IBM Support

IBM Cloud Orchestrator Fix Pack 4 (2.4.0.4) for 2.4

Downloadable files


Abstract

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition 2.4.0.4 have been made generally available. This fix pack contains fixes to version 2.4 and includes all predecessor fix packs.

Download Description

Table of Contents
Sections Description

The Change history section provides an overview on what is new in this release with a description of any new functions or enhancements when applicable.

The How critical is this fix section provides information related to the impact of this release to allow you to assess how your environment may be affected.

The Prerequisites section provides important information to review prior to the installation of this release.

The Download package section provides the direct link to obtain the download package for installation in your environment.

The Installation instructions section provides the installation instructions necessary to apply this release into your environment.

The Known side effects section contains a link to the known problems (open defects) identified at the time of this release.

Supporting Documentation
Document Description

Click to review the detailed system requirements information for a complete list of hardware requirements, supported operating systems, prerequisites and optional supported software, with component-level details and operating system restrictions.

IBM Knowledge Center provides an entry point to product documentation. You can view, browse, and search online information related to the product.

Click to review a complete list of the defects (APARs) resolved in this release including a list of resolved defects for the entire version family.

Prerequisites

Prerequisites include:

Review the Prerequisites tab in the system requirements report for supported versions of Data Protection and Recovery, Databases and Process Management tools.

Review the Software prerequisites page in the IBM Knowledge Center to ensure your environment meets the minimum hypervisor and operating system requirements, especially if you are upgrading from a previous release of IBM Cloud Orchestrator.

Installation Instructions

This fix pack can be installed as a fresh installation or as an upgrade of an existing installation. Follow the instructions in the tabs below.




Fresh installation of IBM Cloud Orchestrator


Step 1: Review the installation page in the IBM Knowledge Center.

Step 2: Review the information in the Post installation information section below.


Fresh installation of IBM Cloud Orchestrator Enterprise Edition


Step 1: Review the installation page in the IBM Knowledge Center.

Step 2: Review the information in the Post installation information section below.


Upgrade of IBM Cloud Orchestrator


The following upgrade scenarios are supported:

  • IBM Cloud Orchestrator V2.4 -> IBM Cloud Orchestrator V2.4 Fix Pack 4
  • IBM Cloud Orchestrator V2.4 Fix Pack 1 -> IBM Cloud Orchestrator V2.4 Fix Pack 4
  • IBM Cloud Orchestrator V2.4 Fix Pack 2 -> IBM Cloud Orchestrator V2.4 Fix Pack 4
  • IBM Cloud Orchestrator V2.4 Fix Pack 2 Interim Fix 1 -> IBM Cloud Orchestrator V2.4 Fix Pack 4
  • IBM Cloud Orchestrator V2.4 Fix Pack 3 -> IBM Cloud Orchestrator V2.4 Fix Pack 4

Step 1: Review the Upgrading topic in the IBM Knowledge Center.

Step 2: Review the information in the Post installation information and Post upgrade information sections below.


Upgrade of IBM Cloud Orchestrator Enterprise Edition


The following upgrade scenarios are supported:

  • IBM Cloud Orchestrator Enterprise Edition V2.4 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 4
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 1 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 4
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 2 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 4
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 2 Interim Fix 1 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 4
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 3 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 4

Step 1: Review the Upgrading topic in the IBM Knowledge Center.

Step 2: Review the information in the Post installation information and Post upgrade information sections below.


Post installation information


After you install or upgrade the IBM Cloud Orchestrator or IBM Cloud Orchestrator Enterprise Edition software, complete the following tasks.

Step 1: Resolve vulnerabilities

For details of the security vulnerabilities that this fix pack addresses, review the Impact Assessment table in the How critical is this fix section below.


Post upgrade information


Step 1: Complete the above tasks first.

Step 2: Complete the tasks described in the Configuring IBM Cloud Orchestrator after upgrading topic in the IBM Knowledge Center.

Download package

The following sections provide detailed information related to this release.

Downloads on Fix Central

Click the HTTP link below to obtain the release from Fix Central.

Image directory contents

  • 2.4.0-CSI-ICO-FP0004.tgz: IBM Cloud Orchestrator Version 2.4 Fix Pack 4 for Red Hat Enterprise Linux Multilingual

How critical is this fix?

Impact Assessment
Impact Description

Corrective

This is a maintenance release. It contains fixes for client-reported and internally found defects.

Critical

This release also contains fixes to multiple security vulnerabilities.

  • CVE-2012-6153 - Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates.
  • CVE-2014-3577 - Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates.
  • CVE-2014-8912 - IBM WebSphere Portal and other products could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within web applications.
  • CVE-2015-0254 - Apache Standard Taglibs could allow a remote attacker to execute arbitrary code on the system, caused by an XML External Entity Injection (XXE) error when processing XML data.
  • CVE-2015-1788 - OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field.
  • CVE-2015-1850 - OpenStack Nova could allow a local attacker to obtain sensitive information, caused by the failure to provide input format to several calls of "qemu-img convert".
  • CVE-2015-3197 - OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by an error related to the negotiation of disabled SSLv2 ciphers by malicious SSL/TLS clients.
  • CVE-2015-7400 - IBM Business Process Manager is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.
  • CVE-2015-7407 - IBM Mashups is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input.
  • CVE-2015-7417 - IBM WebSphere Application Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input.
  • CVE-2015-7454 - IBM Business Process Manager could allow an authenticated user to create pages and spaces that they should not have access to due to improper access restrictions.
  • CVE-2015-7463 - IBM Business Process Manager could allow an authenticated user to delete process and task data through a command that should only be available to administrators.
  • CVE-2015-7494 - A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API.
  • CVE-2015-7548 - OpenStack Nova could allow a local authenticated attacker to obtain sensitive information, caused by an error in instance snapshot.
  • CVE-2015-7575 - The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake.
  • CVE-2015-8749 - OpenStack Nova could allow a remote attacker to obtain sensitive information, caused by a Xen connection password leak when attempting to connect a volume using the Xen API.
  • CVE-2016-0202 - A vulnerability has been identified in tasks, backend object generated for handling any action performed by the application in IBM Cloud Orchestrator.
  • CVE-2016-0203 - An information disclosure vulnerability has been identified in the IBM Cloud Orchestrator task API.
  • CVE-2016-0204 - IBM Cloud Orchestrator could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability.
  • CVE-2016-0205 - A vulnerability has been identified in IBM Cloud Orchestrator that could allow an attacker after authentication to enumerate valid users of the system.
  • CVE-2016-0206 - IBM Cloud Orchestrator could allow a local authenticated attacker to cause the server to slow down for a short period of time by using a specially crafted and malformed URL.
  • CVE-2016-0264 - A buffer overflow vulnerability in the IBM JVM facilitates arbitrary code execution under certain limited circumstances.
  • CVE-2016-0306 - IBM WebSphere Application Server could provide weaker than expected security, caused by the improper TLS configuration.
  • CVE-2016-0359 - IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks.
  • CVE-2016-0363 - IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
  • CVE-2016-0376 - A vulnerability in IBM Java SDK could allow a remote attacker to execute arbitrary code on the system. This vulnerability allows code running under a security manager to escalate its privileges by modifying or removing the security manager. This vulnerability was originally reported as CVE-2013-5456.
  • CVE-2016-0448 - An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information.
  • CVE-2016-0466 - An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service.
  • CVE-2016-0475 - An unspecified vulnerability related to the Libraries component has partial confidentiality impact, partial integrity impact, and no availability impact.
  • CVE-2016-0686 - An unspecified vulnerability related to Serialization has complete confidentiality impact, complete integrity impact, and complete availability impact.
  • CVE-2016-0687 - An unspecified vulnerability related to the VM component has complete confidentiality impact, complete integrity impact, and complete availability impact.
  • CVE-2016-0701 - OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files.
  • CVE-2016-0702 - OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture.
  • CVE-2016-0703 - OpenSSL could allow a remote attacker to bypass security restrictions, caused by the failure to enforce that a clear-key-length value is 0 for non-export ciphers by the SSLv2 's2_srvr.c code.
  • CVE-2016-0704 - OpenSSL could allow a remote attacker to bypass security restrictions. The s2_srvr.c code overwrites the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites.
  • CVE-2016-0705 - OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys.
  • CVE-2016-0757 - OpenStack Glance could allow a remote authenticated attacker to bypass security restrictions, caused by an error when show_multiple_locations has been enabled.
  • CVE-2016-0777 - OpenSSH could allow a remote attacker to obtain sensitive information, caused by a client information leak from using the roaming connection feature.
  • CVE-2016-0778 - OpenSSH is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the packet_write_wait() and ssh_packet_write_wait() API functions when two non-default options: a ProxyCommand and either ForwardAgent or ForwardX11 are used.
  • CVE-2016-0797 - OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the BN_hex2bn/BN_dec2bn() function.
  • CVE-2016-0798 - OpenSSL is vulnerable to a denial of service, caused by a memory leak in SRP servers.
  • CVE-2016-0799 - OpenSSL could allow a remote attacker to obtain sensitive information, caused by a memory error in the BIO_*printf() functions.
  • CVE-2016-1181 - Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance.
  • CVE-2016-1182 - Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator.
  • CVE-2016-2105 - OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the EVP_EncodeUpdate() function.
  • CVE-2016-2106 - OpenSSL is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the EVP_EncryptUpdate() function.
  • CVE-2016-2107 - OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server supports AES-NI.
  • CVE-2016-2108 - OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a buffer underflow when deserializing untrusted ASN.1 structures.
  • CVE-2016-2109 - OpenSSL is vulnerable to a denial of service, caused by a memory allocation error.
  • CVE-2016-2140 - OpenStack Nova could allow a remote authenticated attacker to obtain sensitive information, caused by a host data leak in resize/migration.
  • CVE-2016-2842 - OpenSSL is vulnerable to a denial of service, caused by the failure to verify that a certain memory allocation succeeds by the doapr_outch function.
  • CVE-2016-2960 - IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services.
  • CVE-2016-3056 - IBM Business Process Manager is vulnerable to HTML injection.
  • CVE-2016-3422 - An unspecified vulnerability related to the 2D component could allow a remote attacker to cause a denial of service resulting in a partial availability impact using unknown attack vectors.
  • CVE-2016-3426 - An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
  • CVE-2016-3427 - An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
  • CVE-2016-3443 - An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
  • CVE-2016-3449 - An unspecified vulnerability related to the Deployment component has complete confidentiality impact, complete integrity impact, and complete availability impact.
  • CVE-2016-5901 - IBM Business Process Manager is vulnerable to cross-site scripting.
  • CVE-2016-5983 - IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.

Definitions

Regression: An error in the Maintenance Delivery Vehicle (MDV) that produces incorrect or unexpected behavior causing a supported feature to stop functioning as designed.
This includes:

  • Coding errors that cause a regression
  • Documentation or packaging problems that cause a regression
  • Errors reported in a new function delivered in a MDV that cause a regression

Incomplete: An error in the MDV has not regressed, but does not work as designed.
This includes:

  • Fixed APARs which did not solve the original problem but did not break anything new
  • APARs reporting documentation errors, such as readme errors, that cause problems applying an MDV but do not lead to a regression

Notes:
  • Regression and incomplete APARs are considered fix-in-error or MDV-in-error
  • Definitions above apply only to valid APARs that result in product fixes (APARs returned as working-as-designed are not assessed for being fix-in-error)
  • Issues in major releases due to new functionality do not apply in this definition

There are no known regressions to report.

Problems solved

Defects resolved

Click the Fix List link in the table of contents above to review a list of the problems solved in this release.

Known side effects

Review the following list of known issues and open defects:

Review the Known errors and limitations section of the IBM Knowledge Center for issues related to this release.

Additional Issues:

  • If you do not have any child Deployment Service (DS) jobs because you did not add any Region Server in your environment, before using the passwords.sh script to change the admin user password, you must edit the script to change the following line:
    if ! processconfigfiles $job_id "$nodes" "modify" "admin_password" "$pwd" "$obfpwd" "vmware-discovery.conf" "admin.json" ; then
    to the following line:
    if ! processconfigfiles $job_id "$nodes" "modify" "admin_password" "$pwd" "$obfpwd" "vmware-discovery.conf" "admin.json" "keystonerc" "openrc" ; then
    Without this change, the admin password in the keystonerc and openrc files is not updated by the script. For information about the passwords.sh script, see the Using the IBM Cloud Orchestrator password management tool topic in the IBM Knowledge Center.
  • When a local database is used in the Region Server, the passwords.sh script does not change the password of the db2inst1 user in the Region Server.
  • In a High-Availability topology, after running the passwords.sh script to change the bpm_admin password, the changes are not reflected correctly in the soap.client.props property file on the primary and secondary Central Server 2: the password string is also written into the commented-out Kerberos example line (com.ibm.SOAP.loginPassword=) and must be removed from there. When this problem occurs, you might be unable to manage the Business Process Manager component by using System Automation Application Manager.

    To solve the problem, run the following procedure:

    1. Edit the /opt/ibm/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props file on the primary Central Server 2. In the following section:
      # - krb5CcacheFile           ( authenticationTarget=KRB5 and loginSource=krb5Ccache, this
      #                              optional property can be set to specify a location of the
      #                              Kerberos credential cache as an URL. )
      ...
      # Note: For Microsoft Windows Kerberos native ccache, set the following properties to blank
      #               com.ibm.SOAP.krb5CcacheFile=
      #               com.ibm.SOAP.loginUserid=
      #               com.ibm.SOAP.loginPassword=your_password
      #------------------------------------------------------------------------------
      remove the password string (your_password, for example) so that the line is changed to
      #               com.ibm.SOAP.loginPassword=
      Leave the uncommented com.ibm.SOAP.loginPassword property elsewhere in the file unchanged.
      
    2. Save the file and copy it to the secondary Central Server 2 to overwrite the existing /opt/ibm/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props file.
    3. Stop the System Automation Application Manager automation and restart the primary and secondary Central Server 2.
    4. To validate the changes, restart the System Automation Application Manager automation and try to set the Business Process Manager component offline and online on both the primary and secondary Central Server 2.
  • In the Self-service user interface, the following error message is displayed when an offering is cancelled:
    You have been automatically logged out for security reasons. Unfortunately, because of this we are unable 
    to save your information at this time. Please run this task again to save your information.
    You can ignore this message because it does not affect the cancel operation.
  • If you are using IBM Cloud Orchestrator in a non-English language, the following message might be displayed in English:
    CTJCA2100: The operation failed. See the mail report for additional details.
  • In the Using the IBM Cloud Orchestrator password management tool topic, the following step is not correct and must be removed:

    "4. Optional: Run the following command to create a backup of the current environment:

    ./passwords.sh backup environment
    The program downloads or copies the current environment into the ./passwords.sh-backup directory and then creates an archive file ./passwords.sh-backup-<timestamp>.tgz. The actual and modified Deployment Service environment files are located in the /var/chef/environment directory."
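The soap.client.props problem in the High-Availability item above leaves the bpm_admin password sitting in a comment line of a properties file on both Central Server 2 nodes. The following script is an added example, not part of the fix pack or of the passwords.sh tool; it finds commented com.ibm.SOAP.loginPassword lines that carry a value and blanks only those, leaving the real (uncommented) property alone, so it can be run on each node before and after the manual procedure to confirm the password string is gone. The default path /opt/ibm/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props and the sample file contents are assumptions for the example.

```shell
#!/bin/sh
# Added example (not IBM code): detect and blank a password that passwords.sh
# wrote into the commented-out Kerberos example line of soap.client.props.
# Assumed default location on a Central Server 2 node:
#   /opt/ibm/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props

# Print line number and text of every commented loginPassword line that has a
# value after '='. Exit status 0 means a leaked value was found, 1 means clean.
find_leaked_password() {
    grep -n '^#[[:space:]]*com\.ibm\.SOAP\.loginPassword=.' "$1"
}

# Blank the value on commented loginPassword lines only. The uncommented
# com.ibm.SOAP.loginPassword=... property (normally an {xor} encoded value)
# does not match the leading '#' and is left untouched.
scrub_leaked_password() {
    file="$1"
    tmp="$file.scrub.$$"
    sed 's/^\(#[[:space:]]*com\.ibm\.SOAP\.loginPassword=\).*$/\1/' "$file" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode survive.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample file for a stand-alone run; the {xor} value is a
# placeholder, not a real encoded credential.
make_sample() {
    cat > "$1" <<'EOF'
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=bpm_admin
com.ibm.SOAP.loginPassword={xor}Lz4sLCgwLTs=
# Note: For Microsoft Windows Kerberos native ccache, set the following properties to blank
#               com.ibm.SOAP.krb5CcacheFile=
#               com.ibm.SOAP.loginUserid=
#               com.ibm.SOAP.loginPassword=your_password
#------------------------------------------------------------------------------
EOF
}

# Usage: sh scrub_soap_props.sh /opt/ibm/BPM/v8.5/profiles/Node1Profile/properties/soap.client.props
if [ "$#" -eq 1 ]; then
    if find_leaked_password "$1"; then
        scrub_leaked_password "$1" && echo "blanked leaked password in commented line(s) of $1"
    else
        echo "no leaked password in commented lines of $1"
    fi
fi
```

Run it once on the primary Central Server 2 before copying soap.client.props to the secondary node, and once more on each node afterwards; a second run should report no leaked password. The script edits the file in place, so take a copy first if you want a rollback.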

Open defects

Review the following list of open defects for IBM Cloud Orchestrator on the IBM Support Portal.

Change history

What's new

For information about the new features and enhancements, review the What is new in this release topic in the IBM Knowledge Center.

Additionally, the following enhancement was added to this fix pack:

Prerequisite checker
A prerequisite checker is now included during Deployment Server upgrade and Central Server upgrade.

Click the link in the Download Options column:

Download: ICO 2.4 fixes | Release date: 18 Nov 2016 | Language: English | Size (Bytes): 1 | Download options: HTTP

Technical support

Follow IBM Cloud Tech Support on Twitter | devWorks Blog

Review the IBM Cloud Support BLOG article Enhance your IBM Cloud Support Experience for a complete list of the different support offerings along with a brief description on the best way to use each resource to improve your experience using IBM Cloud products and services.

Problems (APARs) fixed
SE64178, ZZ00316, ZZ00318, ZZ00333, ZZ00373, ZZ00384, ZZ00391, ZZ00406, ZZ00409, ZZ00414, ZZ00422, ZZ00423, ZZ00428, ZZ00430, ZZ00433, ZZ00450, ZZ00455, ZZ00462, ZZ00463, ZZ00465, ZZ00472, ZZ00473, ZZ00475, ZZ00478, ZZ00479, ZZ00492, ZZ00494, ZZ00495, ZZ00496, ZZ00497, ZZ00503, ZZ00504, ZZ00505, ZZ00507, ZZ00509, ZZ00510, ZZ00511, ZZ00512, ZZ00513, ZZ00514, ZZ00516, ZZ00517, ZZ00518, ZZ00519, ZZ00520, ZZ00521, ZZ00522, ZZ00525, ZZ00527, ZZ00531, ZZ00532, ZZ00534, ZZ00536, ZZ00537, ZZ00538, ZZ00539, ZZ00541, ZZ00542, ZZ00543, ZZ00547, ZZ00548, ZZ00550, ZZ00553, ZZ00554, ZZ00558, ZZ00559, ZZ00572, ZZ00577, ZZ00582, ZZ00590, ZZ00594

Document information

More support for: IBM Cloud Orchestrator
Installation

Software version: 2.4.0.4

Operating system(s): AIX, Linux, Windows

Software edition: All Editions

Reference #: C4000049

Modified date: 08 June 2017