IBM Support

Fix list for IBM Cloud Orchestrator

Product Documentation


Abstract

This document contains a complete listing of releases, refreshes, fix packs and interim fixes sorted by version for IBM Cloud Orchestrator.

Content

Visit the IBM Support Portal for IBM Cloud Orchestrator to configure your support portal experience and review FAQs, lists of known problems, fixes, and a wealth of important support information.

Review the IBM Cloud Support BLOG article Enhance your IBM Cloud Support Experience for a complete list of the different support offerings along with a brief description on the best way to use each resource to improve your experience using IBM Cloud products and services.

Fix Pack 9 (2.5.0.9)

Link              Date Released   Status
                  April 2019      Current

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2019-4080: Potential denial of service in WebSphere Application Server Admin Console
  • CVE-2019-4046: WebSphere App Server - Out of Memory Exception can cause DOS
  • CVE-2018-11212 CVE-2019-2426 CVE-2019-2449 CVE-2019-2422 CVE-2018-12547 CVE-2018-12549 CVE-2018-1890: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2019 - Includes Oracle Jan 2019 CPU
  • CVE-2018-1996: Weaker than expected security when using transition mode for SP800-131a in WebSphere Application Server.
  • CVE-2018-1904: 3RD PARTY IBM WebSphere Application Server Deserialization.

This fix pack includes the following component versions installed:

  • NSX 6.4.4
  • WebSphere Application Server 8.5.5.15
  • IBM HTTP Server 8.5.5.15
  • IBM JDK 8.0.5.30
  • PowerVC 1.4.2 FP1
  • Red Hat Enterprise Linux 7.6 for x64
  • IBM SmartCloud® Cost Management 2106 ifix05:
    • Red Hat Enterprise Linux 7.6 for x64
    • IBM Java JDK 8.0.5.30

This fix pack does not include, but adds support for the following component versions:

  • IBM Cloud Manager with OpenStack 4.3 FP 13

Fix Pack 8 (2.5.0.8)

Link              Date Released   Status
Download 2.5.0.8  December 2018   Superseded

APAR     Description
ZZ00709  Problem with GET servers from SCOrchestrator Nova Support toolkit.
ZZ00708  IBM HTTP Server not configured correctly after the installation of V2.5.0.7.
ZZ00707  Some host names cause the IBM Cloud Orchestrator installer to fail when running the WCT tool.
ZZ00706  Port 35357 is not listed in the ports used by IBM Cloud Orchestrator.
ZZ00705  [IBM Cloud Orchestrator Keystone topology] Authentication models need explanation in the IBM Cloud Orchestrator documentation.
ZZ00704  IBM Cloud Orchestrator along with bring your own OpenStack (BYOOS) requires the "Default" domain to be created in OpenStack prior to the installation of IBM Cloud Orchestrator.

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2017-3736 CVE-2017-3732 CVE-2016-0705 CVE-2018-1517 CVE-2018-1656 CVE-2018-2964 CVE-2018-2973 CVE-2018-2952 CVE-2018-2940 CVE-2018-12539 - Multiple vulnerabilities in IBM® SDK Java™ Technology Edition that were disclosed as part of IBM Java SDK updates in July 2018.
  • CVEID: Not Applicable - The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server does not properly handle requests, which allows remote attackers to execute code.
  • CVE-2018-1695 - WebSphere Application Server form logout could be vulnerable to spoofing attack.
  • CVE-2018-1567 - A vulnerability in java deserialization can result in execution of untrusted data via the application server's SOAP port.
  • CVEID: Not Applicable - Cacheable HTTPS Response
  • CVE-2018-3183 CVE-2018-3169 CVE-2018-3149 CVE-2018-3180 CVE-2018-3214 CVE-2018-13785 CVE-2018-3136 CVE-2018-3139 - IBM SDK, Java Technology Edition Quarterly CPU - Oct 2018 - Includes Oracle Oct 2018 CPU
  • CVE-2018-1767 - 3RD PARTY XSS in IBM WebSphere CacheMonitor
  • CVE-2018-1777 - 3RD PARTY Reflected XSS in Admin Console
  • CVE-2018-1794 - 3RD PARTY Reflected XSS - WebSphereOauth20sp
  • CVE-2018-1793 - 3RD PARTY Reflected XSS in WebSphereSamISP
  • CVE-2014-7810 - WebSphere Application Server traditional and liberty vulnerability
  • CVE-2018-1770 - 3RD PARTY CSRF and OOB-XXE Vulnerabilities in WebSphere Web Application Server's Integrated Solutions Console 9.0.0.8, 8.5.5.13, and 8.5.5.9
  • CVE-2018-1719 - WebSphere Application Server is susceptible to TLS downgrade when using FIPS, JVM property, and non WebSphere Application Server keystore/truststore.
  • CVE-2018-1621 - Password disclosure in WebSphere Application Server trace log.
  • CVE-2018-1301 CVE-2017-15715 CVE-2017-15710 - Apache vulnerabilities affect IBM HTTP Server
  • CVE-2017-12613 - Apache Portable Runtime affects IBM HTTP Server

