Security fixes

IBM Cloud Pak System has identified and fixed user interface pages and fields that are prone to security issues because of non-permissible characters.

Note: The non-permissible characters are angle brackets (< >), percent sign (%), question mark (?), ampersand (&), semicolon (;), and equals sign (=).
Some of the important security fixes in IBM Cloud Pak System:
  • For security reasons, passwords that you enter during the design and deployment of patterns in IBM Pattern Builder are not stored in the browser cache.
  • Page loading may slow down because of the no-store flag in the Cache-Control header. To resolve the issue, search for cacheControl in the file /opt/ibm/rainmaker/purescale.app/private/expanded/ibm/purescale.ui.base-4.1.0.0/config/zero.config and remove the no-store flag so that the entry reads as follows:
    /config/security/cacheControl = [
         "must-revalidate",
         "max-age=0",
         "private",
         "no-cache"
    ]

    After you update the cacheControl, restart service60.

  • The Catalog of IBM Cloud Pak System includes security validation for Script Packages and Add-Ons. When you create a new add-on or script package, browse to select a package with a zip, tgz, gar, or gz extension. A security validation checks whether the uploaded compressed file is valid. Issues in packages that were uploaded by using versions earlier than V2.3.1.x cannot be undone. For uploads other than Script Packages and Add-Ons, manually check that the file does not contain non-permissible characters.
  • The Cloud Pak System sanitizes the input strings in the JavaScript files of the HTTP server and does not allow you to enter non-permissible characters in field values. A validation strategy first checks whether the input string conforms to a list of acceptable inputs; if it does not, the input is transformed into a format that conforms to the specification.
  • The Cloud Pak System removes non-permissible characters from content before it is sent to the web browser as a JavaScript segment, which may also include HTML, Flash, or any other type of code that the browser may run. A validation strategy checks whether the input conforms to a list of acceptable input specifications. If you pass a URL that contains non-permissible characters, a forbidden page error message is displayed.
  • Whenever you pass content by using the REST API, the Cloud Pak System validates the content for non-permissible characters and then either converts it to an acceptable format or rejects it.
  • When you deploy virtual system patterns in the Patterns > Virtual System Patterns page, note that the deployment name cannot begin with special characters, such as plus ('+'), hyphen ('-'), at symbol ('@'), or equals sign ('='). If you enter any of these characters at the beginning of the deployment name, the following error message is displayed:
    CMPRE0007E: The input JSON is not valid or prone to XSS attacks.
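The two validation strategies described above (accept conforming input, otherwise transform it to a safe encoding or reject it) and the deployment-name rule, as an added example that is not IBM Cloud Pak System code; the character sets and the CMPRE0007E message come from this page, while the function names and the entity-encoding choice are assumptions.

```javascript
// Added illustration, not IBM Cloud Pak System code. Character sets and the
// error message are taken from the page; function names are assumptions.

// Non-permissible characters listed in the Note above.
const NON_PERMISSIBLE = new Set(['<', '>', '%', '?', '&', ';', '=']);

// Encoding used by the "transform" branch (assumed: HTML entity encoding).
const ENTITY = {
  '<': '&lt;', '>': '&gt;', '%': '&#37;', '?': '&#63;',
  '&': '&amp;', ';': '&#59;', '=': '&#61;',
};

function hasNonPermissible(value) {
  return [...String(value)].some((ch) => NON_PERMISSIBLE.has(ch));
}

// Field-value strategy: pass conforming input through unchanged, otherwise
// transform it into a conforming form instead of rejecting it.
function sanitizeField(value) {
  if (!hasNonPermissible(value)) return { ok: true, value, transformed: false };
  const encoded = [...String(value)].map((ch) => ENTITY[ch] ?? ch).join('');
  return { ok: true, value: encoded, transformed: true };
}

// URL / REST strategy: reject non-conforming content outright, which is what
// the user sees as the forbidden page.
function validateOrReject(value) {
  if (hasNonPermissible(value)) {
    return { ok: false, status: 403, reason: 'non-permissible characters' };
  }
  return { ok: true, status: 200, value };
}

// Deployment-name rule: the first character must not be + - @ or =.
const LEADING_FORBIDDEN = new Set(['+', '-', '@', '=']);

function validateDeploymentName(name) {
  const first = String(name)[0];
  if (first === undefined || LEADING_FORBIDDEN.has(first)) {
    return { ok: false, message: 'CMPRE0007E: The input JSON is not valid or prone to XSS attacks.' };
  }
  return { ok: true, value: name };
}

// Constructed sample inputs run when executed directly.
for (const v of ['db-host', '<script>', 'a=b&c']) console.log(sanitizeField(v));
console.log(validateOrReject('search?x'));
console.log(validateDeploymentName('-prod'), validateDeploymentName('prod-1'));
```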