Flash (Alert)
Abstract
This document lists the critical updates, including HIPER (Highly Pervasive) APAR fixes, that should be applied to IBM WebSphere DataPower SOA appliances.
Content
This document is kept current to provide you with the latest information. You can monitor for updates to this document using My Notifications. Important support information is also posted on Twitter.
This document describes Critical Actions you should take to mitigate or prevent problems, and Critical Updates (including HIPER APARs, which are APARs where the problem is Highly Pervasive), along with circumventions where possible.
Important: Create a privileged user id as a backup for the "admin" user id. This will allow you to reset the "admin" user id's password if that password is lost or forgotten, or if the "admin" id is locked out.
In order to increase the security features of the appliance, the lockout duration feature was added. APAR IC65339 reports a problem where the "admin" id is locked out when an incorrect password is entered multiple times for this id. The "admin" id continues to be locked out after the lockout duration has expired. Another privileged user id can reset the "admin" id's password regardless of whether the APAR fix is applied.
See: "admin" password lost or forgotten for IBM WebSphere DataPower SOA Appliances
Critical Updates
Important:
- Before installing any fix pack, review DataPower Knowledge Collection on firmware updates. This document provides best practices for upgrading firmware and information on downloading firmware images from Fix Central.
10/03/2012: Critical updates: Apply fix packs.
| APAR | Description | Resolution |
| IC81933 | Symptom: CRYPTO ENGINE HSM2 RUNTIME ERROR CODE 6 ON MACHINE TYPE 7199 / 7198 WITH HSM. Users Affected: Those with m/t 7199 or m/t 7198 appliances with the HSM feature installed and running 4.0.2. (This does not affect other releases.) Circumvention: Apply fix pack 4.0.2.6 or newer. | Fixpacks: 4.0.2.x |
04/05/2012: Critical updates: Apply fix packs.
| APAR | Description | Resolution |
| IC81486 | Symptom: Possible SSL connection hangs or failures using 4.0.1 or 4.0.2. Users Affected: Those with SSL configurations running 4.0.1 or 4.0.2 without this fix. (This does not affect 3.8.2 firmware users.) Circumvention: Apply fix packs. | Fixpacks: 4.0.2.x 4.0.1.x |
| IC81912 | Symptom: Message "Not permitting connection due to Normal throttling" is presented and intermittent connection rejections may occur unexpectedly. Users Affected: Those using the memory throttler. This problem is more likely to be seen when using 4.0.1 or 4.0.2. Circumvention: Apply fix packs. | Fixpacks: 4.0.2.x 4.0.1.x 3.8.2.x |
03/31/2012 Critical updates for M/T 9235: Apply fix packs 3.8.1.20, 3.8.2.11, 4.0.1.8, and 4.0.2.4, or newer.
| APAR | Description | Resolution |
| IC80983 | Symptom: M/T 9235 restarts. Users Affected: Those with M/T 9235 appliances which restart. See: IBM WebSphere DataPower M/T 9235 appliance may restart due to Baseboard Management Controller (BMC) communications loss. Circumvention: Apply fix packs. | Fixpacks: 4.0.2.x 4.0.1.x 3.8.2.x 3.8.1.x |
12/06/11 Critical updates: Apply fix pack 4.0.1.4, 4.0.2.1 or a newer fix pack to appliances running 4.0.1.3 and 4.0.2.0 with SSL enabled front side handlers.
| APAR | Description | Resolution |
| IC78949 | Symptom: SSL handshake failures on incoming connections to SSL enabled front side handlers can cause unpredictable failures in other transactions on the appliance. See APAR IC78949 for more details. Users Affected: Users of SSL-enabled HTTPS, IMS Connect, Stateless Raw XML, and Stateful Raw XML handlers using 4.0.1.0 through 4.0.1.3 and version 4.0.2.0. Customers using services with certain SSL-enabled handlers might see unpredictable failures in other transactions on the appliance. Circumvention: Apply fix pack 4.0.1.4 and 4.0.2.1, or newer fix pack. | Fixpacks: 4.0.1.x 4.0.2.x |
4/29/11 Critical updates: Apply fix pack 3.8.1.9 or newer to appliances with HSM feature.