This fix pack includes the following component versions installed:

  • NSX 6.4.1
  • WebSphere Application Server 8.5.5.14
  • IBM HTTP Server 8.5.5.14
  • IBM JDK 8.0.5.25
  • Business Process Manager 8.6 CF201803
  • DB2 10.5.0.10
  • PowerVC 1.4.2
  • IBM SmartCloud® Cost Management 2106 ifix05:
    • DB2 10.5.0.10
    • IBM Java JDK 8.0.5.25

This fix pack does not include, but adds support for the following component versions:

  • IBM Cloud Manager with OpenStack 4.3 FP 12

Fix Pack 7 (2.5.0.7)

Link              Date Released   Status
Download 2.5.0.7  August 2018     Superseded

APAR Description
ZZ00701 HA upgrade patch required
ZZ00703 Documentation Keystone not updated although install log shows that certificate was imported
ZZ00699 During the IBM Cloud Orchestrator upgrades, ACL settings for Self-Service offerings will be lost
ZZ00698 REST connector in SCORCHESTRATOR toolkit does not provide patch method
ZZ00700 Install with Keystone topology fails when using protocol HTTP in the ICO_INSTALL.RSP file

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2018-1614 - WebSphere Application Server vulnerability with malformed SAML responses from SAML identity provider
  • CVE-2012-5783 - Old httpclient package in WAS needs to be updated
  • CVE-2015-0899 - Multi-page validator Struts update needed for WAS
  • CVE-2018-2800 CVE-2018-2795 CVE-2018-2796 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2815 CVE-2018-2825 CVE-2018-2783 CVE-2018-2794 CVE-2018-2814 CVE-2018-2826 CVE-2018-2790 - IBM SDK, Java Technology Edition Quarterly CPU - Apr 2018 - Includes Oracle Apr 2018 CPU
  • CVE-2017-1743 - Using remote browse in Admin Console could allow information disclosure with WebSphere Application Server
  • CVE-2017-15710, CVE-2017-15715, CVE-2018-1301 - IBM Cloud Orchestrator | Apache vulnerabilities affect IBM HTTP Server
  • CVE-2017-12613 - Apache Portable Runtime affects IBM HTTP Server
  • CVE-2018-2639 CVE-2018-2638 CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2629 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 CVE-2018-141 - IBM SDK, Java Technology Edition Quarterly CPU - Jan 2018 - Includes Oracle Jan 2018 CPU
  • CVE-2017-1741 - WAS unauthorized users can view data
  • CVE-2017-1731 - Privilege escalation in WebSphere Application Server Admin Console

This fix pack includes the following component versions installed:

  • WebSphere Application Server Liberty Profile 18.0.0.1
  • WebSphere Application Server 8.5.5.13
  • IBM HTTP Server 8.5.5.13
  • IBM JDK 8.0.5.15
  • Business Process Manager 8.6 CF201803
  • DB2 10.5.0.9
  • IBM SmartCloud® Cost Management 2106 ifix04:
    • WebSphere Application Server Liberty Profile 18.0.0.1
    • DB2 10.5.0.9
    • IBM JDK 8.0.5.15
    • Red Hat Enterprise Linux 7.5 for x64

This fix pack does not include, but adds support for the following component versions:

  • PowerVC 1.4.1
  • vCenter 6.7

    Note: Though support is available for vCenter 6.7, NSX 6.4.1 is not supported.

