.
- A bug is fixed for the cloudctl mc cluster delete operation that caused resources to be deleted in the wrong order, which then required clusters to be manually deleted.
Table: Fixed security vulnerabilities in fix pack 3.2.1.1910
Issue CVE-ID Description
32147 CVE-2019-1547 Opens in a new tab Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases, it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used, then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
32147 CVE-2019-1549 Opens in a new tab OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
32147 CVE-2019-1563 Opens in a new tab In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
19587
31145
CVE-2019-9512 Opens in a new tab Fixed for Heketi only.
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
19587
31145
CVE-2019-9514 Opens in a new tab Fixed for Heketi only.
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
32681 CVE-2019-9947 Opens in a new tab Fixed for the icp-storage-util image only.
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
32681 CVE-2019-9948 Fixed for the icp-storage-util image only. urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
31724 CVE-2019-11250 The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.
19587 31145 CVE-2018-14647 Fixed for the icp-storage-util image only. Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.
19587 31145 CVE-2019-14809 Fixed for Heketi only. net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
32837 CVE-2019-16276 Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

Reported problems that are fixed in IBM Cloud Private 3.2.1

Review the list of fixed problems to see whether your reported problem was fixed in this release.

Table: Fixed problems
Issue Description
21259 How to deploy a Helm release without manually changing the image repository
21733 Web terminal does not work
25482 IBM Cloud Private - web terminal issue
21187 Installer does not upload the password rule of default admin into ICP API service
23733 Worker nodes still displayed via cloudctl command after removing them
21703 CF 3.1.2 Offline Install Failing: Unable to Find Image cfp-config-manager-3.1.2-024
21044 Client needs a patch or steps to update TLS 1.2 for port 443 (ingress)
19766 Low SSL vulnerabilities still showing after upgrading from 2.1.0.3 to 3.1
23949 The server version - openresty/1.13.6.2 was disclosed in the HTTP server response header.
19088 vulnerability is 42873 - SSL Medium Strength Cipher Suites Supported
17024 Kibana service is in red status: config: Error 503 Service Unavailable
24087 Internal Server Error when attempt to view audit log on Kibana using a user who has Auditor role
23975 Auditor user can see application logs in Kibana discover
20773 cluster domain name starting with svc is breaking mongodb install
24305 Grafana direct rendering: Error templating init failed: Unauthorized
22673 ICP Mongodb in PodInitializing state
20292 Audit Log volume or rate is causing ELK to become unstable - Customer would like ingestion of Audit Logs to be disabled
18073 Installing Core service: Mongodb patch for IBM Cloud Private version 2.1.0.3 clusters breaks helm-api
22130 monitoring-prometheus fails to start with an error - Opening storage failed lock DB directory: resource temporarily unavailable
23037 There is no authority control in logging and monitoring when switched to them from the ICP console.
18989 cloudctl load chart fails from time to time
19475 EVRY: ICP 311: a user which is restricted to a given namespace cannot run helm
23061 Helm chart/repo resources rights
25319 How to restore local repo
21408 ibm-mariadb-dev helm chart broken for PPC platform on 3.1.1
20582 Issues to apply some ICP 3.1.1 fixes
24890 skip_pre_check does not actually skip the cluster_CA_domain check
21841 310->312 Load balancer address should be the same as the cluster CA domain
21832 pre-check the cluster status before upgrading
24067 Upgrade to 3.1.2 mandates matching cluster_CA_domain and cluster_lb_address
22726 The istio-proxy container shows exec format error on Power system
23507 Compliance UI shows a completely blank window
23266 MCM 3.1.2. MongoDB pod memory consumption
24297 Customer needs to restrict the source IP addresses which can access ICP
22811 CVE-2019-1002100
18941 Detail steps to backup/restore on ICP CNE 3.1.x
23586 Error messages about mariadb occurred repeatedly Error: 105: Key already exists (/mariadb_lock)
19029 EVRY:High CPU use on Masters in multi-master ICP 311
21858 ICP 2.1.0.3 - Failed to activate interim fix: icp-2.1.0.3-build502221
23721 ICP 3.1.1 - Garbage collection failing
20719 Need a patch icp-2.1.0.3-build510945 applicable to amd64 platform
23672 Reference authority of Docker image from dashboard
21368 Unisys 2.1.0.3 Deployments Maxing out Workers, Nodes go Unhealthy
14141 Update ICP 2.1.0.3 to include a critical Kubernetes fix available in v1.10.5
25394 /var/lib/calico/nodename should be removed when removing a node
23438 ICP4D: Failed install of ICP for Data v1.2.1 on RHEL7.5 VM (Softlayer).
23645 Cannot add additional resources to team / losing previously added ones too
21856 Container overview page is NOT available in ICP 3.1.2
23772 Deployments - CREATED column is not accurate, or totally wrong
21076 EVRY:ICP 311 selected items are unselected at Edit
21722 Fresh 3.1.1 install - services are assigned master VIP instead of proxy VIP
20586 HA cluster: Inconsistency in the pod status - running or terminating
23253 ICP Web Console Deployments sorting (Created Date) does not work correctly
19933 LDAP password in plain text in browser UI in ICP 2.1.0.2
19562 LDAP User search UI not in sync with backend response
14225 The popup window is too small to show LDAP string while creating a team
23763 Usability issue on creating a team page
20867 Adding LDAPS connection crashes platform-identity-mgmt container
24999 Console Login Failing with 400 Bad Request, MariaDB ERROR 1210 (HY000) at line 1: WSREP (galera) not started
21567 ICP 3.1.1 auth-idp pod keeps restarting
21396 In Group a User appears 2 times
11994 Inconsistent/erroneous behavior configuring LDAP for ICP
23530 Issue for fix Denied (LDAP user not recognized as cluster admin)
20463 LDAPS - incorrect user - error code 49
19930 Logging in 10-20 times in a row with cloudctl login successful only 2 or 3 times
21331 Login via bx pr not working consistently from Jenkins pipeline
22261 OIDC errors for post-installed products (TA / MC / CAM) when SAML is enabled
21897 OIDC onboarding for workloads
22980 Request fix to change port 8443 / TCP over SSL to TLSv1.2
21555 Unable to log in with LDAP but can add users with no problem
22583 Web interface unresponsive when navigating to a team
24112 MCM 3.1.2. Grafana dashboard does not reflect changes if a component of the Application is moved to other cluster
23954 New Rule function in Manage Whitelist for Mutation Advisor is vulnerable to stored cross-site scripting (XSS).
25439 ICP 3.1.0 - VA Behavior in case of unsupported images
18542 Vulnerability Advisor - IP instead of the cluster name in the console
18940 CAM performance and HA