| APAR | Description | Resolution |
| IC72366 | Symptom: IBM WebSphere DataPower appliance with the HSM feature running 3.8.1 may restart. Users Affected: All WebSphere DataPower Appliances with the HSM feature running firmware 3.8.1. Circumvention: Apply fix pack 3.8.1.9 or newer. | Fixpacks: XS40 3.8.1.x XI50 and XI50B version 3.8.1.x |
01/01/10 Critical update: Apply 3.8.0.1 or newer to all appliances to avoid system outages. All users are affected.
The following critical updates and HIPER APARs (APARs where the problem is Highly Pervasive) are included. If you cannot upgrade quickly, review the problems and circumventions. This firmware update is on Fix Central. See DataPower Knowledge Collection on firmware updates.
(note updated on 7/19/12 to point to supported firmware levels).
| APAR | Description | Resolution |
| IC64790 | Symptom: A recently discovered vulnerability in the renegotiation feature of the SSL and TLS protocols allows an attacker to inject an arbitrary string into the SSL session. This vulnerability is commonly referred to as the SSL Man-in-the-Middle (MITM) attack or CVE-2009-3555. For more information see: Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)? Users Affected: All WebSphere DataPower users. Circumvention: Apply fix pack as soon as possible or see this technote for circumvention: Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)? | Fixed in fix packs starting at: |
| IC63771 | Symptom: In some cases a firmware crash could cause the temporary file system to fill completely. This would either require a reboot to recover the appliance or cause the appliance to become completely unresponsive. Users Affected: All WebSphere DataPower users. Circumvention: None. Apply fix pack as soon as possible. Recovery: | Fixed in fix packs starting at: |
| IC64923 | Symptom: When an SQL injection filter is used while parsing large XML files, the performance of the SQL injection filter decreases and becomes very slow. Users Affected: All WebSphere DataPower ODBC Users. Circumvention: None. Apply fix pack as soon as possible. Recovery: | Fixed in fix packs starting at: |
| IC61470 | Symptom: The appliance stops responding to network traffic. When you connect with a serial cable, you can enter the admin id and the password for the admin id. After you enter the password, the appliance hangs for a moment, then prompts you to enter a user id again. You may also experience the symptoms noted in APAR IC61429, also listed as a critical update in this package. Users Affected: Appliances where the log targets write to the local appliance RAID volumes. Models: 9235/9004 with the optional hard drives: XI50 (9235-4BX, 9235-4CX, 9235-4DX, 9235-4FX), XS40 (9235-3BX, 9235-3DX), XB60 (9235-62x), and XM70 (9235-6BX). Running firmware: 3.7.1, 3.7.2, 3.7.3 or B2B and LLM at 1.0 or 3.7.3. Circumvention: Options to try: Recovery: Try the following steps: | Fixed in fix packs starting at: |
| IC61429 | Symptom: The appliance does not respond to the network. When you connect with a serial cable, you can enter your user id and password. After login you can enter only one CLI command. When "show filesystem" is entered as the one command, the output shows zero crypto space available. Users Affected: Appliances configured to connect to an IBM DB2 V9 or higher version database on a back-end server or computer. Models: 9235/9004 or 7993/9003, all XI50, XB60, and XM70. Running firmware: 3.7.1, 3.7.2, 3.7.3 or B2B and LLM at 1.0 or 3.7.3. Circumvention: Do not configure or connect to an IBM DB2 V9 or higher database. Recovery: | Fixed in fix packs starting at: |
| IC61427 | Symptom: System does not respond. On connection with a serial cable, you can log in but only enter one CLI command. When "show filesystem" is entered as the one command, the output shows zero crypto space available. Users Affected: All appliances showing zero crypto space as output from the "show filesystem" command. Models: All 9235/9004, 7993/9003, or 7993/9002. Running firmware: 3.7.1, 3.7.2, 3.7.3, or B2B and LLM at 1.0 or 3.7.3. Circumvention: None. Recovery: | Fixed in fix packs starting at: |