  • Red Hat Enterprise Linux 7.5
  • IBM Cloud Manager with OpenStack 4.3 FP 11


Fix Pack 6 (2.5.0.6)

Link              Date Released   Status
Download 2.5.0.6  April 2018      Superseded

APAR Description
ZZ00659 IBM Cloud Orchestrator 2.5.0.5 fresh installation using DirectDriver with external database fails
ZZ00692 Windows 2016 image deployments require SMB V1 to be enabled inside the image
ZZ00658 Changes needed for IBM Cloud Orchestrator 2.5.0.5 update instructions
ZZ00685 Using the Internet Explorer browser, project switch details can be refreshed intermittently, causing loss of function in offerings.
ZZ00686 IBM Cloud Orchestrator 2.5.0.5 DirectDriver UI issue. All the menus relevant to VMware DirectDriver show Japanese, not Korean.
ZZ00649 Search for self-service offerings does not work
ZZ00657 Knowledge Center must be updated with correct IBM Cloud Manager version
ZZ00691 IBM Cloud Orchestrator fix pack upgrade space requirements
ZZ00650 While trying to add three AZ to a new domain, we are getting the error "Quota limits of domain are exceeding"
ZZ00653 Parameters must be better explained
ZZ00695 Missing keystone support in SCORCHESTRATOR.PY
SE68443 Staging user and tenant not found errors for CMO managed PowerVC nodes HTTP 404
ZZ00687 IBM Cloud Orchestrator install prerequisite checker does not account for OpenStack endpoints being bound to multiple network interfaces
ZZ00688 SmartCloud Cost Management charset detector library may detect wrong encoding for input CSR file
ZZ00675 Multiple HS are displayed in IBM Cloud Orchestrator offering creation does display version information

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2017-9798, CVE-2017-12618 - IBM Cloud Orchestrator | Vulnerability in Apache APR affects IBM HTTP Server
  • CVE-2017-13704 - IBM Cloud Orchestrator | Open source dnsmasq vulnerability
  • CVE-2017-1583, CVE-2011-4343 - Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition April 2017
  • CVE-2017-1583, CVE-2011-4343 - Information disclosure in MyFaces for WebSphere App Server
  • CVE-2017-1583, CVE-2011-4343 - Information disclosure in Apache MyFaces
  • CVE-2013-0340, CVE-2013-0341 - Open Source James Clark Expat Vulnerabilities
  • CVE-2017-1681 - Information Disclosure in WAS with handling of application requests

This fix pack includes the following component versions installed:

  • WebSphere Application Server Liberty V17.0.0.4
  • IBM HTTP Server V8.5.5.13
  • IBM JDK V8.0.5.6 for IBM Cloud Orchestrator
  • IBM Business Process Manager Standard V8600CF201712

This fix pack does not include, but adds support for the following component versions:

  • PowerVC V1.4
  • NSX V6.3.1
  • IBM Cloud Manager with OpenStack V4.3 FP 10


Fix Pack 5 (2.5.0.5)

Link              Date Released   Status
Download 2.5.0.5  December 2017   Superseded

APAR Description
ZZ00642 In SmartCloud Cost Management, remove unused regions from MCS collection.
ZZ00667 IBM Cloud Orchestrator Knowledge Center mentions "Dashboard extension" capability with reference to availability on Marketplace.
ZZ00666 Configuration for IBM Cloud Orchestrator in production / development mode does not apply the revert to human service.

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2013-0340, CVE-2013-0341 - Open Source James Clark Expat Vulnerabilities
  • CVE-2016-8919 - WebSphere deserialization of untrusted data (SOAP Connector)
  • CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3526, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3512, CVE-2017-3511 - Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition April 2017
  • CVE-2017-1151 - Privilege escalation in WAS OIDC
  • CVE-2016-0360 - Deserialization RCE vulnerability in IBM WebSphere JMS Client
  • CVE-2017-3289 CVE-2017-3272 CVE-2017-3241 CVE-2017-3260 CVE-2016-5546 CVE-2017-3253 CVE-2016-5548 CVE-2016-5549 CVE-2017-3252 CVE-2016-5547 CVE-2016-5552 CVE-2017-3261 CVE-2017-3231 CVE-2017-3259 CVE-2016-2183 - IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU
  • CVE-2016-7103 - jquery-ui Vulnerabilities Web Services Client security Bindings could be weaker than expected in WAS
  • CVE-2017-1501 - Web Services Client security Bindings could be weaker than expected in WAS
  • CVE-2017-1425 - Cross-site scripting vulnerability in IBM Business Process Manager (BPM)
  • CVE-2017-7679, CVE-2017-7668, CVE-2017-3167 - Apache HTTP Server Vulnerabilities
  • CVE-2017-1382 - WAS may have insecure permissions when custom startup scripts are used
  • CVE-2016-2183 - IBM® DB2® LUW is vulnerable to Sweet32 Birthday Attack
  • CVE-2017-1150 - Information Disclosure vulnerability affects IBM® DB2® LUW
  • CVE-2017-1140 - Persistent cross-site scripting vulnerability in IBM Business Process Manager
  • CVE-2017-1121 - Cross-site scripting vulnerability in WebSphere Application Server Admin Console

