Fixed reported problems
Review the list of fixed problems to see whether your reported problem was fixed in the release or within a fix pack.
There are two fix pack versions available, 3.2.1.x fix packs and 3.2.2.x fix packs.
- The 3.2.1.x fix packs are intended for environments that include Kubernetes version 1.13.12.
- The 3.2.2.x fix packs include fixes to upgrade the supported version of Kubernetes. The fixes that are included within these 3.2.2.x fix packs include all fixes that are included within the equivalent 3.2.1.x fix pack, except for Kubernetes specific fixes.
If you apply a 3.2.2.x fix pack, do not apply an equivalent 3.2.1.x fix pack.
The latest 3.2.1.x fix pack is 3.2.1.2203. The latest 3.2.2.x fix pack is 3.2.2.2203 and upgrades Kubernetes to version 1.19.3.
The changes for fixed problems are included within the following fix packs and releases:
- IBM Cloud Private 3.2.2.2203 fix pack
- IBM Cloud Private 3.2.2.2105 fix pack
- IBM Cloud Private 3.2.2.2012 fix pack
- IBM Cloud Private 3.2.2.2008 fix pack
- IBM Cloud Private 3.2.2.2006 fix pack
- IBM Cloud Private 3.2.1.2203 fix pack
- IBM Cloud Private 3.2.1.2105 fix pack
- IBM Cloud Private 3.2.1.2012 fix pack
- IBM Cloud Private 3.2.1.2008 fix pack
- IBM Cloud Private 3.2.1.2006 fix pack
- IBM Cloud Private 3.2.1.2003 fix pack
- IBM Cloud Private 3.2.1.2001 fix pack
- IBM Cloud Private 3.2.1.1911 fix pack
- IBM Cloud Private 3.2.1.1910 fix pack
- IBM Cloud Private 3.2.1
For more information about how to apply fixes to your cluster, see Applying fix packs to your cluster.
Note: If you want to apply, or upgrade to, a 3.2.2.x fix pack, you must first install or upgrade to the 3.2.1.2003 or newer 3.2.1.x fix pack. After you apply the 3.2.1.2003 or newer 3.2.1.x fix pack version, you can repeat the same steps and apply the 3.2.2.2006 or 3.2.2.2008 fix pack to upgrade Kubernetes to version 1.16.7. To download and upgrade to the 3.2.2.2203 fix pack from the 3.2.2.2008 or 3.2.2.2006 fix pack, follow the procedure for upgrading to IBM Cloud Private 3.2.1, but use the package and commands for upgrading to 3.2.2.2203. For more information, see Upgrading.
Reported problems that are fixed in the IBM Cloud Private 3.2.2.2203 fix pack
This 3.2.2.2203 fix pack includes all fixes that are included within the 3.2.1.2203 fix pack, except for the fixes that are specific to the Kubernetes version, because the 3.2.2.2203 fix pack updates the supported version of Kubernetes. The 3.2.1.2203 fix pack is intended for applying fixes to environments that use Kubernetes version 1.13.12. If you apply the 3.2.2.2203 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2203 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2203 fix pack instead of the 3.2.1.2203 fix pack.
Review the following tables, which list the fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.2.2203
Category | Description |
---|---|
Installer | This fix pack includes the following fixes: - Uplift Python version to Python 3 - Remove nfnetlink library check in cluster nodes - Update base images and Go versions to address security-related vulnerabilities |
Audit Logging | This fix pack includes the following fixes: - Update base image and Go versions to address security-related vulnerabilities |
Catalog UI | This fix pack includes the following fixes: - Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities - Fix for a rare bug where the green loading icon spins endlessly and Helm releases do not display properly because of request queue problems |
Certificate Management | This fix pack includes the following fix: - Update Go version (1.17.5) to resolve security-related vulnerabilities |
GlusterFS | This fix pack includes the following fixes: - Update curl version to address security-related vulnerabilities - Update OpenSSH to address security-related vulnerabilities |
Helm API | This fix pack includes the following fixes: - Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities - Update Rudder image Go version from 1.14.14 to 1.17.7 for security-related vulnerabilities |
Helm Repo | This fix pack includes the following fixes: - Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities |
Image Manager and ICP Registry | This fix pack includes the following fixes: - Update Go version to address security-related vulnerabilities - Update OpenSSL to address security-related vulnerabilities |
Ingress | This fix pack includes the following fixes: - Update nginx base image, uplift openSSL version, update Go version |
Istio | This fix pack includes the following fixes: - Update Go version to address security-related vulnerabilities - Update version of sudo used to address security-related vulnerabilities |
Kubernetes | This fix pack includes the following fixes: - Update Go version to 1.17.8 to address security-related vulnerabilities - Apply changes from the community to address CVE-2021-25737 and CVE-2021-25741 - Fix the slow master switchover in the etcd VIP manager in an HA environment by immediately broadcasting the switchover to all nodes, which reduces the time needed for the ARP cache update |
Kube-dns | This fix pack includes the following fixes: - Update CoreDNS image from 1.7.0 to 1.9.1 to resolve Go-related security vulnerabilities - Community changelog: https://github.com/coredns/coredns/blob/master/notes/coredns-1.9.1.md |
Logging | This fix pack includes the following fixes: - Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities - Update pki-init's OpenSSL version to address security-related vulnerabilities - Update Elasticsearch's version of curl to address security-related vulnerabilities |
MinIO | This fix pack includes the following fixes: - Update Go version from 1.15 to 1.17.8 to address security-related vulnerabilities - Update MinIO version from RELEASE.2019-04-09T01-22-30Z to RELEASE.2022-01-08T03-11-54Z - Update MinIO client version from RELEASE.2019-04-03T17-59-57Z to RELEASE.2022-01-07T06-01-38Z - Update MinIO client Go version from 1.12 to 1.17.8 to address security-related vulnerabilities |
Metering | This fix pack includes the following fixes: - Update the Node.js and base image versions to address security-related vulnerabilities - Fix to allow the data manager purger to process data in chunks rather than on a single cursor |
Metrics Server | This fix pack includes the following fixes: - Update metrics server from v0.3.4 to v0.6.0 to resolve Go-related security vulnerabilities - Community changelog version v0.3.z to v0.4.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.4.0 - Community changelog version v0.4.5 to v0.5.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.0 - Community changelog version v0.5.0 to v0.6.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.0 |
Monitoring | This fix pack includes the following fixes: - Update base image and Go versions to address security-related vulnerabilities |
Mutation Advisor | This fix pack includes the following fixes: - Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities - Update pki-init's OpenSSL version to address security-related vulnerabilities - Update Elasticsearch's version of curl to address security-related vulnerabilities |
Platform API | This fix pack includes the following fix: - Update Go version (1.17.5) to resolve security-related vulnerabilities |
Platform UI | This fix pack includes the following fixes: - Update the Node.js and base image versions to address security-related vulnerabilities |
Security IAM | This fix pack includes the following fixes: - Update base image, Go versions, liberty versions, and node versions to address security-related vulnerabilities |
Fixed security-related vulnerabilities in 3.2.2.2203
CVE-ID | Description |
---|---|
CVE-2018-16843 | nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive memory consumption. |
CVE-2018-16844 | nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive CPU consumption. |
CVE-2018-16845 | nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or obtain sensitive information from worker process memory. |
CVE-2019-20372 | NGINX could allow a remote attacker to obtain sensitive information, caused by a flaw in certain error_page configurations. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
CVE-2019-7401 | NGINX Unit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the router process. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the router process to crash. |
CVE-2020-28491 | FasterXML jackson-dataformats-binary is vulnerable to a denial of service, caused by an unchecked allocation of byte buffer flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a java.lang.OutOfMemoryError exception resulting in a denial of service condition. |
CVE-2020-8231 | curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set. |
CVE-2020-8284 | curl: FTP PASV command response can cause curl to connect to arbitrary host. |
CVE-2020-8285 | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used. |
CVE-2020-8286 | cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server. |
CVE-2021-20329 | MongoDB Go Driver could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation of cstrings when marshalling Go objects into BSON. By sending a specially-crafted Go object with specific string, an attacker could exploit this vulnerability to inject additional fields into marshalled documents. |
CVE-2021-20492 | IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793. |
CVE-2021-22139 | Elastic Kibana is vulnerable to a denial of service, caused by a lack of timeout or a limit on the request size in the webhook actions. By sending a large number of requests, a remote attacker could exploit this vulnerability to exhaust the connection pool, leading to a denial of service. |
CVE-2021-22569 | Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service, caused by an issue with allow interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open a specially-crafted content, a remote attacker could exploit this vulnerability to cause a timeout in ProtobufFuzzer function, and results in a denial of service condition. |
CVE-2021-22876 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system. |
CVE-2021-22898 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sending a specially-crafted request using a clear-text network protocol, an attacker could exploit this vulnerability to obtain sensitive internal information to the server, and use this information to launch further attacks against the affected system. |
CVE-2021-22918 | Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function. |
CVE-2021-22924 | curl: Bad connection reuse due to flawed path name checks. |
CVE-2021-22925 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain TELNET stack contents, and use this information to launch further attacks against the affected system. |
CVE-2021-22926 | Curl libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the CURLOPT_SSLCERT option mixup with TLS library Secure Transport. By creating a specially-crafted file name with the same name as the app wants to use by name, an attacker could exploit this vulnerability to trick the application to use the file based cert instead of the one referred to by name, and allow libcurl to send the wrong client certificate in the TLS connection handshake. |
CVE-2021-22930 | Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior. |
CVE-2021-22945 | cURL libcurl is vulnerable to a denial of service, caused by a use-after-free and double free flaw when sending data to an MQTT server. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-22946 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a required TLS bypassed issue. By sniffing the network, an attacker could exploit this vulnerability to obtain sensitive data in clear text over the network, and use this information to launch further attacks against the affected system. |
CVE-2021-22947 | cURL libcurl is vulnerable to a man-in-the-middle attack, caused by a flaw when connecting to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
CVE-2021-22959 | Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. |
CVE-2021-22960 | Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. |
CVE-2021-23362 | Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-2369 | An unspecified vulnerability in Oracle Java SE related to the Library component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
CVE-2021-2388 | An unspecified vulnerability in Oracle Java SE related to the Hotspot component could allow an unauthenticated attacker to take control of the system. |
CVE-2021-2432 | An unspecified vulnerability in Oracle Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-25737 | Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a host network hijacking flaw due to holes in EndpointSlice validation. By redirecting pod traffic to private networks on a Node, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
CVE-2021-25740 | Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a confused deputy attack. By sending a specially-crafted request to create or edit Endpoints or EndpointSlices in the Kubernetes API, an attacker could exploit this vulnerability to obtain backend IPs information, and use this information to launch further attacks against the affected system. |
CVE-2021-25741 | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange flaw in kubelet. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a container with subpath volume mounts to access files and directories outside of the volume. |
CVE-2021-25742 | Kubernetes NGINX Ingress Controller could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the custom snippets feature. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain all secrets in the cluster, and use this information to launch further attacks against the affected system. |
CVE-2021-25743 | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by improper filtering of ANSI escape characters in kubectl. By sending a specially-crafted input, an attacker could exploit this vulnerability to hide all the events, changing the title of the terminal window, and spoof the data. |
CVE-2021-29842 | IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202. |
CVE-2021-29921 | Python is vulnerable to server-side request forgery, caused by improper input validation of octal strings in the stdlib ipaddress. By submitting a specially-crafted IP address to a web application, an attacker could exploit this vulnerability to conduct SSRF or local file include attacks. |
CVE-2021-29923 | Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. |
CVE-2021-31525 | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. |
CVE-2021-32690 | Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
CVE-2021-33194 | Golang Go is vulnerable to a denial of service, caused by an infinite loop in golang.org/x/net/html. By sending a specially-crafted ParseFragment input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-33195 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
CVE-2021-33196 | Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition. |
CVE-2021-33197 | Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director. |
CVE-2021-33198 | Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition. |
CVE-2021-34558 | The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA-based key exchange, allowing a malicious TLS server to cause a TLS client to panic. |
CVE-2021-35517 | Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' tar package. |
CVE-2021-35556 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35559 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35560 | An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow an unauthenticated attacker to take control of the system. |
CVE-2021-35564 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Keytool component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
CVE-2021-35565 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35578 | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35586 | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35588 | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-3601 | OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA cert. An attacker could exploit this vulnerability for MITM to any connection from the victim machine. |
CVE-2021-36090 | Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' zip package. |
CVE-2021-36158 | xrdp package for Alpine Linux is vulnerable to a man-in-the-middle attack, caused by improper generation of RSA certificates and private keys in the RDP sessions. An attacker could exploit this vulnerability to track users. |
CVE-2021-36221 | Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic. |
CVE-2021-3712 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack. |
CVE-2021-37136 | Netty netty-codec is vulnerable to a denial of service, caused by not allowing size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-37137 | Netty netty-codec is vulnerable to a denial of service, caused by not restricting the chunk length in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause excessive memory usage, and results in a denial of service condition. |
CVE-2021-3733 | Python is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the AbstractBasicAuthHandler class in urllib. By persuading a victim to visit a specially-crafted web site, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-37701 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
CVE-2021-37712 | Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system. |
CVE-2021-37713 | Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system. |
CVE-2021-39031 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources. IBM X-Force ID: 213875. |
CVE-2021-39134 | Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack, caused by the failure of multiple dependencies to coexist within the same level in the node_modules hierarchy. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to create and overwrite arbitrary files on the system with elevated privileges. |
CVE-2021-39135 | Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack. By replacing the node_modules folder of the root project or any of its dependencies with a symbolic link, an attacker could exploit this vulnerability to write package dependencies to any arbitrary location on the file system. |
CVE-2021-41035 | Eclipse Openj9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persuading a victim to execute a specially-crafted program under a security manager, an attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code on the system. |
CVE-2021-41092 | Docker CLI could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when running "docker login my-private-registry.example.com" command with a misconfigured configuration file. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system. |
CVE-2021-41771 | Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the ImportedSymbols function in debug/macho. By using specially-crafted binaries, a remote attacker could exploit this vulnerability to cause a panic, and results in a denial of service condition. |
CVE-2021-41772 | Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the Reader.Open function. By using a specially-crafted ZIP archive containing an invalid name or an empty filename field, a remote attacker could exploit this vulnerability to cause a panic, and results in a denial of service condition. |
CVE-2021-43797 | Netty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding request header names. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
CVE-2021-44532 | Node.js could allow a remote attacker to bypass security restrictions, caused by a string injection vulnerability when name constraints were used within a certificate chain. An attacker could exploit this vulnerability to bypass the name constraints. |
CVE-2021-44533 | Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names. |
CVE-2021-44716 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. |
CVE-2021-44717 | Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. |
CVE-2022-21824 | Node.js could provide weaker than expected security, caused by an error related to the formatting logic of the console.table() function. An attacker could exploit this vulnerability using console.table properties to allow an empty string to be assigned to numerical keys of the object prototype. |
CVE-2022-22704 | zabbix-agent2 package for Alpine Linux could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a design flaw in systemd. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root. |
CVE-2022-23772 | Golang Go is vulnerable to a denial of service, caused by a buffer overflow in the Rat.SetString function in math/big. By sending a specially-crafted request, an attacker could exploit this vulnerability to consume large amount of RAM and cause the application to crash. |
CVE-2022-23773 | An unspecified error with not treating branches with semantic-version names as releases in cmd/go in Golang Go has an unknown impact and attack vector. |
CVE-2022-23806 | Golang Go is vulnerable to a denial of service, caused by a flaw with IsOnCurve function returns true for invalid field elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to causes a panic in ScalarMult, and results in a denial of condition. |
The 3.2.2.2203 fix pack is cumulative and includes all fixes that were included in previous 3.2.2.x fix packs for IBM Cloud Private 3.2.2.
Updated images in 3.2.2.2203
Image | Previous version | New version |
---|---|---|
alertmanager | v0.15.0-f5 | v0.15.0-f6 |
collectd-exporter | v0.4.0-f5 | v0.4.0-f6 |
configmap-reload | v0.2.2-f5 | v0.2.2-f6 |
curl | 4.2.0-build.9 | 4.2.0-build.10 |
dashboard-controller | v1.1.0-f3 | v1.1.0-f4 |
grafana | 5.2.0-f4 | 5.2.0-f5 |
kube-proxy | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-apiserver | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-controller-manager | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-scheduler | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kubelet | v1.19.3-ee-1 | v1.19.3-ee |
iam-policy-decision | 3.2.1.2012 | 3.2.1.2105 |
ibmcloud-image-enforcement | 0.2.2.2012 | 0.2.2.2105 |
icp-catalog-ui | 3.2.1.2012 | 3.2.1.2105 |
icp-cert-manager-acmesolver | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-cainjector | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-controller | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-webhook | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-elasticsearch-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-filebeat-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-helm-api | 3.2.1.2012 | 3.2.1.2105 |
icp-helm-repo | 3.2.1.2012 | 3.2.1.2105 |
icp-image-manager | 2.2.6.2001 | 2.2.6-2105 |
icp-inception | 3.2.2.2012-ee | 3.2.2.2105 |
icp-initcontainer | 1.0-icp-build-2012 | 1.0-icp-build-2105 |
icp-kibana-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-logstash-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-management-ingress | 2.4.0.1910 | 2.4.0.2105 |
icp-mongodb-exporter | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb-install | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb | 4.0.20.2012 | 4.0.24.2105 |
icp-platform-auth | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-header | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-ui | 3.2.1.2012 | 3.2.1.2105 |
indices-cleaner | 1.3.0-build.2 | 1.3.0-build.4 |
kube-state-metrics | v1.9.4-build.6 | v1.9.4-build.10 |
metering-data-manager | 3.2.2.2012 | 3.2.2.2105 |
metering-mcmui | 3.2.2.2012 | 3.2.2.2105 |
metering-ui | 3.2.2.2012 | 3.2.2.2105 |
nginx-ingress-controller | 0.23.7 | 0.23.2105 |
node-exporter | v0.16.0-f6 | v0.16.0-f7 |
nvidia-device-plugin | 1.4 | 1.4.2105 |
prometheus | v2.8.0-f3 | v2.8.0-f4 |
prometheus-config-reloader | v0.31-f1 | v0.31-f2 |
prometheus-operator | v0.31-f1 | v0.31-f2 |
prometheus-operator-controller | v1.0.0-f2 | v1.0.0-f3 |
Updated charts in 3.2.2.2203
Chart | Previous (3.2.1.2105) version | New version |
---|---|---|
auth-idp | 3.3.2105 | 3.3.2203 |
auth-pap | 3.3.2012 | 3.3.2203 |
auth-pdp | 3.3.2105 | 3.3.2203 |
helm-api | 3.3.2105 | 3.3.2203 |
helm-repo | 3.3.2105 | 3.3.2203 |
ibm-cert-manager | 3.4.2105 | 3.4.2203 |
ibm-cert-manager-webhook | 3.4.2105 | 3.4.2203 |
ibm-custom-metrics-adapter | 3.4.2012 | 3.4.2105 |
ibm-icplogging | 3.3.2 | 3.3.6 |
ibm-icpmonitoring | 1.6.22105 | 1.6.22203 |
ibm-istio | 1.2.10 | 1.2.11 |
ibmcloud-image-enforcement | 3.4.2012 | 3.4.2105 |
icp-catalog-chart | 3.3.2105 | 3.3.2203 |
icp-management-ingress | 3.4.2105 | 3.4.2203 |
icp-mongodb | 3.5.2105 | 3.5.2203 |
icp-nginx-ingress | 3.4.2105 | 3.4.2203 |
image-manager | 3.4.2105 | 3.4.2203 |
knative | 3.4.2105 | 3.4.2203 |
metering | 3.4.2105 | 3.4.2203 |
mgmt-repo | 3.3.2105 | 3.3.2203 |
mutation-advisor | 3.4.2105 | 3.4.2203 |
nvidia-device-plugin | 3.4.2012 | 3.4.2105 |
platform-ui | 3.4.2105 | 3.4.2203 |
security-onboarding | 3.3.2105 | 3.3.2203 |
Reported problems that are fixed in the IBM Cloud Private 3.2.2.2105 fix pack
The 3.2.2.2105 fix pack includes all fixes that are included within the 3.2.1.2105 fix pack, except for the fixes that are specific to the Kubernetes version that the 3.2.1.x fix packs support. The 3.2.1.2105 fix pack is intended for environments that use Kubernetes version 1.13.12. If you apply the 3.2.2.2105 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2105 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2105 fix pack instead of the 3.2.1.2105 fix pack.
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.2.2105
Issue | Category | Description |
---|---|---|
45590 | Healthcheck | Fixes a login issue in the management console or cloudctl. |
43801 44227 41478 44913 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - Fixes a login issue in the management console or cloudctl. - Fixes a cluster login issue where the user is not authorized to update a release in development and production environments. - Resolves MongoDB connection timeout issues with auth-pdp in IBM Cloud Private Version 3.2.2 clusters. - Fixes an issue with one of the auth-idp pod platform-auth-service containers, where the certificates are not imported properly into Liberty during pod startup. |
44673 | Installer | This fix resolves an issue that caused missing node labels after adding new cluster nodes. |
38688 | Logging | Fixes an issue related to logging on the Kibana UI where no logs show up and the UI returns a 'No matching indices found: No indices match pattern "logstash-*"' and 'Discover: Could not locate that index-pattern-field (id: @timestamp)' error. |
45520 | Metering | Fixes an issue related to Metering pod heap limit allocation that caused a JavaScript heap out of memory error. |
46474 | MongoDB | Fixes an issue where the mongodump binary cannot connect to MongoDB. |
46560 46571 | Platform UI | This fix pack includes the following fixes: - Fixes an issue that caused a node to display as schedulable when it is not. - Fixes workload scaling issues in the UI. |
Fixed security-related vulnerabilities in 3.2.2.2105
Issue | CVE-ID | Description |
---|---|---|
34823 34860 | CVE-2019-1551 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information. |
44229 44243 44356 44515 45537 | CVE-2020-1971 | OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when the GENERAL_NAME_cmp function compares GENERAL_NAME values that contain an EDIPARTYNAME. An attacker could exploit this vulnerability to cause the application to crash. |
41419 41807 | CVE-2020-1968 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by the Raccoon attack against the TLS specification. By computing the pre-master secret of connections that used a Diffie-Hellman (DH) based cipher suite, an attacker could exploit this vulnerability to eavesdrop on all encrypted communications sent over that TLS connection. |
44504 44552 | CVE-2020-2773 | An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
46131 46243 | CVE-2020-5258 | Dojo could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, the prototype of the base JavaScript Object. |
40047 40238 | CVE-2020-7016 | Elastic Kibana is vulnerable to a denial of service, caused by a vulnerability in Timelion. By persuading a victim to visit a specially crafted URL, a remote attacker could exploit this vulnerability to consume all available CPU resources. |
40047 40238 | CVE-2020-7017 | Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the region map visualization. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
40502 41427 | CVE-2020-7018 | Elastic Enterprise Search could allow a remote authenticated attacker to obtain sensitive information, caused by a credential exposure flaw in the App Search interface. By sending a request with a specially crafted role, a remote attacker could exploit this vulnerability to view the administrator API credentials. |
40502 41427 | CVE-2020-7019 | Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a field disclosure flaw when running a scrolling search. By running the same query, an attacker could exploit this vulnerability to obtain sensitive information. |
42340 42925 | CVE-2020-7020 | Elastic Enterprise Search could allow a remote authenticated attacker to obtain sensitive information, caused by not properly preserving security permissions in search queries. By sending a search request, a remote attacker could exploit this vulnerability to disclose the existence of documents. |
46403 46517 | CVE-2020-7924 | MongoDB Database Tools could allow a remote attacker to bypass security restrictions, caused by a flaw in the usage of a specific command-line parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass certificate validation. |
44229 44243 44356 44515 45537 | CVE-2020-8265 | Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS enabled socket, an attacker could exploit this vulnerability to corrupt memory and cause a denial of service. |
44229 44243 44356 44515 45537 | CVE-2020-8287 | Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
43172 43605 | CVE-2020-8554 | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when using LoadBalancer or ExternalIPs. By using man-in-the-middle attack techniques, an attacker who can patch the status of a LoadBalancer service could exploit this vulnerability to intercept traffic. |
44013 44534 | CVE-2020-8567 | Kubernetes Secrets Store CSI Driver for Vault Plugin, Azure Plugin, and GCP Plugin could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send specially-crafted SecretProviderClass objects containing "dot dot" sequences (/../) to write arbitrary files on the system. |
44013 44534 | CVE-2020-8568 | Kubernetes Secrets Store CSI Driver could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted request containing "dot dot" sequences (/../) to write content to the host filesystem and sync file contents to Kubernetes Secrets. |
44013 44534 | CVE-2020-8569 | Kubernetes CSI snapshot-controller is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when processing a VolumeSnapshot custom resource. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the application to crash. |
40043 40086 | CVE-2020-14039 | Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system. |
44042 44182 | CVE-2020-14781 | An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. |
40043 40086 40275 44431 | CVE-2020-15586 | Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
41425 41808 | CVE-2020-24750 | FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by unsafe deserialization between gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
43171 43301 | CVE-2020-25649 | FasterXML Jackson Databind could provide weaker than expected security, caused by entity expansion not being secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks that affect data integrity. |
42922 42966 44431 | CVE-2020-28362 | Golang Go is vulnerable to a denial of service, caused by improper input validation in the math/big.Int methods. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. |
42922 42966 44431 | CVE-2020-28366 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
42922 42966 44431 | CVE-2020-28367 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
44661 44663 44836 45346 45369 | CVE-2020-28500 | Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
43626 43808 | CVE-2020-28851 | Golang Go is vulnerable to a denial of service, caused by improper input validation while parsing the -u- extension in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause an index out of range panic. |
43626 43808 | CVE-2020-28852 | Golang Go is vulnerable to a denial of service, caused by improper input validation while processing a BCP 47 tag in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause a slice bounds out of range panic. |
44183 44234 44279 44357 44431 | CVE-2021-3114 | The P224() curve implementation in Golang Go can generate incorrect outputs. The impact and attack vector are unknown. |
44183 44234 44279 44357 44431 | CVE-2021-3115 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a command injection flaw when using the go get command to fetch modules that make use of cgo. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
43714 43939 43807 44330 44431 | CVE-2021-3121 | GoGo Protobuf lacks certain index validation, also known as the "skippy peanut butter" issue. The impact and attack vector are unknown. |
45535 45543 45970 46130 | CVE-2021-3449 | OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash. |
45535 45543 45970 46130 | CVE-2021-3450 | OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains when the X509_V_FLAG_X509_STRICT flag is set. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose. |
44660 44834 | CVE-2021-7021 | Elasticsearch could allow a local authenticated attacker to obtain sensitive information, caused by an error when audit logging and the emit_request_body option are enabled. By opening the audit log, a local authenticated attacker could obtain password hashes or authentication tokens and use this information to launch further attacks against the affected system. |
46682 46906 | CVE-2021-20228 | Ansible Engine could allow a local authenticated attacker to obtain sensitive information, caused by sensitive information not being masked or protected by the no_log feature by default. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
46403 46517 | CVE-2021-20334 | MongoDB Compass for Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper access control. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user. |
44470 44475 | CVE-2021-21303 | Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitize multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to send deceptive or obscured information to a terminal screen, or to alter information shown on it. |
44860 45539 | CVE-2021-22883 | Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to cause excessive memory usage and make the system run out of memory. |
44860 45200 45539 | CVE-2021-22884 | Node.js is vulnerable to a denial of service, caused by an error when the whitelist includes "localhost6". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the "localhost6" domain and cause a denial of service. |
44611 44662 44752 45349 45370 46572 | CVE-2021-23337 | All versions of package lodash and all versions of package org.fujion.webjars:lodash are vulnerable to command injection via the template function. |
44613 44667 44668 | CVE-2021-23839 | OpenSSL could provide weaker than expected security, caused by incorrect SSLv2 rollback protection that allows for the inversion of the logic during a padding check. If the server is configured for SSLv2 support at compile time, configured for SSLv2 support at runtime or configured for SSLv2 ciphersuites, it will accept a connection if a version rollback attack has occurred and erroneously reject a connection if a normal SSLv2 connection attempt is made. |
44613 44667 44668 44860 45200 45539 | CVE-2021-23840 | OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash. |
44613 44667 44668 | CVE-2021-23841 | OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the X509_issuer_and_serial_hash() function. By parsing the issuer field, an attacker could exploit this vulnerability to cause the application to crash. |
46176 46516 | CVE-2021-25735 | Kubernetes kube-apiserver could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when performing node updates. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass a Validating Admission Webhook. |
46011 46129 | CVE-2021-26296 | Apache MyFaces is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. |
45159 45216 45335 | CVE-2021-27918 | Golang Go is vulnerable to a denial of service, caused by an infinite loop flaw when using xml.NewTokenDecoder with a custom TokenReader. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
45159 45216 46335 | CVE-2021-27919 | Golang Go is vulnerable to a denial of service, caused by a flaw in the Reader.Open API when a ZIP archive contains files whose names start with ../ . By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
44953 44966 | CVE-2021-28041 | OpenSSH ssh-agent could allow a remote attacker to bypass security restrictions, caused by a double free flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain unconstrained agent-socket access on a legacy operating system, or to forward an agent to arbitrary hosts. |
The 3.2.2.2105 fix pack is cumulative and includes all fixes that were included in previous 3.2.2.x fix packs for IBM Cloud Private 3.2.2.
Updated images in 3.2.2.2105
Image | Previous version | New version |
---|---|---|
alertmanager | v0.15.0-f4 | v0.15.0-f5 |
collectd-exporter | v0.4.0-f4 | v0.4.0-f5 |
configmap-reload | v0.2.2-f4 | v0.2.2-f5 |
curl | 4.2.0-build.9 | 4.2.0-build.10 |
dashboard-controller | v1.1.0-f1 | v1.1.0-f3 |
grafana | 5.2.0-f4 | 5.2.0-f5 |
kube-proxy | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-apiserver | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-controller-manager | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-scheduler | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kubelet | v1.19.3-ee-1 | v1.19.3-ee |
iam-policy-decision | 3.2.1.2012 | 3.2.1.2105 |
ibmcloud-image-enforcement | 0.2.2.2012 | 0.2.2.2105 |
icp-catalog-ui | 3.2.1.2012 | 3.2.1.2105 |
icp-cert-manager-acmesolver | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-cainjector | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-controller | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-webhook | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-elasticsearch-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-filebeat-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-helm-api | 3.2.1.2012 | 3.2.1.2105 |
icp-helm-repo | 3.2.1.2012 | 3.2.1.2105 |
icp-image-manager | 2.2.6.2001 | 2.2.6-2105 |
icp-inception | 3.2.2.2012-ee | 3.2.2.2105 |
icp-initcontainer | 1.0-icp-build-2012 | 1.0-icp-build-2105 |
icp-kibana-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-logstash-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-management-ingress | 2.4.0.1910 | 2.4.0.2105 |
icp-mongodb-exporter | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb-install | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb | 4.0.20.2012 | 4.0.24.2105 |
icp-platform-auth | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-header | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-ui | 3.2.1.2012 | 3.2.1.2105 |
indices-cleaner | 1.3.0-build.2 | 1.3.0-build.4 |
kube-state-metrics | v1.9.4-build. | v1.9.4-build.6 |
metering-data-manager | 3.2.2.2012 | 3.2.2.2105 |
metering-mcmui | 3.2.2.2012 | 3.2.2.2105 |
metering-ui | 3.2.2.2012 | 3.2.2.2105 |
nginx-ingress-controller | 0.23.7 | 0.23.2105 |
node-exporter | v0.16.0-f4 | v0.16.0-f6 |
nvidia-device-plugin | 1.4 | 1.4.2105 |
prometheus | v2.8.0-f1 | v2.8.0-f3 |
prometheus-config-reloader | v0.31 | v0.31-f1 |
prometheus-operator | v0.31 | v0.31-f1 |
prometheus-operator-controller | v1.0.0 | v1.0.0-f2 |
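After a fix pack is applied, the practical check is whether the pods are actually running the tags in the New version column, or whether some workloads are still on the previous tag after a partial rollout. The following script is an added example, not code from the IBM Cloud Private documentation or product: it parses rows copied from the images table above, splits the image references that kubectl reports, and classifies each running image as at the fix pack version, stale, or not covered by the table. The registry host `mycluster.icp:8500`, the `ibmcom` namespace and the kubectl output are constructed sample data, not captured from a cluster.

```python
r"""Audit running container images against a fix pack's "Updated images" table.

Added example for this page, not IBM Cloud Private code. Assumptions:
- table rows are pasted from the page in "image | previous | new |" form;
- image references look like <registry>/<namespace>/<name>:<tag>; the registry
  host mycluster.icp:8500 and namespace ibmcom below are hypothetical;
- the kubectl output is one image reference per line, as produced by
  kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
  The sample output here is constructed, not captured from a cluster.
"""
from collections import defaultdict

# Rows copied from the "Updated images in 3.2.2.2105" table on this page.
UPDATED_IMAGES_TABLE = """
Image | Previous version | New version |
---|---|---|
alertmanager | v0.15.0-f4 | v0.15.0-f5 |
icp-mongodb | 4.0.20.2012 | 4.0.24.2105 |
icp-platform-auth | 3.2.1.2012 | 3.2.1.2105 |
kube-apiserver | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
nginx-ingress-controller | 0.23.7 | 0.23.2105 |
"""

# Constructed sample: two workloads still on the previous tag, and one image
# (icp-platform-ui) that the pasted rows do not cover.
SAMPLE_KUBECTL_IMAGES = """
mycluster.icp:8500/ibmcom/alertmanager:v0.15.0-f5
mycluster.icp:8500/ibmcom/icp-mongodb:4.0.20.2012
mycluster.icp:8500/ibmcom/icp-platform-auth:3.2.1.2105
mycluster.icp:8500/ibmcom/kube-apiserver:v1.19.3_icp-ee-2105
mycluster.icp:8500/ibmcom/nginx-ingress-controller:0.23.7
mycluster.icp:8500/ibmcom/icp-platform-ui:3.2.1.2105
"""


def parse_table(text):
    """Return {image_name: (previous_tag, new_tag)} from the pipe-delimited table."""
    expected = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Image" or cells[0].startswith("---"):
            continue  # header, separator or malformed row
        expected[cells[0].rstrip(":")] = (cells[1], cells[2])  # some rows carry a stray colon
    return expected


def split_image_ref(ref):
    """Split 'registry/ns/name:tag' into (name, tag).

    A digest-pinned reference (name@sha256:...) returns the digest as the tag,
    so it shows up as a mismatch for review instead of passing silently.
    """
    last = ref.rsplit("/", 1)[-1]
    if "@" in last:
        head, digest = last.split("@", 1)
        return head.split(":", 1)[0], digest
    if ":" in last:
        name, tag = last.split(":", 1)
        return name, tag
    return last, "latest"  # an untagged reference means :latest


def audit_running_images(table_text, kubectl_output):
    """Compare running image tags with the fix pack table.

    Returns (up_to_date, stale, unknown):
      up_to_date: {name: new_tag} for listed images running at the fix pack tag
      stale:      {name: {tags}} for listed images running any other tag
      unknown:    {name: {tags}} for running images the table does not list
    An image can appear in both up_to_date and stale during a partial rollout.
    """
    expected = parse_table(table_text)
    running = defaultdict(set)
    for line in kubectl_output.strip().splitlines():
        if line.strip():
            name, tag = split_image_ref(line.strip())
            running[name].add(tag)

    up_to_date, stale, unknown = {}, {}, {}
    for name, tags in running.items():
        if name not in expected:
            unknown[name] = tags
            continue
        _previous, new = expected[name]
        if new in tags:
            up_to_date[name] = new
        if tags - {new}:
            stale[name] = tags - {new}
    return up_to_date, stale, unknown


if __name__ == "__main__":
    expected = parse_table(UPDATED_IMAGES_TABLE)
    ok, stale, unknown = audit_running_images(UPDATED_IMAGES_TABLE, SAMPLE_KUBECTL_IMAGES)
    for name, tags in sorted(stale.items()):
        print(f"STALE   {name}: running {sorted(tags)}, expected {expected[name][1]}")
    for name, tags in sorted(unknown.items()):
        print(f"UNKNOWN {name}: {sorted(tags)} not in the fix pack table")
    print(f"{len(ok)} image(s) at the fix pack version, {len(stale)} stale, {len(unknown)} unlisted")
```

Paste the full table for the fix pack you applied into UPDATED_IMAGES_TABLE and feed the real kubectl output in place of the sample. Note that `.spec.containers[*].image` is what the pod asked for; `.status.containerStatuses[*].imageID` records what the node actually pulled, which is the field to compare if you suspect a registry served a stale tag. Control plane images (kube-apiserver, kube-scheduler and so on) run as static pods and appear in the kube-system namespace as mirror pods, so `-A` is needed to include them.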
Updated charts in 3.2.2.2105
Chart | Previous version | New version |
---|---|---|
auth-idp | 3.3.2012 | 3.3.2105 |
auth-pap | 3.3.2012 | 3.3.2012 |
auth-pdp | 3.3.2012 | 3.3.2105 |
helm-api | 3.3.2012 | 3.3.2105 |
helm-repo | 3.3.2012 | 3.3.2105 |
ibm-cert-manager | 3.3.2012 | 3.4.2105 |
ibm-cert-manager-webhook | 3.3.2012 | 3.4.2105 |
ibm-custom-metrics-adapter | 3.4.2012 | 3.4.2105 |
ibm-icplogging | 3.3.1 | 3.3.2 |
ibm-icpmonitoring | 1.6.22012 | 1.6.22105 |
ibm-istio | 1.2.9 | 1.2.10 |
ibmcloud-image-enforcement | 3.4.2012 | 3.4.2105 |
icp-catalog-chart | 3.3.2012 | 3.3.2105 |
icp-management-ingress | 3.4.2012 | 3.4.2105 |
icp-mongodb | 3.5.2012 | 3.5.2105 |
icp-nginx-ingress | 3.4.2012 | 3.4.2105 |
image-manager | 3.4.2012 | 3.4.2105 |
knative | 3.4.2012 | 3.4.2105 |
metering | 3.4.2012 | 3.4.2105 |
mgmt-repo | 3.3.2012 | 3.3.2105 |
mutation-advisor | 3.4.2012 | 3.4.2105 |
nvidia-device-plugin | 3.4.2012 | 3.4.2105 |
platform-ui | 3.4.2012 | 3.4.2105 |
security-onboarding | 3.3.2012 | 3.3.2105 |
Reported problems that are fixed in the IBM Cloud Private 3.2.2.2012 fix pack
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.2.2012
Issue | Category | Description |
---|---|---|
42922 | Certificate management | This fix updates Go to resolve a security-related vulnerability (CVE-2020-28362). |
40202 41428 | Kubernetes | This fix pack includes the following fixes: - This fix updates the image enforcement policy to add the QPS option for the kube-client that is initialized in the admission controller. - Kubernetes is upgraded to version 1.19.3. - etcd is upgraded to version 3.4.13. - kube-dns is upgraded to version 1.7.0. |
41777 | Kubelet | A Go language issue that caused 'use of closed network connection' kubelet errors and left pods in a Terminating status is resolved. |
41644 41614 | Metering | This fix updates the Node.js and base image versions to address security-related vulnerabilities. |
39471 40347 40043 41424 41614 42039 43273 43274 43276 43278 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue is resolved that affected the auth-pdp connection to mongodb when the mongodb pod restarts. - An issue is resolved that affected how platform-identity-manager handles an invalid roles attribute name in a team payload. - The performance of the users getTeams API is improved. - The version of Go is upgraded to version 1.14.12 to address security-related vulnerabilities. - WebSphere Liberty is upgraded to version 20.0.0.10 to address security-related vulnerabilities. - Java is upgraded to version 1.8.0_271 to address security-related vulnerabilities. - The Python cryptography package is upgraded to version 3.3.1 to address security-related vulnerabilities. |
Fixed security-related vulnerabilities in 3.2.2.2012
Issue | CVE-ID | Description |
---|---|---|
34823 | CVE-2019-1551 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information. |
38874 42039 | CVE-2020-8203 | Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system. |
40561 | CVE-2020-7923 | MongoDB is vulnerable to a denial of service, caused by a flaw in a geoNear invariant. By sending specially crafted queries, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
41426 | CVE-2020-15187 | Helm could allow a remote authenticated attacker to bypass security restrictions, caused by allowing duplicates of the same entry in the plugin.yaml file. By sending specially-crafted input, an attacker could exploit this vulnerability to modify a plugin's install hooks and perform a local execution attack. |
41426 | CVE-2020-15186 | Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of plugin names. By sending specially-crafted input, an attacker could exploit this vulnerability to duplicate the name of another plugin or spoof the output of helm --help. |
41426 | CVE-2020-15185 | Helm could allow a remote authenticated attacker to bypass security restrictions, caused by allowing duplicates of the same chart entry in the repository index file. By sending specially-crafted input, an attacker could exploit this vulnerability to inject a bad chart into a repository. |
41426 | CVE-2020-15184 | Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of the alias field in a Chart.yaml. By sending specially-crafted input, an attacker could exploit this vulnerability to inject unwanted information into a chart. |
41614 | CVE-2020-8252 | Node.js is vulnerable to a buffer overflow, caused by improper bounds checking by the libuv's fs.realpath.native. |
40043 | CVE-2020-15586 | Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
40043 | CVE-2020-14039 | Go could allow a remote attacker to bypass security restrictions, caused by improper validation on the VerifyOptions.KeyUsages EKU requirements during the X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system. |
40347 42039 | CVE-2020-16845 | Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. |
41424 42039 | CVE-2020-4590 | IBM WebSphere Application Server Liberty running the oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. |
43169 | CVE-2020-25659 | python-cryptography could allow a remote attacker to obtain sensitive information, caused by a Bleichenbacher timing attack. |
39032 | CVE-2020-8169 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to correctly URL encode the credential data when set using an curl_easy_setopt option. The host name and partial password is leaked in cleartext over DNS on HTTP redirect. An attacker could exploit this vulnerability to obtain sensitive information. |
39032 | CVE-2020-8177 | cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file. |
42920 | CVE-2020-14792 | An unspecified vulnerability in related to the component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. |
42920 | CVE-2020-14797 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
42920 | CVE-2020-14781 | An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. |
42920 | CVE-2020-14779 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
42920 | CVE-2020-14798 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
42920 | CVE-2020-14796 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. |
42921 | CVE-2020-14782 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
The 3.2.2.2012 fix pack is cumulative and includes all fixes that were included in previous 3.2.2.x fix packs and previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1 up to the 3.2.1.2003 fix pack.
Updated images in 3.2.2.2012
Image | Previous version | New version |
---|---|---|
audit-policy-controller | 3.2.1.1910 | 3.2.1.2012 |
coredns | 1.6.2 | 1.7.0 |
etcd | 3.2.24.2 | 3.4.13 |
hyperkube | v1.16.13-ee | |
iam-policy-administration | 3.2.1.2008 | 3.2.1.2012 |
iam-policy-controller | 3.2.1.2001 | 3.2.1.2012 |
iam-policy-decision | 3.2.1.2006 | 3.2.1.2012 |
ibmcloud-image-enforcement | 0.2.2.2001 | 0.2.2.2012 |
icp-catalog-ui | 3.2.1.2006 | 3.2.1.2012 |
icp-cert-manager-acmesolver | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-cert-manager-cainjector | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-cert-manager-controller | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-cert-manager-webhook | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-helm-api | 3.2.1.2006 | 3.2.1.2012 |
icp-helm-repo | 3.2.1.2006 | 3.2.1.2012 |
icp-helm-rudder | 3.2.1.2006 | 3.2.1.2012 |
icp-iam-onboarding | 3.2.1.2006 | 3.2.1.2012 |
icp-identity-manager | 3.2.1.2008 | 3.2.1.2012 |
icp-identity-provider | 3.2.1.2008 | 3.2.1.2012 |
icp-inception | 3.2.2.2008-ee | 3.2.2.2012-ee |
icp-initcontainer | 1.0.0-build.6 | 1.0-icp-build-2012 |
icp-mongodb | 4.0.16.2008 | 4.0.20.2012 |
icp-oidcclient-watcher | 3.2.1.2001 | 3.2.1.2012 |
icp-platform-api | 3.2.2.2008 | 3.2.2.2012 |
icp-platform-auth | 3.2.1.2008 | 3.2.1.2012 |
icp-platform-header | 3.2.1.2006 | 3.2.1.2012 |
icp-platform-ui | 3.2.1.2006 | 3.2.1.2012 |
icp-secret-watcher | 3.2.1.2001 | 3.2.1.2012 |
icp-web-terminal | 3.2.1.2003 | 3.2.2.2012 |
kubectl | v1.16.7.1 | v1.19.3 |
kube-proxy | | v1.19.3-ee-1 |
kube-apiserver | | v1.19.3-ee-1 |
kube-controller-manager | | v1.19.3-ee-1 |
kube-scheduler | | v1.19.3-ee-1 |
kubelet | | v1.19.3-ee-1 |
mcm-kui-proxy | 3.2.1.1911 | 3.2.2.2012 |
metering-data-manager | 3.2.2.2008 | 3.2.2.2012 |
metering-mcmui | 3.2.2.2008 | 3.2.2.2012 |
metering-ui | 3.2.2.2008 | 3.2.2.2012 |
pause | 3.1 | 3.3 |
tiller | v2.12.3-icp-3.2.1.1911 | v2.16.12-icp-3.2.1.2012 |
Note: Images that include the suffix -oss (icp-elasticsearch-oss, icp-filebeat-oss, icp-kibana-oss, icp-logstash-oss) are newer versions of images that did not include the suffix. For example, icp-elasticsearch-oss is the replacement for the icp-elasticsearch image, which is now deprecated.
Updated charts in 3.2.2.2012
Chart | Previous (3.2.2.2008) version | New version |
---|---|---|
audit-logging | 3.3.1910 | 3.4.2012 |
auth-idp | 3.3.2008 | 3.3.2012 |
auth-pap | 3.3.2008 | 3.3.2012 |
auth-pdp | 3.3.2008 | 3.3.2012 |
calico | 3.8.9 | 3.3.2012 |
helm-api | 3.3.2006 | 3.3.2012 |
helm-repo | 3.3.2006 | 3.3.2012 |
iam-policy-controller | 3.3.2001 | 3.3.2012 |
ibm-cert-manager | 3.3.2001 | 3.4.2012 |
ibm-cert-manager-webhook | 3.3.2001 | 3.4.2012 |
ibm-custom-metrics-adapter | 3.4.2008 | 3.4.2012 |
ibm-icplogging | 3.2.1 | 3.3.1 |
ibm-icpmonitoring | 1.6.22008 | 1.6.22012 |
ibm-istio | 1.2.7 | 1.2.9 |
ibm-mcm-kui | 3.3.1911 | 3.3.2012 |
ibm-mcm-prod | 3.4.2008 | 3.4.2012 |
ibm-minio-objectstore | 2.4.2003 | 2.4.2012 |
ibm-search-prod | 3.4.2008 | 3.4.2012 |
ibmcloud-image-enforcement | 3.3.2001 | 3.4.2012 |
icp-catalog-chart | 3.3.2006 | 3.3.2012 |
icp-management-ingress | 3.3.1910 | 3.4.2012 |
icp-mongodb | 3.5.2008 | 3.5.2012 |
icp-nginx-ingress | 3.4.2008 | 3.4.2012 |
image-manager | 3.3.2001 | 3.4.2012 |
knative | 3.4.2008 | 3.4.2012 |
kube-dns | 3.4.2006 | 3.4.2012 |
metering | 3.4.2008 | 3.4.2012 |
metrics-server | 3.4.2006 | 3.4.2012 |
mgmt-repo | 3.3.2006 | 3.3.2012 |
mutation-advisor | 3.3.2008 | 3.4.2012 |
node-problem-detector-draino | 0.5 | 3.4.2012 |
nsx-t-container-plugin | 3.3.2008 | 3.3.2012 |
nvidia-device-plugin | 3.3.0 | 3.4.2012 |
oidcclient-watcher | 3.3.2001 | 3.3.2012 |
platform-ui | 3.4.2008 | 3.4.2012 |
platform-api | 3.4.2008 | 3.4.2012 |
secret-watcher | 3.3.2001 | 3.3.2012 |
security-onboarding | 3.3.2008 | 3.3.2012 |
service-catalog | 3.4.2008 | 3.4.2012 |
system-healthcheck-service | 3.3.1911 | 3.3.2012 |
vulnerability-advisor | 3.3.2008 | 3.4.2012 |
web-terminal | 3.3.2003 | 3.3.2012 |
Reported problems that are fixed in the IBM Cloud Private 3.2.2.2008 fix pack
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.2.2008
Issue | Category | Description |
---|---|---|
39229 | Calico | Calico is upgraded to version 3.8.9 to address a security vulnerability. |
40048 | Kubernetes | This fix updates Kubernetes to version 1.16.7.1 to remove the curl tool within Kubectl and address security vulnerabilities. |
31863 34244 35166 35312 35476 37301 37619 38548 39076 39222 40036 | Logging | This fix pack includes the following fixes: - Elastic Stack components (Logstash, Filebeat, Elasticsearch, Kibana) are upgraded from version 6.6.1 to version 6.8.10 to address security vulnerabilities. - The logstash-input-beats plug-in is upgraded to version 6.0.11. |
38874 | Metering | This fix updates Lodash version to version 4.17.19 to address security vulnerabilities. |
40270 | Platform-API | This fix updates platform-api to fix crashes with "fatal error: concurrent map read and map write". |
39586 | Service-Catalog | This fix updates the Elasticsearch version to version 6.8.10 to be consistent with logging. |
35851 40048 40091 | Security - Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue is addressed that prevented the namespace from being deleted when the service catalog is enabled. This issue occurs because the service catalog API resource does not implement the protocol buffer (protobuf) marshalling interface and cannot be encoded to a protobuf message. - Roles are updated to support configuring networking ingresses and networking policies. - This fix pack also includes fixes to resolve security-related vulnerabilities. |
Fixed security-related vulnerabilities in 3.2.2.2008
Issue | CVE-ID | Description |
---|---|---|
31863 | CVE-2019-1547 | OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation. |
31863 | CVE-2019-1549 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information. |
35166 35312 | CVE-2019-1551 | OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
31863 | CVE-2019-1563 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information. |
35476 | CVE-2020-7238 | Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. |
34244 | CVE-2019-7620 | Elastic Logstash is vulnerable to a denial of service, caused by a flaw in the Beats input plugin. By sending a specially-crafted network packet, a remote attacker could exploit this vulnerability to cause the application to stop responding. Upgrade to the latest version of Logstash (6.8.4, 7.4.1 or later), available from the Elastic Web site. |
37619 | CVE-2019-11612 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. |
35851 | CVE-2019-15604 | Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort. |
35851 | CVE-2019-15605 | Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
35851 | CVE-2019-15606 | Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons. |
38548 | CVE-2020-7012 | Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the Upgrade Assistant. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system. |
38548 | CVE-2020-7013 | Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in TSVB. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system. |
38548 | CVE-2020-7015 | Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in TSVB visualization. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
39076 | CVE-2020-7614 | Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a race condition in the response headers. By sending specially-crafted requests, an attacker could exploit this vulnerability to obtain sensitive information of another user from the response header. |
37996 | CVE-2020-7921 | MongoDB Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper serialization of internal state in the authorization subsystem. An attacker could exploit this vulnerability to bypass IP whitelisting protection. |
39032 | CVE-2020-8169 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to correctly URL encode the credential data when set using a curl_easy_setopt option. The host name and partial password are leaked in cleartext over DNS on HTTP redirect. An attacker could exploit this vulnerability to obtain sensitive information. |
39032 39067 | CVE-2020-8177 | curl could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file. |
38874 | CVE-2020-8203 | Fixed for the Metering component only. Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system. |
40048 | CVE-2020-8553 | Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file. |
39624 | CVE-2020-8557 | Kubernetes kubelet is vulnerable to a denial of service, caused by the kubelet eviction manager not including the /etc/hosts file when calculating ephemeral storage usage. By writing a large amount of data to the /etc/hosts file, a local authenticated attacker could exploit this vulnerability to fill the storage space of the node and cause the node to fail. |
39624 | CVE-2020-8559 | Kubernetes kube-apiserver could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when multiple clusters share the same certificate authority trusted by the client. By intercepting certain requests and sending a redirect response, an attacker could exploit this vulnerability to compromise other nodes. |
38544 | CVE-2020-13401 | Docker CE is vulnerable to a man-in-the-middle attack, caused by improper validation of router advertisements. By sending rogue router advertisements, an attacker could exploit this vulnerability using man-in-the-middle techniques to gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
39229 | CVE-2020-13597 | Clusters using Calico (version 3.14.0 and earlier), Calico Enterprise (version 2.8.2 and earlier), can be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege can reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default. This vulnerability allows an attacker to redirect full or partial network traffic from the node to the compromised pod. |
39222 | CVE-2020-14422 | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. |
The 3.2.2.2008 fix pack is cumulative and includes all fixes that were included in the 3.2.2.2006 fix pack and the previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1 up to the 3.2.1.2003 fix pack.
Updated images in 3.2.2.2008
Image | Previous version | New version |
---|---|---|
calico-cni | v3.5.2.1 | v3.8.9 |
calico-ctl | v3.5.2.1 | v3.8.9 |
calico-kube-controllers | v3.5.2.1 | v3.8.9 |
calico-node | v3.5.2.1 | v3.8.9 |
curl | 4.2.0-f4 | 4.2.0-build.6 |
default-http-backend | 1.5.2 | 1.5.5 |
hyperkube | v1.16.7-ee.2006 | v1.16.13-ee |
iam-policy-administration | 3.2.1.2006 | 3.2.1.2008 |
icp-elasticsearch-oss | icp-elasticsearch-6.6.1 | 6.8.10-build.1 |
icp-filebeat-oss | icp-filebeat-6.6.1 | 6.8.10-build.1 |
icp-identity-manager | 3.2.1.2006 | 3.2.1.2008 |
icp-identity-provider | 3.2.1.2006 | 3.2.1.2008 |
icp-initcontainer | 1.0.0-f4 | 1.0.0-build.6 |
icp-kibana-oss | icp-kibana-6.6.1 | 6.8.10-build.1 |
icp-logstash-oss | icp-logstash-6.6.1 | 6.8.10-build.1 |
icp-mongodb | 4.0.12-build.3 | 4.0.16.2008 |
icp-mongodb-exporter | 3.4.0 | 3.4.0.2008 |
icp-mongodb-install | 3.4.0 | 3.4.0.2008 |
icp-multicluster-endpoint-operator | 3.2.2.2006 | 3.2.2.2008 |
icp-platform-api | 3.2.2.2006 | 3.2.2.2008 |
icp-platform-auth | 3.2.1.2008 | 3.2.1.2008 |
indices-cleaner | 1.2.0 | 1.3.0-build.1 |
kubectl | v1.16.7 | v1.16.7.1 |
logging-pki-init | 2.3.0 | 2.3.0-build.3 |
metering-data-manager | 3.2.2.2006 | 3.2.2.2008 |
metering-mcmui | 3.2.2.2006 | 3.2.2.2008 |
metering-ui | 3.2.2.2006 | 3.2.2.2006 |
nginx-ingress-controller | 0.23.1.1911 | 0.23.7 |
search-collector | 3.2.1.2001 | 3.2.2.2008 |
service-catalog-service-catalog | v0.1.40-icp | v0.1.40-icp.2008 |
Note: Images that include the suffix -oss (icp-elasticsearch-oss, icp-filebeat-oss, icp-kibana-oss, icp-logstash-oss) are newer versions of images that did not include the suffix. For example, icp-elasticsearch-oss is the replacement for the icp-elasticsearch image, which is now deprecated.
Updated charts in 3.2.2.2008
Chart | Previous (3.2.2.2006) version | New version |
---|---|---|
auth-idp | 3.3.2006 | 3.3.2008 |
auth-pap | 3.3.2006 | 3.3.2008 |
auth-pdp | 3.3.2006 | 3.3.2008 |
calico | 3.3.0 | 3.8.9 |
ibm-calico-route-reflector | 3.3.0 | 3.8.9 |
ibm-custom-metrics-adapter | 3.3.2003 | 3.4.2008 |
ibm-mcm-prod | 3.3.2006 | 3.4.2008 |
ibm-icplogging | 2.4.1910 | 3.2.1 |
ibm-icpmonitoring | 1.6.2006 | 1.6.22008 |
ibm-istio | 1.2.6 | 1.2.7 |
ibm-search-prod | 3.3.2006 | 3.4.2008 |
icp-mongodb | 3.5.2006 | 3.5.2008 |
icp-nginx-ingress | 3.3.1911 | 3.4.2008 |
knative | 3.3.2006 | 3.4.2008 |
metering | 3.4.2006 | 3.4.2008 |
mutation-advisor | 3.3.2003 | 3.3.2008 |
nsx-t-container-plugin | 3.3.0 | 3.3.2008 |
platform-api | 3.4.2006 | 3.4.2008 |
security-onboarding | 3.3.2006 | 3.3.2008 |
service-catalog | 3.3.0 | 3.4.2008 |
vulnerability-advisor | 3.3.2006 | 3.3.2008 |
Reported problems that are fixed in the IBM Cloud Private 3.2.2.2006 fix pack
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.2.2006
Issue | Category | Description |
---|---|---|
35851 36565 | Catalog-UI | This fix updates Node.js to resolve security-related vulnerabilities. |
38062 38683 | GlusterFS | This fix pack includes the following fixes: - The icp-storage-util image is updated to version 3.2.1.2006 to upgrade OpenSSL to 1.1.1g. - The Storage GlusterFS Health page from Grafana is updated to address an issue that prevented data from displaying. |
36566 | Helm API & Helm Repo | This fix updates the Node.js version to resolve security-related vulnerabilities. |
35721 35935 38934 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue with the GET userinfo API in platform-identity-provider is resolved. This issue caused intermittent failures with Helm upgrade and delete commands. - The LDAP recursiveSearch config variable is now configurable. The value can be changed between true and false as required when the LDAP user login process runs too slowly because of nested user groups. - WebSphere Liberty is upgraded to version 20.0.0.5. - The IBM JDK is upgraded to version 1.8.0_sr6fp10. - Fixes to resolve security-related vulnerabilities. |
36413 37151 | Kubernetes core | This fix pack includes the following fixes: - Kubernetes is upgraded to version 1.16.7. - The Metrics server is updated to version 0.3.4. - CoreDNS is upgraded to version 1.6.2. |
38934 | Policy Decision Point (PDP) | This fix improves the performance of the PDP service and resolves an issue that caused a container restart due to a memory leak error. |
35928 38647 | Metering | This fix updates the Node.js version to address security-related vulnerabilities. |
35928 38647 | Multicluster-Endpoint | This fix updates the metering image version to version 3.2.2.2006. |
38684 | Network policy | This fix modifies the network policy to ensure that the Kubernetes API server can reach the platform-identity-manager. This modification is needed for installing Knative. |
32149 32151 34916 35454 35527 35721 35877 35879 35935 36030 36233 36587 36817 37648 37844 37846 37944 | Security - Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue that caused a CrashLoopBackOff error for the auth-pap pod is resolved. - WebSphere Liberty is upgraded to version 20.0.0.5. - The IBM JDK is upgraded to version 1.8.0_sr6fp10. - Fixes to resolve security-related vulnerabilities. |
Fixed security-related vulnerabilities in 3.2.2.2006
Issue | CVE-ID | Description |
---|---|---|
38572 38573 |
CVE-2018-1002102 | Kubernetes API server could allow a remote authenticated attacker to conduct phishing attacks, caused by an improper validation of URL redirection. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. |
34823 34859 |
CVE-2019-1551 | OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
31863 32149 |
CVE-2019-1547 | OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the co-factor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation. |
31863 32149 |
CVE-2019-1549 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information. |
31863 32149 |
CVE-2019-1563 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information. |
31866 32151 |
CVE-2019-5481 | cURL libcurl is vulnerable to a denial of service, caused by a double free flaw during kerberos FTP data transfer. By sending a specially-crafted size of data, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
31866 | CVE-2019-5482 | cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system. |
32678 23646 |
CVE-2019-9947 | Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. |
32678 23646 |
CVE-2019-9948 | Python could allow a remote attacker to bypass security restrictions, caused by improper input validation by the urllib. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass the blacklist file: URIs protection mechanisms. |
35851 35877 35928 35952 35953 36565 36566 37944 |
CVE-2019-15604 | Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort. |
35851 35877 35928 35952 35953 36565 36566 37944 |
CVE-2019-15605 | Node.js vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
35851 35877 35928 35952 35953 36565 36566 37944 |
CVE-2019-15606 | Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons. |
32777 32933 |
CVE-2019-16935 | Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
36569 36587 |
CVE-2019-17573 | Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
37835 37846 |
CVE-2020-2754 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 |
CVE-2020-2755 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 |
CVE-2020-2756 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 |
CVE-2020-2757 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2781 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2800 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. |
37835 37846 | CVE-2020-2803 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
37835 37846 | CVE-2020-2805 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
37835 37846 | CVE-2020-2830 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
36802 36817 | CVE-2020-4303 | IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
36802 36817 | CVE-2020-4304 | IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
37620 37648 | CVE-2020-4329 | IBM WebSphere Application Server could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. |
37833 37844 | CVE-2020-4421 | IBM WebSphere Application Server Liberty could allow an authenticated user using OpenID Connect to spoof another user's identity. |
38545 38647 38649 38650 | CVE-2020-8172 | Node.js could allow a remote attacker to bypass security restrictions. The 'session' event could be emitted before the 'secureConnect' event and possibly allow for the reuse of the TLS session. An attacker could exploit this vulnerability to bypass host certificate verification and gain access to the system. |
38545 38647 38649 38650 | CVE-2020-8174 | Node.js is vulnerable to a buffer overflow, caused by multiple memory corruptions in the napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() functions. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service. |
38545 38647 38649 38650 | CVE-2020-10531 | International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
38545 38647 38649 38650 | CVE-2020-11080 | Node.js is vulnerable to a denial of service, caused by an error in handling the HTTP/2 SETTINGS frame, which is limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources. |
36896 36961 | CVE-2020-11254 | Kubernetes is vulnerable to a denial of service, caused by a flaw in kube-apiserver. By sending a specially-crafted request using YAML payloads, a remote authenticated attacker could exploit this vulnerability to consume excessive CPU cycles. |
Updated images in 3.2.2.2006
Image | Previous version | New version |
---|---|---|
coredns | 1.2.6.1 | 1.6.2 |
hyperkube | v1.13.12-ee.2003 | v1.16.7-ee.2006 |
iam-policy-decision | 3.2.1.2001 | 3.2.1.2006 |
iam-policy-administration | 3.2.1.2003 | 3.2.1.2006 |
icp-iam-onboarding | 3.2.1 | 3.2.1.2006 |
icp-catalog-ui | 3.2.1.2001 | 3.2.1.2006 |
icp-helm-api | 3.2.1.2001 | 3.2.1.2006 |
icp-helm-repo | 3.2.1.1911 | 3.2.1.2006 |
icp-identity-manager | 3.2.1.2003 | 3.2.1.2006 |
icp-identity-provider | 3.2.1.2003 | 3.2.1.2006 |
icp-mongodb | 4.0.12 | 4.0.12-build.3 |
icp-mongodb-exporter | 3.2.1 | 3.4.0 |
icp-mongodb-install | 3.2.1 | 3.4.0 |
icp-multicluster-endpoint-operator | 3.2.1.2001 | 3.2.2.2006 |
icp-platform-api | 3.2.1.2003 | 3.2.2.2006 |
icp-platform-auth | 3.2.1.2003 | 3.2.1.2006 |
icp-platform-header | 3.2.1.2003 | 3.2.1.2006 |
icp-platform-ui | 3.2.1.2003 | 3.2.1.2006 |
icp-storage-util | 3.2.1.1911 | 3.2.1.2006 |
kubectl | v1.13.11.1911 | v1.16.7 |
metering-data-manager | 3.2.1.2001 | 3.2.2.2006 |
metering-mcmui | 3.2.1.1911 | 3.2.2.2006 |
metering-ui | 3.2.1.1911 | 3.2.2.2006 |
metrics-server | v0.3.1.2003 | v0.3.4 |
Updated charts in 3.2.2.2006
Chart | Previous (3.2.1.2003) version | New version |
---|---|---|
auth-idp | 3.3.2003 | 3.3.2006 |
auth-pap | 3.3.2003 | 3.3.2006 |
auth-pdp | 3.3.2003 | 3.3.2006 |
helm-api | 3.3.2001 | 3.3.2006 |
helm-repo | 3.3.1911 | 3.3.2006 |
ibm-glusterfs | 1.5.2001 | 1.5.2006 |
ibm-icpmonitoring | 1.6.1910 | 1.6.2006 |
ibm-istio | 1.2.4 | 1.2.6 |
ibm-mcm-prod | 3.3.2001 | 3.3.2006 |
ibm-search-prod | 3.3.2001 | 3.3.2006 |
icp-catalog-chart | 3.3.2001 | 3.3.2006 |
icp-mongodb | 3.3.0 | 3.5.2006 |
icp-platform-netpols | 3.3.0 | 3.3.2006 |
knative | 3.3.1911 | 3.3.2006 |
kube-dns | 3.3.2001 | 3.4.2006 |
metering | 3.3.2001 | 3.4.2006 |
metrics-server | 3.3.2003 | 3.4.2006 |
mgmt-repo | 3.3.1911 | 3.3.2006 |
platform-api | 3.3.2003 | 3.4.2006 |
platform-ui | 3.3.2003 | 3.4.2006 |
security-onboarding | 3.3.2003 | 3.3.2006 |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2203 fix pack
This 3.2.1.2203 fix pack includes all fixes that are included within the 3.2.2.2203 fix pack, except for those that apply only to the updated version of Kubernetes delivered by the 3.2.2.2203 fix pack. The 3.2.1.2203 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2203 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2203 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2203 fix pack instead of this 3.2.1.2203 fix pack.
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.1.2203
Category | Description |
---|---|
Installer | This fix pack includes the following fixes: - Uplift Python version to Python 3 - Remove nfnetlink library check in cluster nodes - Update base images and Go versions to address security-related vulnerabilities |
Audit Logging | This fix pack includes the following fixes: - Update base image and Go versions to address security-related vulnerabilities |
Catalog UI | This fix pack includes the following fixes: - Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities - Bug fix for a rare bug where the green loading icon spins endlessly and Helm releases do not show properly due to request queue problems |
Certificate Management | This fix pack includes the following fix: - Update Go version (1.17.5) to resolve security-related vulnerabilities |
GlusterFS | This fix pack includes the following fixes: - Update curl version to address security-related vulnerabilities - Update OpenSSH to address security-related vulnerabilities |
Helm API | This fix pack includes the following fixes: - Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities - Update Rudder image Go version from 1.14.14 to 1.17.7 for security-related vulnerabilities |
Helm Repo | This fix pack includes the following fixes: - Update Node.js from 14.16.0 to 14.19.0 and the base image for security-related vulnerabilities |
Image Manager and ICP Registry | This fix pack includes the following fixes: - Update Go version to address security-related vulnerabilities - Update OpenSSL to address security-related vulnerabilities |
Ingress | This fix pack includes the following fixes: - Update nginx base image, uplift OpenSSL version, update Go version |
Istio | This fix pack includes the following fixes: - Update Go version to address security-related vulnerabilities - Update version of sudo used to address security-related vulnerabilities |
Kubernetes | This fix pack includes the following fixes: - Fix the slow master switchover in Etcd VIP manager in HA environment by immediately broadcasting it to all the nodes, hence reducing the time for ARP cache update. |
Kube-dns | This fix pack includes the following fixes: - Update CoreDNS image from 1.7.0 to 1.9.1 to resolve Go related security vulnerabilities - Community changelog: https://github.com/coredns/coredns/blob/master/notes/coredns-1.9.1.md |
Logging | This fix pack includes the following fixes: - Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities - Update pki-init's OpenSSL version to address security-related vulnerabilities - Update Elasticsearch's version of curl to address security-related vulnerabilities |
Metering | This fix pack includes the following fixes: - Update the Node.js and base image versions to address security-related vulnerabilities - Fix to allow the data manager purger to process data in chunks rather than on a single cursor |
Metrics Server | This fix pack includes the following fixes: - Update metrics server from v0.3.4 to v0.5.2 to resolve Go related security vulnerabilities - Community changelog version v0.3.z to v0.4.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.4.0 - Community changelog version v0.4.5 to v0.5.0: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.0 |
MinIO | This fix pack includes the following fixes: - Update Go version from 1.15 to 1.17.8 to address security-related vulnerabilities - Update MinIO version from RELEASE.2019-04-09T01-22-30Z to RELEASE.2022-01-08T03-11-54Z - Update MinIO client version from RELEASE.2019-04-03T17-59-57Z to RELEASE.2022-01-07T06-01-38Z - Update MinIO client Go version from 1.12 to 1.17.8 to address security-related vulnerabilities |
Monitoring | This fix pack includes the following fixes: - Update base image and Go versions to address security-related vulnerabilities |
Mutation Advisor | This fix pack includes the following fixes: - Update elasticstack (elasticsearch, filebeat, logstash, and kibana) from version 6.8.14 to 6.8.23 in order to address the log4j security-related vulnerabilities - Update pki-init's OpenSSL version to address security-related vulnerabilities - Update Elasticsearch's version of curl to address security-related vulnerabilities |
Platform API | This fix pack includes the following fix: - Update Go version (1.17.5) to resolve security-related vulnerabilities |
Platform UI | This fix pack includes the following fixes: - Update the Node.js and base image versions to address security-related vulnerabilities |
Security IAM | This fix pack includes the following fixes: - Update base image, Go versions, liberty versions, and node versions to address security-related vulnerabilities |
Fixed security-related vulnerabilities in 3.2.1.2203
CVE-ID | Description |
---|---|
CVE-2018-16843 | nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive memory consumption. |
CVE-2018-16844 | nginx is vulnerable to a denial of service, caused by a flaw when compiled with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive CPU consumption. |
CVE-2018-16845 | nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or obtain sensitive information from worker process memory. |
CVE-2019-20372 | NGINX could allow a remote attacker to obtain sensitive information, caused by a flaw in certain error_page configurations. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
CVE-2019-7401 | NGINX Unit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the router process. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the router process to crash. |
CVE-2020-28491 | FasterXML jackson-dataformats-binary is vulnerable to a denial of service, caused by an unchecked allocation of byte buffer flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a java.lang.OutOfMemoryError exception, resulting in a denial of service condition. |
CVE-2020-8231 | curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set. |
CVE-2020-8284 | curl: FTP PASV command response can cause curl to connect to arbitrary host. |
CVE-2020-8285 | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used. |
CVE-2020-8286 | cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server. |
CVE-2021-20329 | MongoDB Go Driver could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation of cstrings when marshalling Go objects into BSON. By sending a specially-crafted Go object with a specific string, an attacker could exploit this vulnerability to inject additional fields into marshalled documents. |
CVE-2021-20492 | IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793. |
CVE-2021-22139 | Elastic Kibana is vulnerable to a denial of service, caused by a lack of timeout or a limit on the request size in the webhook actions. By sending a large number of requests, a remote attacker could exploit this vulnerability to exhaust the connection pool, leading to a denial of service. |
CVE-2021-22569 | Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service, caused by an issue that allows interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could exploit this vulnerability to cause a timeout in the ProtobufFuzzer function, resulting in a denial of service condition. |
CVE-2021-22876 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system. |
CVE-2021-22898 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sending a specially-crafted request using a clear-text network protocol, an attacker could exploit this vulnerability to obtain sensitive internal information to the server, and use this information to launch further attacks against the affected system. |
CVE-2021-22918 | Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function. |
CVE-2021-22924 | curl: Bad connection reuse due to flawed path name checks. |
CVE-2021-22925 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the option parser for sending NEW_ENV variables. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain TELNET stack contents, and use this information to launch further attacks against the affected system. |
CVE-2021-22926 | cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a CURLOPT_SSLCERT option mixup with the Secure Transport TLS library. By creating a specially-crafted file with the same name as the certificate the application wants to use by name, an attacker could exploit this vulnerability to trick the application into using the file-based certificate instead of the one referred to by name, causing libcurl to send the wrong client certificate in the TLS connection handshake. |
CVE-2021-22930 | Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior. |
CVE-2021-22945 | cURL libcurl is vulnerable to a denial of service, caused by a use-after-free and double free flaw when sending data to an MQTT server. By sending specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-22946 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a required TLS bypassed issue. By sniffing the network, an attacker could exploit this vulnerability to obtain sensitive data in clear text over the network, and use this information to launch further attacks against the affected system. |
CVE-2021-22947 | cURL libcurl is vulnerable to a man-in-the-middle attack, caused by a flaw when connecting to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
CVE-2021-22959 | Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. |
CVE-2021-22960 | Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. |
CVE-2021-23362 | Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-2369 | An unspecified vulnerability in Oracle Java SE related to the Library component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
CVE-2021-2388 | An unspecified vulnerability in Oracle Java SE related to the Hotspot component could allow an unauthenticated attacker to take control of the system. |
CVE-2021-2432 | An unspecified vulnerability in Oracle Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-25737 | Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a host network hijacking flaw due to holes in EndpointSlice validation. By redirecting pod traffic to private networks on a Node, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
CVE-2021-25740 | Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a confused deputy attack. By sending a specially-crafted request to create or edit Endpoints or EndpointSlices in the Kubernetes API, an attacker could exploit this vulnerability to obtain backend IPs information, and use this information to launch further attacks against the affected system. |
CVE-2021-25741 | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange flaw in kubelet. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a container with subpath volume mounts to access files and directories outside of the volume. |
CVE-2021-25742 | Kubernetes NGINX Ingress Controller could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the custom snippets feature. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain all secrets in the cluster, and use this information to launch further attacks against the affected system. |
CVE-2021-25743 | Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by improper filtering of ANSI escape characters in kubectl. By sending a specially-crafted input, an attacker could exploit this vulnerability to hide all the events, changing the title of the terminal window, and spoof the data. |
CVE-2021-29842 | IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202. |
CVE-2021-29921 | Python is vulnerable to server-side request forgery, caused by improper input validation of octal strings in the stdlib ipaddress. By submitting a specially-crafted IP address to a web application, an attacker could exploit this vulnerability to conduct SSRF or local file include attacks. |
CVE-2021-29923 | Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. |
CVE-2021-31525 | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. |
CVE-2021-32690 | Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
CVE-2021-33194 | Golang Go is vulnerable to a denial of service, caused by an infinite loop in golang.org/x/net/html. By sending a specially-crafted ParseFragment input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-33195 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
CVE-2021-33196 | Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, resulting in a denial of service condition. |
CVE-2021-33197 | Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director. |
CVE-2021-33198 | Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, resulting in a denial of service condition. |
CVE-2021-34558 | The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. |
CVE-2021-35517 | Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' tar package. |
CVE-2021-35556 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35559 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Swing component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35560 | An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow an unauthenticated attacker to take control of the system. |
CVE-2021-35564 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the Keytool component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
CVE-2021-35565 | An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35578 | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35586 | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-35588 | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
CVE-2021-3601 | OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA cert. An attacker could exploit this vulnerability for MITM to any connection from the victim machine. |
CVE-2021-36090 | Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' zip package. |
CVE-2021-36158 | xrdp package for Alpine Linux is vulnerable to a man-in-the-middle attack, caused by improper generation of RSA certificates and private keys in the RDP sessions. An attacker could exploit this vulnerability to track users. |
CVE-2021-36221 | Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic. |
CVE-2021-3712 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack. |
CVE-2021-37136 | Netty netty-codec is vulnerable to a denial of service, caused by the lack of size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-37137 | Netty netty-codec is vulnerable to a denial of service, caused by not restricting the chunk length in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause excessive memory usage, resulting in a denial of service condition. |
CVE-2021-3733 | Python is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the AbstractBasicAuthHandler class in urllib. By persuading a victim to visit a specially-crafted web site, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-37701 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
CVE-2021-37712 | Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system. |
CVE-2021-37713 | Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system. |
CVE-2021-39031 | IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources. IBM X-Force ID: 213875. |
CVE-2021-39134 | Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack, caused by the failure of multiple dependencies to coexist within the same level in the node_modules hierarchy. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to create and overwrite arbitrary files on the system with elevated privileges. |
CVE-2021-39135 | Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack. By replacing the node_modules folder of the root project or any of its dependencies with a symbolic link, an attacker could exploit this vulnerability to write package dependencies to any arbitrary location on the file system. |
CVE-2021-41035 | Eclipse Openj9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persuading a victim to execute a specially-crafted program under a security manager, an attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code on the system. |
CVE-2021-41092 | Docker CLI could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when running "docker login my-private-registry.example.com" command with a misconfigured configuration file. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system. |
CVE-2021-41771 | Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the ImportedSymbols function in debug/macho. By using specially-crafted binaries, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition. |
CVE-2021-41772 | Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the Reader.Open function. By using a specially-crafted ZIP archive containing an invalid name or an empty filename field, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition. |
CVE-2021-43797 | Netty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding request header names. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
CVE-2021-44532 | Node.js could allow a remote attacker to bypass security restrictions, caused by a string injection vulnerability when name constraints were used within a certificate chain. An attacker could exploit this vulnerability to bypass the name constraints. |
CVE-2021-44533 | Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names. |
CVE-2021-44716 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. |
CVE-2021-44717 | Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. |
CVE-2022-21824 | Node.js could provide weaker than expected security, caused by an error related to the formatting logic of the console.table() function. An attacker could exploit this vulnerability using console.table properties to allow an empty string to be assigned to numerical keys of the object prototype. |
CVE-2022-22704 | zabbix-agent2 package for Alpine Linux could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a design flaw in systemd. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root. |
CVE-2022-23772 | Golang Go is vulnerable to a denial of service, caused by a buffer overflow in the Rat.SetString function in math/big. By sending a specially-crafted request, an attacker could exploit this vulnerability to consume a large amount of RAM and cause the application to crash. |
CVE-2022-23773 | An unspecified error with not treating branches with semantic-version names as releases in cmd/go in Golang Go has an unknown impact and attack vector. |
CVE-2022-23806 | Golang Go is vulnerable to a denial of service, caused by a flaw in which the IsOnCurve function returns true for invalid field elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause a panic in ScalarMult, resulting in a denial of service condition. |
The 3.2.1.2203 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.
Updated images in 3.2.1.2203
Image | Previous version | New version |
---|---|---|
alertmanager | v0.15.0-f5 | v0.15.0-f6 |
collectd-exporter | v0.4.0-f5 | v0.4.0-f6 |
configmap-reload | v0.2.2-f5 | v0.2.2-f6 |
curl | 4.2.0-build.9 | 4.2.0-build.10 |
dashboard-controller | v1.1.0-f3 | v1.1.0-f4 |
grafana | 5.2.0-f5 | 5.2.0-f6 |
kube-proxy | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-apiserver | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-controller-manager | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kube-scheduler | v1.19.3-ee-1 | v1.19.3_icp-ee-2105 |
kubelet | v1.19.3-ee-1 | v1.19.3-ee |
iam-policy-decision | 3.2.1.2012 | 3.2.1.2105 |
ibmcloud-image-enforcement | 0.2.2.2012 | 0.2.2.2105 |
icp-catalog-ui | 3.2.1.2012 | 3.2.1.2105 |
icp-cert-manager-acmesolver | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-cainjector | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-controller | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-webhook | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-elasticsearch-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-filebeat-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-helm-api | 3.2.1.2012 | 3.2.1.2105 |
icp-helm-repo | 3.2.1.2012 | 3.2.1.2105 |
icp-image-manager | 2.2.6.2001 | 2.2.6-2105 |
icp-inception | 3.2.2.2012-ee | 3.2.2.2105 |
icp-initcontainer | 1.0-icp-build-2012 | 1.0-icp-build-2105 |
icp-kibana-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-logstash-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-management-ingress | 2.4.0.1910 | 2.4.0.2105 |
icp-mongodb-exporter | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb-install | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb | 4.0.20.2012 | 4.0.24.2105 |
icp-platform-auth | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-header | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-ui | 3.2.1.2012 | 3.2.1.2105 |
indices-cleaner | 1.3.0-build.2 | 1.3.0-build.4 |
kube-state-metrics | v1.9.4-build. | v1.9.4-build.6 |
metering-data-manager | 3.2.2.2012 | 3.2.2.2105 |
metering-mcmui | 3.2.2.2012 | 3.2.2.2105 |
metering-ui | 3.2.2.2012 | 3.2.2.2105 |
nginx-ingress-controller | 0.23.7 | 0.23.2105 |
node-exporter | v0.16.0-f6 | v0.16.0-f7 |
nvidia-device-plugin | 1.4 | 1.4.2105 |
prometheus | v2.8.0-f3 | v2.8.0-f4 |
prometheus-config-reloader | v0.31-f1 | v0.31-f2 |
prometheus-operator | v0.31-f1 | v0.31-f2 |
prometheus-operator-controller | v1.0.0-f2 | v1.0.0-f3 |
Updated charts in 3.2.1.2203
Chart | Previous (3.2.1.2105) version | New version |
---|---|---|
auth-idp | 3.3.2105 | 3.3.2203 |
auth-pap | 3.3.2012 | 3.3.2203 |
auth-pdp | 3.3.2105 | 3.3.2203 |
helm-api | 3.3.2105 | 3.3.2203 |
helm-repo | 3.3.2105 | 3.3.2203 |
ibm-cert-manager | 3.4.2105 | 3.3.2203 |
ibm-cert-manager-webhook | 3.4.2105 | 3.3.2203 |
ibm-custom-metrics-adapter | 3.4.2012 | 3.4.2105 |
ibm-icplogging | 3.3.2 | 3.3.6 |
ibm-icpmonitoring | 1.6.22105 | 1.6.12203 |
ibm-istio | 1.2.10 | 1.2.42203 |
ibmcloud-image-enforcement | 3.4.2105 | 3.3.2105 |
icp-catalog-chart | 3.3.2105 | 3.3.2203 |
icp-management-ingress | 3.4.2105 | 3.3.2203 |
icp-mongodb | 3.5.2105 | 3.3.2203 |
icp-nginx-ingress | 3.4.2105 | 3.3.2203 |
image-manager | 3.4.2105 | 3.3.2203 |
knative | 3.4.2105 | 3.3.2203 |
metering | 3.4.2105 | 3.3.2203 |
mgmt-repo | 3.3.2105 | 3.3.2203 |
mutation-advisor | 3.4.2105 | 3.3.2203 |
nvidia-device-plugin | 3.4.2105 | 3.3.2105 |
platform-ui | 3.4.2105 | 3.3.2203 |
security-onboarding | 3.3.2105 | 3.3.2203 |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2105 fix pack
The fixes included within this 3.2.1.2105 fix pack include all fixes that are included within the 3.2.2.2105 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2105 fix pack. The 3.2.1.2105 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2105 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2105 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2105 fix pack instead of this 3.2.1.2105 fix pack.
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.1.2105
Issue | Category | Description |
---|---|---|
43801 44227 41478 44913 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - Fixes a login issue in the management console or cloudctl. - Fixes a cluster login issue where the user is not authorized to update a release in development and production environments. - Resolves MongoDB connection timeout issues with auth-pdp in IBM Cloud Private Version 3.2.2 clusters. - Fixes an issue with one of the auth-idp pod platform-auth-service containers, where the certificates are not imported properly to Liberty during pod startup. |
41790 | Metering | Fixes an issue related to Metering Pod heap limit allocation that caused a JavaScript heap out of memory error. |
46474 | MongoDB | Fixes an issue where mongodump binary cannot connect to MongoDB. |
45446 46571 | Platform UI | This fix pack includes the following fixes: - Fixes an issue that caused a node to display as able to be scheduled when it is not. - Fixes scaling workload issues in the management console. |
Fixed security-related vulnerabilities in 3.2.1.2105
Issue | CVE-ID | Description |
---|---|---|
44229 44243 44356 44515 45537 | CVE-2020-1971 | OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the GENERAL_NAME_cmp function contains an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash. |
44552 44504 | CVE-2020-2773 | An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
46131 46243 | CVE-2020-5258 | Dojo dojo could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object. |
46403 46517 | CVE-2020-7924 | MongoDB Database Tools could allow a remote attacker to bypass security restrictions, caused by a flaw in the usage of a specific command line parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass certificate validation. |
44229 44243 44356 44515 45537 | CVE-2020-8265 | Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS enabled socket, an attacker could exploit this vulnerability to corrupt memory and cause a denial of service. |
44229 44243 44356 44515 45537 | CVE-2020-8287 | Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
44013 44534 | CVE-2020-8567 | Kubernetes Secrets Store CSI Driver for Vault Plugin, Azure Plugin, and GCP Plugin could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted SecretProviderClass object containing "dot dot" sequences (/../) to write arbitrary files on the system. |
44013 44534 | CVE-2020-8568 | Kubernetes Secrets Store CSI Driver could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted request containing "dot dot" sequences (/../) to write content to the host filesystem and sync file contents to Kubernetes Secrets. |
44013 44534 | CVE-2020-8569 | Kubernetes CSI snapshot-controller is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when processing a VolumeSnapshot custom resource. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the application to crash. |
40043 40086 | CVE-2020-14039 | Go could allow a remote attacker to bypass security restrictions, caused by improper validation on the VerifyOptions.KeyUsages EKU requirements during the X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system. |
44042 44182 | CVE-2020-14781 | An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. |
40043 40086 | CVE-2020-15586 | Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
40347 | CVE-2020-16845 | Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
42922 42966 44431 | CVE-2020-28362 | Golang Go is vulnerable to a denial of service, caused by improper input validation by the math/big.Int methods. By sending specially-crafted inputs, a remote attacker could exploit this vulnerability to cause the application to crash. |
42922 42966 44431 | CVE-2020-28366 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
42922 42966 44431 | CVE-2020-28367 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
44661 45346 | CVE-2020-28500 | Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
43626 43808 | CVE-2020-28851 | Golang Go is vulnerable to a denial of service, caused by improper input validation while parsing the -u- extension in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause an index out of range panic. |
43626 43808 | CVE-2020-28852 | Golang Go is vulnerable to a denial of service, caused by improper input validation while processing a BCP 47 tag in language.ParseAcceptLanguage. By sending a specially-crafted HTTP Accept-Language header, a remote attacker could exploit this vulnerability to cause a slice bounds out of range panic. |
44183 44234 44279 44357 44431 | CVE-2021-3114 | An unspecified error in Golang Go, in which the P224() Curve implementation can generate incorrect outputs, has an unknown impact and attack vector. |
44183 44234 44279 44357 44431 | CVE-2021-3115 | Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a command injection flaw when using the go get command to fetch modules that make use of cgo. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
43714 43939 43807 44330 44431 | CVE-2021-3121 | An unspecified error with the lack of certain index validation, also known as the "skippy peanut butter" issue in GoGo Protobuf has an unknown impact and attack vector. |
45535 45970 46130 | CVE-2021-3449 | OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash. |
45535 45970 46130 | CVE-2021-3450 | OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose. |
46682 46906 | CVE-2021-20228 | Ansible Engine could allow a local authenticated attacker to obtain sensitive information, caused by sensitive information not being masked or protected by the no_log feature by default. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
46403 46517 | CVE-2021-20334 | MongoDB Compass for Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper access control. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user. |
44470 44475 | CVE-2021-21303 | Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitize multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to send deceptive, obscure, or altered information to a terminal screen. |
44860 45539 | CVE-2021-22883 | Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to cause excessive memory usage and make the system run out of memory. |
44860 45539 | CVE-2021-22884 | Node.js is vulnerable to a denial of service, caused by an error when the whitelist includes "localhost6". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the "localhost6" domain and cause a denial of service. |
44611 45349 | CVE-2021-23337 | All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template. |
44860 45539 | CVE-2021-23840 | OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash. |
46011 46129 | CVE-2021-26296 | Apache MyFaces is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. |
45159 45335 | CVE-2021-27918 | Golang Go is vulnerable to a denial of service, caused by an infinite loop flaw when using xml.NewTokenDecoder with a custom TokenReader. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
45159 45335 | CVE-2021-27919 | Golang Go is vulnerable to a denial of service, caused by a flaw in the Reader.Open API when using a ZIP archive containing files whose names start with ../ . By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
The 3.2.1.2012 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.
Updated images in 3.2.1.2105
Image | Previous version | New version |
---|---|---|
alertmanager | v0.15.0-f4 | v0.15.0-f5 |
collectd-exporter | v0.4.0-f4 | v0.4.0-f5 |
configmap-reload | v0.2.2-f4 | v0.2.2-f5 |
curl | 4.2.0-build.9 | 4.2.0-build.10 |
dashboard-controller | v1.1.0-f1 | v1.1.0-f3 |
grafana | 5.2.0-f4 | 5.2.0-f5 |
iam-policy-decision | 3.2.1.2012 | 3.2.1.2105 |
ibmcloud-image-enforcement | 0.2.2.2012 | 0.2.2.2105 |
icp-catalog-ui | 3.2.1.2012 | 3.2.1.2105 |
icp-cert-manager-acmesolver | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-cainjector | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-controller | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-cert-manager-webhook | 0.7.0.1-f2012 | 0.7.0.1-f2105 |
icp-elasticsearch-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-filebeat-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-helm-api | 3.2.1.2012 | 3.2.1.2105 |
icp-helm-repo | 3.2.1.2012 | 3.2.1.2105 |
icp-image-manager | 2.2.6.2001 | 2.2.6.2105 |
icp-inception | 3.2.1.2012-ee | 3.2.1.2105-ee |
icp-initcontainer | 1.0-icp-build-2012 | 1.0-icp-build-2105 |
icp-kibana-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-logstash-oss | 6.8.10-build.4 | 6.8.14-build.1 |
icp-management-ingress | 2.4.0.1910 | 2.4.0.2105 |
icp-mongodb-exporter | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb-install | 3.4.0.2008 | 3.4.0.2105 |
icp-mongodb | 4.0.20.2012 | 4.0.24.2105 |
icp-platform-auth | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-header | 3.2.1.2012 | 3.2.1.2105 |
icp-platform-ui | 3.2.1.2012 | 3.2.1.2105 |
indices-cleaner | 1.3.0-build.2 | 1.3.0-build.4 |
kube-state-metrics | v1.3.0-f4 | v1.3.0-f5 |
logging-pki-init | 2.3.0-build.7 | 2.3.0-build.8 |
metering-data-manager | 3.2.1.2012 | 3.2.1.2105 |
metering-mcmui | 3.2.1.2012 | 3.2.1.2105 |
metering-ui | 3.2.1.2012 | 3.2.1.2105 |
nginx-ingress-controller | 0.23.7 | 0.23.2105 |
node-exporter | v0.16.0-f4 | v0.16.0-f6 |
nvidia-device-plugin | 1.4 | 1.4.2105 |
prometheus | v2.8.0-f1 | v2.8.0-f3 |
prometheus-config-reloader | v0.31 | v0.31-f1 |
prometheus-operator | v0.31 | v0.31-f1 |
prometheus-operator-controller | v1.0.0 | v1.0.0-f2 |
tiller | v2.16.12-icp-3.2.1.2012 | v2.16.12-icp-3.2.1.2105 |
Updated charts in 3.2.1.2105
Chart | Previous (3.2.1.2008) version | New version |
---|---|---|
auth-idp | 3.3.2012 | 3.3.2105 |
auth-pdp | 3.3.2012 | 3.3.2105 |
helm-api | 3.3.2012 | 3.3.2105 |
helm-repo | 3.3.2012 | 3.3.2105 |
ibm-cert-manager | 3.3.2012 | 3.3.2105 |
ibm-cert-manager-webhook | 3.3.2012 | 3.3.2105 |
ibm-custom-metrics-adapter | 3.3.2012 | 3.3.2105 |
ibm-icplogging | 3.3.1 | 3.3.2 |
ibm-icpmonitoring | 1.6.12012 | 1.6.12105 |
ibm-istio | 1.2.4.2012 | 1.2.4.2105 |
ibmcloud-image-enforcement | 3.3.2012 | 3.3.2105 |
icp-catalog-chart | 3.3.2012 | 3.3.2105 |
icp-management-ingress | 3.3.1910 | 3.3.2105 |
icp-mongodb | 3.3.2012 | 3.3.2105 |
icp-nginx-ingress | 3.3.2012 | 3.3.2105 |
image-manager | 3.3.2001 | 3.3.2105 |
knative | 3.3.2012 | 3.3.2105 |
metering | 3.3.2012 | 3.3.2105 |
mgmt-repo | 3.3.2012 | 3.3.2105 |
mutation-advisor | 3.3.2012 | 3.3.2105 |
nvidia-device-plugin | 3.3.0 | 3.3.2105 |
platform-ui | 3.3.2012 | 3.3.2105 |
security-onboarding | 3.3.2012 | 3.3.2105 |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2012 fix pack
The fixes included within this 3.2.1.2012 fix pack include all fixes that are included within the 3.2.2.2012 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2012 fix pack. The 3.2.1.2012 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2012 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2012 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2012 fix pack instead of this 3.2.1.2012 fix pack.
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.1.2012
Issue | Category | Description |
---|---|---|
42961 42922 | Certificate management | This fix updates Go to resolve a security-related vulnerability (CVE-2020-28362). |
43382 | Istio | This fix updates the cert-manager-controller image version to version 0.7.0.1-f2012. |
40202 | Kubernetes | This fix updates the image enforcement policy to add the QPS option for the kube-client that is initialized in the admission controller. |
41644 41614 | Metering | This fix updates the Node.js and base image versions to address security-related vulnerabilities. |
39471 40347 40043 41424 41614 42039 43273 43274 43276 43278 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue is resolved that affected the auth-pdp connection to mongodb when the mongodb pod restarts. - An issue is resolved that affected platform-identity-manager for handling an invalid roles attribute name in team payload. - The users getTeams API performance is improved. - Go is upgraded to version 1.14.12 to address security-related vulnerabilities. - WebSphere Liberty is upgraded to version 20.0.0.10 to address security-related vulnerabilities. - Java is upgraded to version 1.8.0_271 to address security-related vulnerabilities. - The Python cryptography package is upgraded to version 3.3.1 to address security-related vulnerabilities. |
Fixed security-related vulnerabilities in 3.2.1.2012
Issue | CVE-ID | Description |
---|---|---|
34823 | CVE-2019-1551 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information. |
38874 42039 | CVE-2020-8203 | Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system. |
41426 | CVE-2020-15187 | Helm could allow a remote authenticated attacker to bypass security restrictions, caused by an issue with containing duplicates of the same entry in the plugin.yaml file. By sending a specially-crafted input, an attacker could exploit this vulnerability to modify a plugin's install hooks to perform a local execution attack. |
41426 | CVE-2020-15186 | Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of the plugin names. By sending a specially-crafted input, an attacker could exploit this vulnerability to duplicate the name of another plugin or spoof the output of helm --help. |
41426 | CVE-2020-15185 | Helm could allow a remote authenticated attacker to bypass security restrictions, caused by an issue with allowing duplicates of the same chart entry in the repository index file. By sending a specially-crafted input, an attacker could exploit this vulnerability to inject a bad chart into a repository. |
41426 | CVE-2020-15184 | Helm could allow a remote attacker to bypass security restrictions, caused by improper input validation of the alias field on a Chart.yaml. By sending a specially-crafted input, an attacker could exploit this vulnerability to inject unwanted information into a chart. |
41614 | CVE-2020-8252 | Node.js is vulnerable to a buffer overflow, caused by improper bounds checking by the libuv's fs.realpath.native. |
40043 | CVE-2020-15586 | Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
40043 | CVE-2020-14039 | Go could allow a remote attacker to bypass security restrictions, caused by improper validation on the VerifyOptions.KeyUsages EKU requirements during the X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system. |
40347 42039 | CVE-2020-16845 | Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. |
41424 42039 | CVE-2020-4590 | IBM WebSphere Application Server Liberty running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. |
43169 | CVE-2020-25659 | python-cryptography could allow a remote attacker to obtain sensitive information, caused by a Bleichenbacher timing attack. |
39032 | CVE-2020-8169 | cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to correctly URL encode the credential data when set using a curl_easy_setopt option. The host name and partial password are leaked in cleartext over DNS on HTTP redirect. An attacker could exploit this vulnerability to obtain sensitive information. |
39032 | CVE-2020-8177 | cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file. |
42920 | CVE-2020-14792 | An unspecified vulnerability in related to the component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. |
42920 | CVE-2020-14797 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
42920 | CVE-2020-14781 | An unspecified vulnerability in Java SE, Java SE Embedded related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. |
42920 | CVE-2020-14779 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
42920 | CVE-2020-14798 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
42920 | CVE-2020-14796 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. |
42921 | CVE-2020-14782 | An unspecified vulnerability in Java SE, Java SE Embedded related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
The 3.2.1.2012 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.
Updated images in 3.2.1.2012
Image | Previous version | New version |
---|---|---|
audit-policy-controller | 3.2.1.1910 | 3.2.1.2012 |
iam-policy-administration | 3.2.1.2008 | 3.2.1.2012 |
iam-policy-controller | 3.2.1.2001 | 3.2.1.2012 |
iam-policy-decision | 3.2.1.2006 | 3.2.1.2012 |
ibmcloud-image-enforcement | 0.2.2.2001 | 0.2.2.2012 |
icp-catalog-ui | 3.2.1.2006 | 3.2.1.2012 |
icp-cert-manager-acmesolver | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-cert-manager-cainjector | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-cert-manager-controller | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-cert-manager-webhook | 0.7.0.1-f2001 | 0.7.0.1-f2012 |
icp-helm-api | 3.2.1.2006 | 3.2.1.2012 |
icp-helm-repo | 3.2.1.2006 | 3.2.1.2012 |
icp-helm-rudder | 3.2.1.2006 | 3.2.1.2012 |
icp-iam-onboarding | 3.2.1.2006 | 3.2.1.2012 |
icp-identity-manager | 3.2.1.2008 | 3.2.1.2012 |
icp-identity-provider | 3.2.1.2008 | 3.2.1.2012 |
icp-inception | 3.2.1.2008-ee | 3.2.1.2012-ee |
icp-mongodb | 4.0.16.2008 | 4.0.20.2012 |
icp-oidcclient-watcher | 3.2.1.2001 | 3.2.1.2012 |
icp-platform-api | 3.2.1.2008 | 3.2.1.2012 |
icp-platform-auth | 3.2.1.2008 | 3.2.1.2012 |
icp-platform-header | 3.2.1.2006 | 3.2.1.2012 |
icp-platform-ui | 3.2.1.2006 | 3.2.1.2012 |
icp-secret-watcher | 3.2.1.2001 | 3.2.1.2012 |
metering-data-manager | 3.2.1.2008 | 3.2.1.2012 |
metering-mcmui | 3.2.1.2008 | 3.2.1.2012 |
metering-ui | 3.2.1.2008 | 3.2.1.2012 |
tiller | v2.12.3-icp-3.2.1.1911 | v2.16.12-icp-3.2.1.2012 |
Updated charts in 3.2.1.2012
Chart | Previous (3.2.1.2008) version | New version |
---|---|---|
audit-logging | 3.3.1910 | 3.3.2012 |
auth-idp | 3.3.2008 | 3.3.2012 |
auth-pap | 3.3.2008 | 3.3.2012 |
auth-pdp | 3.3.2008 | 3.3.2012 |
helm-api | 3.3.2006 | 3.3.2012 |
helm-repo | 3.3.2006 | 3.3.2012 |
iam-policy-controller | 3.3.2001 | 3.3.2012 |
ibm-cert-manager | 3.3.2001 | 3.3.2012 |
ibm-cert-manager-webhook | 3.3.2001 | 3.3.2012 |
ibm-istio | 1.2.4 | 1.2.4.2012 |
ibmcloud-image-enforcement | 3.3.2001 | 3.3.2012 |
icp-catalog-chart | 3.3.2006 | 3.3.2012 |
icp-mongodb | 3.3.2008 | 3.3.2012 |
metering | 3.3.2008 | 3.3.2012 |
mgmt-repo | 3.3.2006 | 3.3.2012 |
oidcclient-watcher | 3.3.2001 | 3.3.2012 |
platform-api | 3.3.2008 | 3.3.2012 |
platform-ui | 3.3.2008 | 3.3.2012 |
secret-watcher | 3.3.2001 | 3.3.2012 |
security-onboarding | 3.3.2008 | 3.3.2012 |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2008 fix pack
The fixes included within this 3.2.1.2008 fix pack include all fixes that are included within the 3.2.2.2008 fix pack that do not apply to the updated version of Kubernetes of the 3.2.2.2008 fix pack. The 3.2.1.2008 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2008 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2008 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2008 fix pack instead of this 3.2.1.2008 fix pack.
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.1.2008
Issue | Category | Description |
---|---|---|
39229 | Calico | Calico is upgraded to version 3.8.9 to address a security vulnerability. |
40048 | Kubernetes | This fix updates the Kubernetes ingress-nginx to address a security vulnerability related to ingress-nginx. |
31863 34244 35166 35312 35476 37301 37619 38548 39076 39222 40036 | Logging | This fix pack includes the following fixes: - Elastic Stack components (Logstash, Filebeat, Elasticsearch, Kibana) are upgraded from version 6.6.1 to version 6.8.10 to address security vulnerabilities. - The logstash-input-beats plug-in is upgraded to version 6.0.11. |
38874 | Metering | This fix updates Lodash version to version 4.17.19 to address security vulnerabilities. |
40270 | Platform-API | This fix updates platform-api to fix crashes with "fatal error: concurrent map read and map write". |
35815 | Security - Identity and Access Management (IAM) | This fix pack includes fixes to resolve security-related vulnerabilities. |
Fixed security-related vulnerabilities in 3.2.1.2008
Issue | CVE-ID | Description |
---|---|---|
31863 | CVE-2019-1547 | OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation. |
31863 | CVE-2019-1549 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information. |
35166 35312 | CVE-2019-1551 | OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
31863 | CVE-2019-1563 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information. |
35476 | CVE-2020-7238 | Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. |
34244 | CVE-2019-7620 | Elastic Logstash is vulnerable to a denial of service, caused by a flaw in the Beats input plugin. By sending a specially-crafted network packet, a remote attacker could exploit this vulnerability to cause the application to stop responding. Upgrade to the latest version of Logstash (6.8.4, 7.4.1 or later), available from the Elastic Web site. |
37619 | CVE-2019-11612 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. |
35851 | CVE-2019-15604 | Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort. |
35851 | CVE-2019-15605 | Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
35851 | CVE-2019-15606 | Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons. |
38548 | CVE-2020-7012 | Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the Upgrade Assistant. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system. |
38548 | CVE-2020-7013 | Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in TSVB. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code in the context of the Kibana process on the host system. |
38548 | CVE-2020-7015 | Elastic Kibana is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in TSVB visualization. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
39076 | CVE-2020-7614 | Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by a race condition in the response headers. By sending specially-crafted requests, an attacker could exploit this vulnerability to obtain sensitive information of another user from the response header. |
37996 | CVE-2020-7921 | MongoDB Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper serialization of internal state in the authorization subsystem. An attacker could exploit this vulnerability to bypass IP whitelisting protection. |
38874 | CVE-2020-8203 | Fixed for the Metering component only. Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system. |
40048 | CVE-2020-8553 | Kubernetes ingress-nginx could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when the annotation nginx.ingress.kubernetes.io/auth-type: basic is used. By sending a specially crafted request, an attacker could exploit this vulnerability to create a new Ingress definition and replace the password file. |
38544 | CVE-2020-13401 | Docker Docker CE is vulnerable to a man-in-the-middle attack, caused by improper validation of router advertisements. By sending rogue router advertisements, an attacker could exploit this vulnerability using man-in-the-middle techniques to gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
39229 | CVE-2020-13597 | Clusters using Calico (version 3.14.0 and earlier), Calico Enterprise (version 2.8.2 and earlier), can be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege can reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default. This vulnerability allows an attacker to redirect full or partial network traffic from the node to the compromised pod. |
39222 | CVE-2020-14422 | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. |
The 3.2.1.2008 fix pack is cumulative and includes all fixes that were included in previous 3.2.1.x fix packs for IBM Cloud Private 3.2.1.
Updated images in 3.2.1.2008
Image | Previous version | New version |
---|---|---|
calico-cni | v3.5.2.1 | v3.8.9 |
calico-ctl | v3.5.2.1 | v3.8.9 |
calico-kube-controllers | v3.5.2.1 | v3.8.9 |
calico-node | v3.5.2.1 | v3.8.9 |
curl | 4.2.0-f4 | 4.2.0-build.6 |
default-http-backend | 1.5.2 | 1.5.5 |
iam-policy-administration | 3.2.1.2006 | 3.2.1.2008 |
icp-identity-manager | 3.2.1.2006 | 3.2.1.2008 |
icp-identity-provider | 3.2.1.2006 | 3.2.1.2008 |
icp-initcontainer | 1.0.0-f4 | 1.0.0-build.6 |
icp-mongodb | 4.0.12 | 4.0.16.2008 |
icp-mongodb-exporter | 3.2.1 | 3.4.0.2008 |
icp-mongodb-install | 3.2.1 | 3.4.0.2008 |
icp-platform-api | 3.2.1.2006 | 3.2.1.2008 |
icp-platform-auth | 3.2.1.2008 | 3.2.1.2008 |
indices-cleaner | 1.2.0 | 1.3.0-build.1 |
logging-pki-init | 2.3.0 | 2.3.0-build.3 |
metering-data-manager | 3.2.1.2006 | 3.2.1.2008 |
metering-mcmui | 3.2.1.2006 | 3.2.1.2008 |
metering-ui | 3.2.1.2006 | 3.2.1.2008 |
nginx-ingress-controller | 0.23.1.1911 | 0.23.7 |
Updated charts in 3.2.1.2008
Chart | Previous version | New version |
---|---|---|
auth-idp | 3.3.2006 | 3.3.2008 |
auth-pap | 3.3.2006 | 3.3.2008 |
auth-pdp | 3.3.2006 | 3.3.2008 |
calico | 3.3.0 | 3.8.9 |
ibm-calico-route-reflector | 3.3.0 | 3.8.9 |
ibm-custom-metrics-adapter | 3.3.2003 | 3.3.2008 |
ibm-icplogging | 2.4.1910 | 3.2.1 |
ibm-icpmonitoring | 1.6.1910 | 1.6.12008 |
icp-mongodb | 3.3.0 | 3.3.2008 |
icp-nginx-ingress | 3.3.1911 | 3.3.2008 |
knative | 3.3.1911 | 3.3.2008 |
metering | 3.3.2006 | 3.3.2008 |
mutation-advisor | 3.3.2003 | 3.3.2008 |
platform-api | 3.3.2006 | 3.3.2008 |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2006 fix pack
The fixes included within this 3.2.1.2006 fix pack include all fixes that are included within the 3.2.2.2006 fix pack that do not apply to the updated version of Kubernetes. The 3.2.1.2006 fix pack is intended for applying fixes to environments that use the 1.13.12 version of Kubernetes. If you apply the 3.2.2.2006 fix pack to upgrade the supported Kubernetes version, do not apply the 3.2.1.2006 fix pack. If you need to upgrade the supported Kubernetes version, you must apply the 3.2.2.2006 fix pack instead of this 3.2.1.2006 fix pack.
Review the following tables, which identify the list of fixes and changes that are included in this fix pack, to see whether your reported problem was fixed:
Fixed problems in 3.2.1.2006
Issue | Category | Description |
---|---|---|
35851 36565 | Catalog-UI | This fix updates Node.js to resolve security-related vulnerabilities. |
36566 | Helm API & Helm Repo | This fix updates the Node.js version to resolve security-related vulnerabilities. |
35721 35935 38934 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue with the GET userinfo API in platform-identity-provider is resolved. This issue caused intermittent failures with Helm upgrade and delete commands. - The LDAP recursiveSearch config variable is now configurable. The value can change between true and false as required when the LDAP user login process is running too slow due to nested user groups. - WebSphere Liberty is upgraded to version 20.0.0.5. - The IBM JDK is upgraded to version 1.8.0_sr6fp10. - Fixes to resolve security-related vulnerabilities. |
38934 | Policy Decision Point (PDP) | This fix improves the performance of the PDP service and resolves an issue that caused a container restart due to memory leak error. |
35928 38647 | Metering | This fix updates the Node.js version to address security-related vulnerabilities. |
35928 38647 | Multicluster-Endpoint | This fix updates the metering image version to version 3.2.2.2006. |
32149 32151 34859 35454 35527 35877 35879 36030 36233 36587 36817 37648 37844 37846 37944 | Security - Identity and Access Management (IAM) | This fix pack includes the following fixes: - An issue that caused a CrashLoopBackOff error for the auth-pap pod is resolved. - WebSphere Liberty is upgraded to version 20.0.0.5. - The IBM JDK is upgraded to version 1.8.0_sr6fp10. - Fixes to resolve security-related vulnerabilities. |
Fixed security-related vulnerabilities in 3.2.1.2006
Issue | CVE-ID | Description |
---|---|---|
38572 38573 | CVE-2018-1002102 | Kubernetes API server could allow a remote authenticated attacker to conduct phishing attacks, caused by an improper validation of URL redirection. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. |
34823 34859 | CVE-2019-1551 | OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By re-using the DH512 private key, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
31863 32149 | CVE-2019-1547 | OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the co-factor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation. |
31863 32149 | CVE-2019-1549 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information. |
31863 32149 | CVE-2019-1563 | OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information. |
31866 32151 | CVE-2019-5481 | cURL libcurl is vulnerable to a denial of service, caused by a double free flaw during kerberos FTP data transfer. By sending a specially-crafted size of data, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
31866 | CVE-2019-5482 | cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system. |
32678 23646 | CVE-2019-9947 | Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. |
32678 23646 | CVE-2019-9948 | Python could allow a remote attacker to bypass security restrictions, caused by improper input validation by the urllib. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass the blacklist file: URIs protection mechanisms. |
35851 35928 35952 35953 36565 36566 | CVE-2019-15604 | Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort. |
35851 35928 35952 35953 36565 36566 | CVE-2019-15605 | Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling an unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. |
35851 35928 35952 35953 36565 36566 | CVE-2019-15606 | Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons. |
32777 32933 | CVE-2019-16935 | Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
36569 36587 | CVE-2019-17573 | Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
37835 37846 | CVE-2020-2754 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2755 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2756 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2757 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2781 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
37835 37846 | CVE-2020-2800 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. |
37835 37846 | CVE-2020-2803 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
37835 37846 | CVE-2020-2805 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
37835 37846 | CVE-2020-2830 | Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. |
36802 36817 | CVE-2020-4303 | IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
36802 36817 | CVE-2020-4304 | IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
37620 37648 | CVE-2020-4329 | IBM WebSphere Application Server could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. |
37833 37844 | CVE-2020-4421 | IBM WebSphere Application Liberty could allow an authenticated user using openidconnect to spoof another user's identity. |
38545 38647 38649 38650 | CVE-2020-8172 | Node.js could allow a remote attacker to bypass security restrictions. The 'session' event could be emitted before the 'secureConnect' event and possibly allow for the reuse of the TLS session. An attacker could exploit this vulnerability to bypass host certificate verification and gain access to the system. |
38545 38647 38649 38650 | CVE-2020-8174 | Node.js is vulnerable to a buffer overflow, caused by multiple memory corruptions in the napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() functions. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service. |
38545 38647 38649 38650 | CVE-2020-10531 | International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. |
38545 38647 38649 38650 | CVE-2020-11080 | Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2 session frame which is limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources. |
Updated images in 3.2.1.2006
Image | Previous version | New version |
---|---|---|
iam-policy-administration | 3.2.1.2003 | 3.2.1.2006 |
iam-policy-decision | 3.2.1.2001 | 3.2.1.2006 |
icp-iam-onboarding | 3.2.1 | 3.2.1.2006 |
icp-catalog-ui | 3.2.1.2001 | 3.2.1.2006 |
icp-helm-api | 3.2.1.2001 | 3.2.1.2006 |
icp-helm-repo | 3.2.1.1911 | 3.2.1.2006 |
icp-identity-manager | 3.2.1.2003 | 3.2.1.2006 |
icp-identity-provider | 3.2.1.2003 | 3.2.1.2006 |
icp-platform-auth | 3.2.1.2003 | 3.2.1.2006 |
icp-platform-header | 3.2.1.2003 | 3.2.1.2006 |
icp-platform-ui | 3.2.1.2003 | 3.2.1.2006 |
metering-data-manager | 3.2.1.2001 | 3.2.1.2006 |
metering-mcmui | 3.2.1.1911 | 3.2.1.2006 |
metering-ui | 3.2.1.1911 | 3.2.1.2006 |
Updated charts in 3.2.1.2006
Chart | Previous version | New version |
---|---|---|
auth-idp | 3.3.2003 | 3.3.2006 |
auth-pap | 3.3.2003 | 3.3.2006 |
auth-pdp | 3.3.2003 | 3.3.2006 |
helm-api | 3.3.2001 | 3.3.2006 |
helm-repo | 3.3.1911 | 3.3.2006 |
icp-catalog-chart | 3.3.2001 | 3.3.2006 |
metering | 3.3.2001 | 3.3.2006 |
mgmt-repo | 3.3.1911 | 3.3.2006 |
platform-ui | 3.3.2003 | 3.3.2006 |
security-onboarding | 3.3.2003 | 3.3.2006 |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2003 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack:
Fixed problems in 3.2.1.2003
Issue | Category | Description |
---|---|---|
32959 | Custom metrics adapter | This fix updates the Go programming language version to version 1.12.12. |
34434 | Installer | This fix resolves an issue that caused any customization of OpenID Connect (OIDC) to be overwritten when applying a fix pack. |
32959 | Metrics server | This fix updates the Go programming language version to version 1.12.17. |
32959 | MinIO storage | This fix updates the Go programming language version to version 1.12.17. |
35939 | Mutation Advisor | This fix updates MinIO to version RELEASE.2019-04-09T01-22-30Z.2003, and updates the MinIO client (mc) to version RELEASE.2019-04-03T17-59-57Z.2003. |
32705 34691 36538 | Platform UI | This fix pack includes the following fixes: - The console Overview page is updated to display all resources and associated values. - The Nodes page and Configmaps page are updated to reduce load times. |
1334 | Policy Administration Point (PAP) | This fix resolves an issue that caused a CreateContainerError with icp-mongodb pods by reusing a single mongodb connection for policy APIs in the Policy Administration Point (PAP). |
35527 35879 36030 36233 36345 | Security-IAM | This fix pack includes the following fixes: - WebSphere Application Server Liberty is upgraded to version 20.0.0.2. - The IDTOKEN_LIFETIME parameter format is updated to support minutes and seconds. - The IBM SDK, Java Technology Edition Quarterly CPU is updated to the January 2020 version. |
35939 | Vulnerability Advisor | This fix updates the sas-base and ma-file-annotator image version to version 3.2.0.2003 to remediate a nodejs security vulnerability. |
Fixed security-related vulnerabilities in 3.2.1.2003
Issue | CVE-ID | Description |
---|---|---|
36345 | CVE-2019-4732 | IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618. |
34260 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
35836 36345 | CVE-2020-2583 | An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
35836 36345 | CVE-2020-2593 | An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. |
35836 36345 | CVE-2020-2604 | An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to take control of the system. |
35836 36345 | CVE-2020-2659 | An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.2001 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
Fixed problems in 3.2.1.2001
Issue | Category | Description |
---|---|---|
34557 | Catalog-UI | This fix updates the instance details page to correct overlapping text and notifications. |
32710 32899 34614 | Certificate Management - cert-manager, cert-manager-webhook, cert-manager-cainjector | This fix updates the Go programming language version to version 1.13.2. |
34557 34784 | Helm-API | This fix resolves an issue that caused the helm-api container to crash when Helm repositories failed to synchronize. |
34484 | Helm Releases and Search | This fix resolves an issue that caused the Helm release status to incorrectly show "superseded". |
902 34916 | Helm-CRD-Admission-Controller | This fix resolves an issue that caused the permissions check for the cluster administrator role to fail. |
32959 | IBM Cloud Private registry | This fix updates icp-registry version 2.6.2.5.2001 to upgrade the Go programming language version to version 1.12.3. |
32900 | IBM Multicloud Manager | This fix updates the Go programming language version to version 1.12.14 for the icp-findings-adapter image. |
33042 34916 | Identity and Access Management (IAM) - platform-auth-service, platform-oidc ingress | This fix updates HTTP request headers to prevent a CORS vulnerability. |
32959 | Image enforcement | This fix updates image-enforcement version 0.2.2.2001 to upgrade the Go programming language version to version 1.12.3. |
32959 | Image manager | This fix updates image-manager version 2.2.6.2001 to upgrade the Go programming language version to version 1.12.3. |
34319 34782 | Install | This fix pack includes the following fixes: - An issue is resolved that prevented users from running the addon command when they set hostname as kubelet_nodename within the config.yaml file. - The install process is updated to complete actions on the MongoDB admin secrets when users upgrade IBM Cloud Private to version 3.2.1.2001 or roll back to 3.1.1. |
35287 | Istio | This fix updates the cert-manager-controller image version to version 0.7.0.1-f2001. |
34461 | Metering | This fix resolves an issue that caused the metering reader to crash when the productID annotation for the workload exists but the productName or productVersion annotations are missing. |
30907 34660 | Multicluster-Endpoint | This fix pack includes the following fixes: - The CPU consumption of the klusterlet-component-operator is reduced by reducing the frequency of reconciliations with the operator. - The Tiller image is updated to version 3.2.1.1911. - The metering images are updated to version 3.2.1.1911. |
30907 34204 34660 34735 | Platform-API | This fix pack includes the following fixes: - The default multicluster-endpoint version is updated to version 3.2.1.2001. - The management console is updated to prevent IP addresses from being disclosed on the Install CLI tools page. |
34227 | Platform Header | This fix updates the management console to redirect users to the Login page when a session expires. |
33797 33912 | Platform UI | This fix pack includes the following fixes: - The namespace dropdown for all namespaced resource pages is now searchable. - The namespace dropdown now defaults to the first namespace within the list, rather than All Namespaces. - Performance improvements are added to the deployments page to decrease loading times when many namespaces are present. - A DISABLE_LAUNCH_LINKS environment variable can now be added to the platform-ui daemonset to disable launch links on the overview deployments page to further decrease loading times. |
34406 | Policy governance, risk and compliance | This fix updates Lodash version to version 4.17.15 to address a denial of service vulnerability. |
34307 34916 | Security-IAM | This fix pack includes the following fixes: - The Go programming language version is updated to version 1.13.4. - WebSphere Liberty is upgraded to version 19.0.0.12. |
28994 | Service discovery (kube-dns) | This fix removes hostname rewrite in kube-dns configmap to prevent issues with OpenID Connect (OIDC) onboarding. |
Fixed security-related vulnerabilities in 3.2.1.2001
Issue | CVE-ID | Description |
---|---|---|
34916 | CVE-2019-4663 | IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245. |
34391 34406 | CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
32781 | CVE-2019-11253 | Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. |
32710 32900 32959 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
34307 34614 34657 | CVE-2019-17596 | Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. |
34391 34406 | CVE-2019-1010266 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11. |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.1911 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
Fixed problems in 3.2.1.1911
Issue | Category | Description |
---|---|---|
33385 33475 | Audit logging | This fix updates the audit logging service so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool, such as QRadar and Splunk, on Red Hat OpenShift Container Platform. |
32708 33736 | Catalog-UI | This fix pack includes the following fixes: - The packaged Lodash is updated from version 4.17.5 to version 4.17.12. - The Catalog is updated to display the service broker service plan picker icon. |
33420 34132 | etcd | This fix corrects an issue in which etcd failed to run as the etcd user with the ID 2375 when that user already existed on the hosts. |
28870 32707 32838 | Helm-Tiller (helm-repo, mgmt-repo, helm-api, and rudder) | This fix pack includes the following fixes: - The Go programming language version is updated to version 1.12.11. - The packaged Lodash is updated from version 4.17.5 to a version that is greater than 4.17.12. - An issue is resolved for the audit service when SELinux enforcement is enabled. The issue caused the audit container to lack the privileges for sending and rotating audit logs. With this fix, the audit sidecar service can run in an environment where SELinux enforcement is enabled. |
28870 32707 32838 | Helm-Tiller (tiller) | This fix updates the Go programming language version to version 1.12.1. |
32956 33082 | IBM Multicloud Manager | This fix pack includes the following fixes: - The Kubernetes CLI (kubectl) image version is updated to version 1.13.11. - The Go programming language version for the IBM Multicloud Manager API is updated to version 1.12.10. |
32688 32875 32940 33363 33389 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - Support is added for enabling and disabling SAML without requiring WebSphere Liberty to be restarted. - WebSphere Liberty is upgraded to version 19.0.0.11. - An issue is fixed that caused nil values during authorization to be handled improperly. - An issue is fixed that caused the at_hash field for the identity token that is generated by the platform-identity-provider to not conform to OpenID specifications. - An issue is fixed that caused a problem with configuring an LDAP connection for Red Hat LDAP and Oracle LDAP. |
33385 | Install | This fix removes an obsolete port check for port 8443. |
34175 | Istio | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
171 32710 32950 | Key Management Service (KMS) | This fix updates the Go programming language version to version 1.13.1. |
419 32710 32950 | Key Management Service (KMS) plug-in | This fix updates the Go programming language version to version 1.13.1. |
34186 | Knative | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
32862 | Kubernetes | This fix resolves an issue for high availability (HA) that caused a pod to still be in the Running state even when the Docker service was stopped on the master node. As part of this fix, a readiness probe is added for the kube-dns DaemonSet, along with an additional default toleration. |
33422 | Metering | This fix updates the packaged Lodash version to a version greater than 4.17.12. |
34181 | Mutation advisor | The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool. |
419 32710 | Notary service | This fix updates the Go programming language version to version 1.13.1. |
33331 33388 | Platform-API | This fix pack includes the following fixes: - The packaged Kubernetes CLI (kubectl) is updated from version 1.13.9 to version 1.13.11. - The Swagger UI is updated to version 3.24.0. |
32355 32463 32711 32771 33424 | Platform UI | This fix pack includes the following fixes: - The kubectl version is updated to version 1.13.11. - The packaged Lodash is updated to version 4.17.12. - The platform UI is updated to not delete service IDs from a team when a new user is added. - The management console is updated to display an error message when an error occurs during the deletion of a service ID that is associated with a team. |
34179 | Policy administration point | The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool. |
34185 | Search | This fix updates the Kubernetes CLI (kubectl) image version to version 1.13.11.1911. |
32953 | System healthcheck service | This fix updates the Go programming language version to version 1.13.2. |
33080 | Visual Web Terminal | This fix pack includes the following fixes: - The packaged Kubernetes CLI (kubectl) is updated to version 1.13.11. - A bug is fixed that prevented users from using various Helm commands in Visual Web-terminal. |
34176 34183 | Vulnerability Advisor | This fix pack includes the following fixes: - The Kubernetes CLI (kubectl) image version is updated to version 1.13.11. - The IBM Cloud Private audit service (icp-audit-service) image version is updated to 3.2.1.1911 so that the audit sidecar service can send audit logs to a security information and event management (SIEM) tool. |
32904 | Web-terminal | This fix removes the tar command for security-related reasons. |
Fixed security-related vulnerabilities in 3.2.1.1911
Issue | CVE-ID | Description |
---|---|---|
32147 32379 | CVE-2019-16843 | Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. |
32147 32379 | CVE-2019-16844 | Fixed for the NGINX ingress component only. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. |
31863 32147 32379 | CVE-2019-1547 | Fixed for the NGINX ingress component only. Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
31863 32147 32379 | CVE-2019-1549 | Fixed for the NGINX ingress component only. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). |
31863 32147 32379 | CVE-2019-1563 | Fixed for the NGINX ingress component only. In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
32602 32940 | CVE-2019-4304 | IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950. |
32607 32940 | CVE-2019-4305 | IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951. |
32608 32940 | CVE-2019-4441 | IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177. |
32379 | CVE-2019-9511 | Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
32979 33389 | CVE-2019-9512 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
32379 32979 33389 | CVE-2019-9513 | Fixed for the NGINX ingress component and icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. |
32979 33389 | CVE-2019-9514 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
32979 33389 | CVE-2019-9515 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
32379 | CVE-2019-9516 | Fixed for the NGINX ingress component only. Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. |
32979 33389 | CVE-2019-9517 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. |
32979 33389 | CVE-2019-9518 | Fixed for the icp-platform-auth image only. Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. |
32589 32707 32708 32711 33422 33424 33736 | CVE-2019-10744 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
32771 32839 33080 33082 33331 | CVE-2019-11251 | Kubernetes could allow a remote attacker to gain unauthorized access to the system, caused by an error in kubectl cp that allows a combination of two symlinks to copy a file outside of its destination directory. An attacker could exploit this vulnerability to write arbitrary files outside of the destination tree. |
32710 32838 32950 32952 32953 32956 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
32975 33388 | CVE-2019-17495 | A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that |
Reported problems that are fixed in the IBM Cloud Private 3.2.1.1910 fix pack
Review the list of fixed problems to see whether your reported problem was fixed in this fix pack.
Fixed problems in 3.2.1.1910
Issue | Category | Description |
---|---|---|
32779 | Certificate management | The duration for the default Root CA certificate is changed from 3650 days to 824 days to support changes to the trusted certificate requirements for macOS 10.15. |
32273 | Cluster management | This fix updates the management console to fix a bug on the Clusters page. This bug caused the table on the Nodes tab for a cluster to display the nodes for all imported clusters instead of the nodes for only the selected cluster. |
32108 | Docker | This fix corrects a Docker installation issue that prevented Docker from installing on Linux x86_64 hosts. |
31070 32051 32836 32837 | Identity and Access Management (IAM) | This fix pack includes the following fixes: - Support is added for the use of the underscore _ character in the LDAP server URL for authenticating LDAP. - An issue is fixed that caused the state parameter to be missing from callback URLs during OpenID Connect (OIDC) authentication. - A login issue is fixed that occurred when the team namespace resource is added without the scope field. - The Go programming language version is updated to version 1.12.10 to fix a publicly disclosed vulnerability. |
31107 31655 31763 | Management console | This fix pack includes the following fixes: - The management console is updated to avoid frequent reloads of the Teams page to request authorization of the user before the user can access the page again. - An error is corrected that caused the Overview page in the management console to have blank or missing resource overview cards when data is missing. |
32425 | Multicluster management endpoint | This fix pack includes the following fixes: - A bug is fixed that prevented clusters with a user deployed Tiller in the kube-system namespace from being successfully imported. - A bug is fixed that caused an ImagePullBackoff error for the Prometheus pod in the multicluster-endpoint namespace. - A bug is fixed that caused the service account to be continuously appended to the Users section of the privileged SecurityContextConstraint. This behavior caused the privileged SecurityContextConstraint to exceed the ETCD data size limit. |
28889 | Platform-API | This fix pack includes the following fixes: - The Docker Hub registry is set as the default registry for the Klusterlet self-destruct work. - A background thread runs that waits until resources are available before starting the auto-import process to prevent the process from starting prematurely. - A bug is fixed for the cloudctl mc cluster import operation that caused --kube-host to be applied incorrectly. - A bug is fixed for the cloudctl mc cluster delete operation that caused resources to be deleted in the wrong order, which then required clusters to be manually deleted. |
Fixed security-related vulnerabilities in 3.2.1.1910
Issue | CVE-ID | Description |
---|---|---|
32147 | CVE-2019-1547 | Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases, it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used, then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
32147 | CVE-2019-1549 | OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). |
32147 | CVE-2019-1563 | In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). |
19587 31145 | CVE-2019-9512 | Fixed for Heketi only. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
19587 31145 | CVE-2019-9514 | Fixed for Heketi only. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
32681 | CVE-2019-9947 | Fixed for the icp-storage-util image only. An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. |
32681 | CVE-2019-9948 | Fixed for the icp-storage-util image only. urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. |
31724 | CVE-2019-11250 | The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. |
19587 31145 | CVE-2018-14647 | Fixed for the icp-storage-util image only. Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable. |
19587 31145 | CVE-2019-14809 | Fixed for Heketi only. net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. |
32837 | CVE-2019-16276 | Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
Reported problems that are fixed in IBM Cloud Private 3.2.1
Review the list of fixed problems to see whether your reported problem was fixed in this release.
Issue | Description |
---|---|
21259 | How to deploy a Helm release without manually changing the image repository |
21733 | Web terminal does not work |
25482 | IBM Cloud Private - web terminal issue |
21187 | Installer does not upload the password rule of default admin into ICP API service |
23733 | Worker nodes still displayed via cloudctl command after removing them |
21703 | CF 3.1.2 Offline Install Failing: Unable to Find Image cfp-config-manager-3.1.2-024 |
21044 | Client needs a patch or steps to update TLS 1.2 for port 443 (ingress) |
19766 | Low SSL vulnerabilities still showing after upgrading from 2.1.0.3 to 3.1 |
23949 | The server version - openresty/1.13.6.2 was disclosed in the HTTP server response header. |
19088 | vulnerability is 42873 - SSL Medium Strength Cipher Suites Supported |
17024 | Kibana service is in red status: config: Error 503 Service Unavailable |
24087 | Internal Server Error when attempt to view audit log on Kibana using a user who has Auditor role |
23975 | Auditor user can see application logs in Kibana discover |
20773 | cluster domain name starting with svc is breaking mongodb install |
24305 | Grafana direct rendering: Error templating init failed: Unauthorized |
22673 | ICP Mongodb in PodInitializing state |
20292 | Audit Log volume or rate is causing ELK to become unstable - Customer would like ingestion of Audit Logs to be disabled |
18073 | Installing Core service: Mongodb patch for IBM Cloud Private version 2.1.0.3 clusters breaks helm-api |
22130 | monitoring-prometheus fails to start with an error - Opening storage failed lock DB directory: resource temporarily unavailable |
23037 | There is no authority control in logging and monitoring when switched to them from the ICP console. |
18989 | cloudctl load chart fails from time to time |
19475 | EVRY: ICP 311: a user which is restricted to a given namespace cannot run helm |
23061 | Helm chart/repo resources rights |
25319 | How to restore local repo |
21408 | ibm-mariadb-dev helm chart broken for PPC platform on 3.1.1 |
20582 | Issues to apply some ICP 3.1.1 fixes |
24890 | skip_pre_check does not actually skip the cluster_CA_domain check |
21841 | 310->312 Load balancer address should be same as cluster CA domain |
21832 | pre-check the cluster status before upgrading |
24067 | Upgrade to 3.1.2 mandates matching cluster_CA_domain and cluster_lb_address |
22726 | The istio-proxy container shows exec format error on Power system |
23507 | Compliance UI shows a completely blank window |
23266 | MCM 3.1.2. MongoDB pod memory consumption |
24297 | Customer needs to restrict the source IP addresses which can access ICP |
22811 | CVE-2019-1002100 |
18941 | Detail steps to backup/restore on ICP CNE 3.1.x |
23586 | Error messages about mariadb occurred repeatedly Error: 105: Key already exists (/mariadb_lock) |
19029 | EVRY:High CPU use on Masters in multi-master ICP 311 |
21858 | ICP 2.1.0.3 - Failed to activate interim fix: icp-2.1.0.3-build502221 |
23721 | ICP 3.1.1 - Garbage collection failing |
20719 | Need a patch icp-2.1.0.3-build510945 applicable to amd64 platform |
23672 | Reference authority of Docker image from dashboard |
21368 | Unisys 2.1.0.3 Deployments Maxing out Workers, Nodes go Unhealthy |
14141 | Update ICP 2.1.0.3 to include a critical Kubernetes fix available in v1.10.5 |
25394 | /var/lib/calico/nodename should be removed when removing a node |
23438 | ICP4D: Failed install of ICP for Data v1.2.1 on RHEL7.5 VM (Softlayer). |
23645 | Cannot add additional resources to team / losing previously added ones too |
21856 | Container overview page is NOT available in ICP 3.1.2 |
23772 | Deployments - CREATED column is not accurate, or totally wrong |
21076 | EVRY:ICP 311 selected items are unselected at Edit |
21722 | Fresh 3.1.1 install - services are assigned master VIP instead of proxy VIP |
20586 | HA cluster: Inconsistency in the pod status - running or terminating |
23253 | ICP Web Console Deployments sorting (Created Date) does not work correctly |
19933 | LDAP password in plain text in browser UI in ICP 2.1.0.2 |
19562 | LDAP User search UI not in sync with backend response |
14225 | The popup window is too small to show LDAP string while creating a team |
23763 | Usability issue on creating a team page |
20867 | Adding LDAPS connection crashes platform-identity-mgmt container |
24999 | Console Login Failing with 400 Bad Request, MariaDB ERROR 1210 (HY000) at line 1: WSREP (galera) not started |
21567 | ICP 3.1.1 auth-idp pod keeps restarting |
21396 | In Group a User appears 2 times |
11994 | Inconsistent/erroneous behavior configuring LDAP for ICP |
23530 | Issue for fix Denied (LDAP user not recognized as cluster admin) |
20463 | LDAPS - incorrect user - error code 49 |
19930 | Logging in 10-20 times in a row with cloudctl login successful only 2 or 3 times |
21331 | Login via bx pr not working consistently from Jenkins pipeline |
22261 | OIDC errors for post-installed products (TA / MC / CAM) when SAML is enabled |
21897 | OIDC onboarding for workloads |
22980 | Request fix to change port 8443 / TCP over SSL to TLSv1.2 |
21555 | Unable to log in with LDAP but can add users with no problem |
22583 | Web interface unresponsive when navigating to a team |
24112 | MCM 3.1.2. Grafana dashboard does not reflect changes if a component of the Application is moved to other cluster |
23954 | New Rule function in Manage Whitelist for Mutation Advisor is vulnerable to stored cross site scripting (XSS) vulnerability. |
25439 | ICP 3.1.0 - VA Behavior in case of unsupported images |
18542 | Vulnerability Advisor - IP instead of the cluster name in the console |
18940 | CAM performance and HA |