This fix pack extends support for the following component versions:

  • Red Hat Operating System V7.4
  • IBM Cloud Manager with OpenStack V4.3.FP9
  • IBM HTTP Server V8.5.5.12
  • PowerVC V1.4
  • WebSphere Application Server Liberty V17.0.0.3
  • WebSphere Application Server 8.5.5.12
  • IBM Java SDK/JRE V8.0.5.1 for IBM Cloud Orchestrator

    Note: The IBM JDK for Business Process Manager and WebSphere Application Server is at V7.0.10.5.

  • DB2 V10.5.0.9
  • Business Process Manager V8.5.7.CF201706
  • SmartCloud Cost Management V2.1.0.6 ifix02


Fix Pack 4 (2.5.0.4)

Link              Date Released   Status
Download 2.5.0.4  June 2017       Superseded

APAR Description
ZZ00589 Null pointer exception for view history when inbox is not claimed.
ZZ00593 Stack creation fails.
ZZ00623 Logout and Token Expiration behaving differently.
ZZ00629 Resource Bundle Group with res does not exist.
ZZ00639 Heat template with GET_FILE fails if submitted from ICO.
ZZ00641 IBM Cloud Orchestrator REST API does not allow projectName and domainName options.
ZZ00655 HA services do not come up after restarting the services.
ZZ00656 ICO 2503 upgrade failure

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2017-1134 - Privilege escalation vulnerability affects IBM® DB2® LUW.
  • CVE-2017-1159 - Open Redirect vulnerability in IBM Business Process Manager.
  • CVE-2016-8934 - Cross-site scripting in WebSphere Application Server Admin console.
  • CVE-2017-1140 - "Clickjacking" (application running in a frame) vulnerability in IBM Content Navigator.
  • CVE-2017-1194 - Incorrect redirection for an OAuth authorization request in WebSphere App Server both Traditional and Liberty.
  • CVE-2016-8743 - [Open Source] - Apache HTTP Server Vulnerabilities.
  • CVE-2016-6109 - Cross Site Scripting vulnerability in IBM Business Process Manager (BPM).

This fix pack extends support for the following component versions:

  • Red Hat Operating System V7.3
  • IBM Cloud Manager with OpenStack V4.3.FP8
  • NSX V6.3.1

    Note: NSX V6.3.1 is supported in VMware vSphere V6.5a or higher.

  • VMware vSphere V6.5
  • PowerVC V1.3.3
  • IBM Java SDK/JRE V8.0.4.2
  • DB2 V10.5.0.8
  • Business Process Manager V8.5.7.CF201703
  • SmartCloud Cost Management V2.1.0.6


Fix Pack 3 (2.5.0.3)

Link              Date Released   Status
Download 2.5.0.3  28 April 2017   Superseded

APAR Description
ZZ00610 ICO25-Attach Volume Page throwing a timeout error.
ZZ00564 Applying ICM 4304 fix pack to an existing ICM environment, running the ICO configuration "ICM_CONFIG_ICO.SH" script again results in errors.
ZZ00571 ICO_configure SCCM-paSsWord case fails OpenStackContext.
ZZ00621 ICO App Scan Results - mod_headers related protection.
ZZ00627 ICO UI does not pass availability zone when creating a volume.
ZZ00616 The CLOUDBASE-INIT service fails reading SoftLayer meta data.
ZZ00620 ICO App Scan Results- Browser Exploit Against SSL/TLS.
ZZ00578 Need to improve the documentation associated to ICM_CONFIGURE_ICO_HORIZON_EXTENSION.SH script.
ZZ00613 IBM Cloud Orchestrator 2.5 RHEL 7.1
ZZ00608 Incorrect metadata property name in CUSTOMIZATION.JSON file while customizing ICO SELF SERVICE UI.
ZZ00598 ICO send email implementation service has empty data mapping objects.
ZZ00592 Change ICO browser tab title in CUSTOMIZATIONS.JSON doesn't work.
ZZ00580 SCCM subscription PUT REST API does not "PUT" any updated rate values into the database.
ZZ00557 Change the instance type to MULTI-INSTANCE.
ZZ00552 The parameter -SIZE needs to be added to IKEYCMD.
ZZ00606 Lists actions defined on a given instance not working.
ZZ00604 Have to logon to ICO UI before running REST call
ZZ00600 In IBM Cloud Orchestrator 2.5.X.X REST CALL FOR LDAP USER FAILS.
ZZ00596 IBM Cloud Manager does not manage Openstack services for new cluster.
ZZ00585 IBM Cloud Orchestrator 2.5 - Internal Server Error 500 on UI page.
ZZ00551 IBM Cloud Orchestrator 2.5 - LDAP users case sensitive issues switching.
ZZ00515 PDcollect tool does not collect HTTP logs for IBM Cloud Orchestrator HA.
ZZ00577 User can view the volume information from another domain.
ZZ00567 LDAP Integration with IBM Cloud Orchestrator 2.5.0.1 with iFix 1 problem.

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2014-8912 - Information disclosure vulnerability in IBM Business Process Manager.
  • CVE-2015-7575 - TLS protocol MD5 hash weak security "SLOTH" Vulnerability
  • CVE-2016-0385 - Potential bypass security in WebSphere Application Server.
  • CVE-2016-1181, CVE-2016-1182 - Security vulnerabilities in Apache Struts might affect IBM Business Process Manager.
  • CVE-2016-5983 - Potential remote arbitrary Java code execution with a serialized object from untrusted source in IBM WebSphere Application Server.
  • CVE-2016-2960 - Potential denial of service vulnerability in IBM WebSphere Application Server when using SIP services.
  • CVE-2012-0876, CVE-2012-1148, CVE-2016-4472, CVE-2016-0718 - Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server.
  • CVE-2016-5573, CVE-2016-5597, CVE-2016-3485 - Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server and IBM Process Designer used in IBM Business Process Manager.
  • CVE-2016-9736 - Potential information disclosure in WebSphere Application Server using malformed SOAP requests on WebSphere Application Server.
  • CVE-2016-5986 - Potential Information Disclosure vulnerability in WebSphere Application Server and WebSphere Application Server Liberty.
  • CVE-2016-5983 - Potential code execution vulnerability in WebSphere Application Server.
  • CVE-2016-3092 - Denial of Service vulnerability in Multistream Class affect Apache Commons Fileupload that is used in WebSphere Application Server, Business Process Manager.
  • CVE-2016-7099, CVE-2016-5325, CVE-2016-5573 - Multiple Security Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager (BPM) Configuration Editor.
  • CVE-2016-5582, CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554, CVE-2016-5542 - Multiple Security Vulnerabilities as per IBM SDK, Java Technology Edition Quarterly CPU - Oct 2016.
  • CVE-2016-8934 - Potential cross-site scripting vulnerability in IBM WebSphere Application Server.
  • CVE-2016-8743 - Potential response splitting attack vulnerability in IBM HTTP Server.
  • CVE-2017-1121 - Potential Cross-site scripting vulnerability in WebSphere Application Server.
  • CVE-2016-5597 - Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager.
  • CVE-2016-0306 - Potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled.
  • CVE-2016-3056 - HTML injection vulnerability in Business Space might affect IBM Business Process Manager.
  • CVE-2016-5995 - IBM DB2 for Linux, Unix and Windows is vulnerable to a privilege escalation due to code being built with binaries with libraries in insecure locations. http://www-01.ibm.com/support/docview.wss?uid=swg21990061
  • CVE-2016-0729, CVE-2016-4463 - Vulnerability in XMLC affects IBM® DB2® LUW. http://www-01.ibm.com/support/docview.wss?uid=swg21984685
  • CVE-2016-0201, CVE-2015-7420 & CVE-2015-7421 - Vulnerabilities in the GSKit component of IBM® DB2® LUW. http://www-01.ibm.com/support/docview.wss?uid=swg21977787
  • CVE-2016-4985, CVE-2016-5362, CVE-2015-8914, CVE-2016-5363, CVE-2016-4428 - OpenStack Neutron, Horizon and Ironic Vulnerabilities affect IBM Cloud Manager with OpenStack - http://www-01.ibm.com/support/docview.wss?uid=isg3T1024250

This fix pack extends support for the following component versions:

  • WebSphere Application Server Liberty V16.0.0.4
  • WebSphere Application Server V8.5.5.11
  • Red Hat Operating System V7.2
  • IBM DB2 V10.5.0.8
  • IBM HTTP Server V8.5.5.11
  • PowerVC V1.3.2.1
  • IBM JDK V8.0.3.22
  • NSX V6.2.2 and V6.2.4
  • IBM Cloud Manager with OpenStack V4.3.0.7
  • IBM Business Process Manager Standard V8.5.7, V8.5.7 CF2016.12:
    • 8.5.5.0-ws-was-ifpi70169
    • 8.5.5.0-ws-was-ifpi73367
    • 8.5.5.11-ws-was-ifpi70627
    • 8.5.5.11-ws-wasihs-ifpi73984

This fix pack also includes the following SmartCloud Cost Management components:

  • Jazz™ for Service Management V1.1.2.1
  • IBM Tivoli® Common Reporting V3.1.2.1
  • Red Hat Operating System V7.2
  • VMware vCenter Collector V6 U2
  • WebSphere Application Server with Liberty Profile V16.0.0.4


Fix Pack 2 (2.5.0.2)

Link              Date Released   Status
Download 2.5.0.2  31 May 2016     Superseded

APAR Description
ZZ00394 Parallel tasks are not seen in ICO UI.
ZZ00433 Toolkit changes required to obtain full JSON REST response from GenericREST.jar.
ZZ00443 ICO SCUI not honoring default for alternate domains.
ZZ00447 ICO 2.5.0.1 FP precheck fails in a default 2.5 environment with error "Object found that should not exist".
ZZ00463 Visual interference between page title and menu.
ZZ00483 Vulnerability in Virtual Machine Authentication Credentials Disclosure (CVE-2016-0203).
ZZ00501 There is no difference in permissions between a member role user and an admin role user.
ZZ00505 VMs in IWD with deleted state, however they are active in SoftLayer.
ZZ00506 VMs provisioned from ICO to SoftLayer have 10 Mbps NICS.
ZZ00507 Public Cloud Gateway (PCG) uses quota files to cache quota values when changes are made to a project directly.
ZZ00510 In some cases, no contents are seen on the Self-Service UI dashboard when ICO is setup with LDAP.
ZZ00511 Attempt to access non-existent Kernel REST endpoint result in looping issue.
ZZ00518 Applications accept a URL as a query string parameter and perform a redirect based on the URL are open to abuse.
ZZ00526 ICO UI customization uses a hard-coded color value for the project selector drop-down box.
ZZ00531 Unable to enter mount point name.
ZZ00535 Issue with simple token generation.
ZZ00538 Modify flavor not working for non admin project virtual machines.
ZZ00540 bpm-dmgr and bpm-node are not in HA for ICO HA setup.
ZZ00541 SSO not working on ICO for SSOLoginServlet for ICO.
ZZ00547 There are no partitions/Windows volume and the disk shows as offline.
ZZ00555 systemctl command cannot stop ICM/ICO services which are in HA.
ZZ00558 ICO2402 - VM in deleted state during restore from image.
ZZ00559 ICO is unable to list images in case where SoftLayer has an image with no associated block devices.
ZZ00567 LDAP Integration with ICO 2.5.0.1 with iFix 1 problem - Issue after LDAP authentication to dashboard UI-

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2015-0205 - OpenSSL could allow a remote authenticated attacker to bypass security restrictions, caused by the acceptance of a DH certificate for client authentication without verification.
  • CVE-2015-1283 - Denial of service may affect IBM HTTP Server. Multiple integer overflows in the XML_GetBuffer function in Expat allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data.
  • CVE-2015-1788 - Vulnerability in OpenSSL affects IBM DB2 LUW. OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field.
  • CVE-2015-7417 - Cross-site scripting vulnerability in IBM WebSphere Application Server. IBM WebSphere Application Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input.
  • CVE-2015-7463 - IBM Business Process Manager authorization checks for process and task deletion are insufficient. IBM Business Process Manager could allow an authenticated user to delete process and task data through a command that should only be available to administrators.
  • CVE-2015-7494 - Vulnerability in Cross Domain Services Action. A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it would have been possible for the domain admin user to gain access to a resource identifier of the other domain.
  • CVE-2015-7575 - Vulnerability in IBM Java SDK affects IBM DB2 LUW. The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. This vulnerability is commonly referred to as "SLOTH".
  • CVE-2016-0203 - Vulnerability in Virtual Machine Authentication Credentials Disclosure. A vulnerability has been identified in the IBM Cloud Orchestrator task API. The task API might allow an authenticated user to view background information associated with actions performed on virtual machines in projects where the user belongs to.
  • CVE-2016-0204 - IBM Cloud Orchestrator could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability.
  • CVE-2016-0206 - Vulnerability affects JSON parsing malformed URL in teamwork executeServiceByName API Denial of Service. IBM Cloud Orchestrator could allow a local authenticated attacker to cause the server to slow down for a short period of time by using a specially crafted and malformed URL.
  • CVE-2016-0448 - Vulnerability in IBM Java SDK affects WebSphere Application Server. An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information.
  • CVE-2016-0466 - Vulnerability in IBM Java SDK affects WebSphere Application Server. An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service.
  • CVE-2016-0475 - Vulnerability in IBM Java SDK affects WebSphere Application Server. An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact.
  • CVE-2016-0777 - Vulnerabilities in OpenSSH affect IBM i. OpenSSH could allow a remote attacker to obtain sensitive information, caused by a client information leak from using the roaming connection feature.
  • CVE-2016-0778 - Vulnerabilities in OpenSSH affect IBM i. OpenSSH is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the packet_write_wait() and ssh_packet_write_wait() API functions when two non-default options: a ProxyCommand and either ForwardAgent or ForwardX11 are used.

This fix pack includes the following fix packs:

  • IBM DB2 Enterprise Server Edition V10.5.0, Fix Pack 7
  • IBM WebSphere Application Server Network Deployment V8.5.5, Fix Pack 9
  • IBM HTTP Server for WebSphere Application Server V8.5.5, Fix Pack 9

This fix pack also includes the following IBM Business Process Manager cumulative fix and interim fixes:

  • IBM Business Process Manager Standard V8.5.6.0 Cumulative Fix 2 (V8.5.6.0 CF02)
  • JR54682 -- MULTIPLE VULNERABILITIES IN IBM JAVA SDK AFFECT IBM PROCESS DESIGNER
  • JR55110 -- MULTIPLE VULNERABILITIES IN IBM SDK FOR JAVA SHIPPED WITH IBM PROCESS DESIGNER AND WEBSPHERE LOMBARDI EDITION
  • JR55136 -- YOU CANNOT START EXPOSED HUMAN SERVICES IN PROCESS CENTER WHEN THEY ARE NOT RUN FOR A SPECIFIC SNAPSHOT
  • JR55205 -- P.E. TW.SYSTEM.SERIALIZER.FROMXML BEHAVIOR CHANGE IN IBM BPM V8.5.6 CF02 CAUSES APPLICATION FAILURE


Interim Fix 1 (2.5.0.1_iFix001)

Link                      Date Released      Status
Download 2.5.0.1_iFix001  08 February 2016   Superseded

APAR Description
ZZ00445 The parameters in send message implementation mapping are missing in the toolkit.
ZZ00500 ICO 2501 HA installation failure attempting to locate TSAMP binaries.
ZZ00528 Checksum value for TSAMP package expected by ICO installer does not match with TSAMP package downloaded from Passport Advantage.
ZZ00529 ICO HA install log file contains links to an internal IBM website.

The following security vulnerabilities are resolved in this fix pack:

  • CVE-2015-4734 - An unspecified vulnerability related to the JGSS component could allow a remote attacker to obtain sensitive information.
  • CVE-2015-4872 - An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
  • CVE-2015-5006 - IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache.
  • CVE-2015-7400 - IBM Business Process Manager is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service.
  • CVE-2015-7407 - IBM Mashups is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
  • CVE-2015-7450 - Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
  • CVE-2015-7454 - IBM Business Process Manager could allow an authenticated user to create pages and spaces that they should not have access to due to improper access restrictions.

This interim fix includes the following fix pack:

  • Java(TM) SE Runtime Environment (build pxa6480sr2-20151023_01(SR2))

This interim fix also includes the following IBM WebSphere Application Server interim fix:

  • IFPI51440 - Ship Java 6/26 SR8 FP15 FOR WSAS V8.5.0.X AND V8.5.5.X

This interim fix also includes the following IBM Business Process Manager cumulative fixes:

  • IBM Business Process Manager Standard V8.5.6.0 Cumulative Fix 1 (V8.5.6.0 CF01)
  • JR54748 - CVE-2015-7450 - VULNERABILITY IN APACHE COMMONS COLLECTIONS AFFECTS IBM BPM DOCUMENT STORE
  • JR54678 -- MULTIPLE SECURITY VULNERABILITIES EXIST IN BUSINESS SPACE AND MASHUPS
  • JR55154 -- OPTIONALLY DISABLE USER AND GROUP SEARCH(GET METHOD) IN BUSINESS SPACE


    Fix Pack 1 (2.5.0.1)
    Link Date Released Status
    Download 2.5.0.1 Download 2.5 Enterprise Edition

    18 December 2015

    Superseded

    APAR Description
    ZZ00396 YAML parser needs to be updated not to remove #ps1 and #ps1_sysnative
    ZZ00419 Problem listing, creating and deleting networks using ICO UI
    ZZ00451 Nullpointer exception while viewing roles from a user in Self-Service UI
    ZZ00483 Multiple Security Vulnerabilities in ICO Enterprise

    The following security vulnerabilities are resolved in this fix pack:

    • CVE-2014-6221 - Random data generation using the GSKit MSCAPI/MSCNG interface code does not generate cryptographically random data. An attacker could use this weakness to achieve a complete compromise of confidentiality and/or integrity.
    • CVE-2015-0138 - A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
    • CVE-2015-0157 - IBM DB2 LUW contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by executing a specially-crafted SQL statement with the vulnerable scalar functions. This could result in a DB2 server crash; if so, the server would need to be restarted.
    • CVE-2015-0159 - An unspecified error in GSKit's use of an OpenSSL crypto function, related to Bignum squaring (BN_sqr) producing incorrect results on some platforms, has an unknown attack vector and impact in some ECC operations.
    • CVE-2015-1885 - WebSphere Application Server Full Profile and Liberty Profile could allow a remote attacker to gain elevated privileges on the system caused when OAuth grant type of password is used.
    • CVE-2015-1932 - IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise could allow a remote attacker to obtain information that identifies the proxy server software being used.
    • CVE-2015-2017 - IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially-crafted URL to cause the server to return a split response once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning and cross-site scripting, and possibly obtain sensitive information.
    • CVE-2015-3183 - Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
    • CVE-2015-4000 - The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic.
    • CVE-2015-7450 - Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.

    This fix pack includes the following fix packs:

    • IBM DB2 Enterprise Server Edition V10.5.0, Fix Pack 6
    • IBM WebSphere Application Server Network Deployment V8.5.5, Fix Pack 7
    • IBM HTTP Server for WebSphere Application Server V8.5.5, Fix Pack 7

    This fix pack also includes the following IBM WebSphere Application Server interim fixes:

    • IFPI52103 - Apache Commons Collections issue affecting WebSphere Application Server (CVE-2015-7450)
    • IFPI45266 - The HTTP Channel allows response splitting
    • IFPI50291 - BEANS SEARCHED FOR THROUGH INSTANCE INTERFACE IN WAS 8.5.5.7 NOT FOUND

    This fix pack also includes the following IBM Business Process Manager cumulative fix and interim fixes:

    • IBM Business Process Manager Standard V8.5.6.0 Cumulative Fix 1 (V8.5.6.0 CF01)


    Initial Release (2.5)
    Link: Download 2.5
    Date Released: 14 August 2015
    Status: Superseded

    APAR Description
    -- Initial release
Related information

    • V.R.M.F. Maintenance Stream Delivery Vehicle glossary
    • Software Product Compatibility Reports
    • Fix Central

Document information

More support for: IBM Cloud Orchestrator

Component: Documentation

Software version: 2.2, 2.2.0.1, 2.3, 2.3.0.1, 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5, 2.5, 2.5.0.1, 2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5, 2.5.0.6, 2.5.0.7, 2.5.0.8

Operating system(s): Linux

Reference #: 7045667

Modified date: 26 April 2019