Open Snap Store Manager (OSSM) now also for AIX
IBM has not introduced any major functional innovations in this release. Only the Open Snap Store Manager (OSSM) is now also available for AIX.
Fixed security vulnerabilities
DB2 code
IBM has closed several security holes in this release, most of which affect the DB2 code. They allow potential denial-of-service attacks or unauthorized retrieval of information from DB2. All of these vulnerabilities are rated as medium severity by their current CVSS score.
Oracle Java SE and Oracle GraalVM Enterprise Edition
An unspecified vulnerability in the security component of Oracle Java SE and Oracle GraalVM Enterprise Edition could allow an unauthenticated attacker to cause a denial of service with a low availability impact, using unknown attack vectors.
Attack target: Denial of service
Attack vector: Network
Existing attack scenarios: Not known
Impact: Low
Golang Go
Golang Go is vulnerable to a denial of service caused by a flaw in the Go server's handling of HTTP/2 requests. By sending a specially crafted key, a remote attacker can exploit this flaw to cause excessive memory growth, resulting in a denial of service.
Attack target: Denial of service
Attack vector: Network
Existing attack scenarios: Not known
Impact: Low
IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5
IBM Db2 for Linux, UNIX, and Windows 11.1 and 11.5 may be vulnerable to a denial of service if a specially crafted "load" command is executed.
Attack target: Denial of service
Attack vector: Network
Existing attack scenarios: Not known
Impact: High
IBM Db2 for Linux, UNIX and Windows 10.5, 11.1 and 11.5: Rights management
IBM Db2 for Linux, UNIX and Windows 10.5, 11.1 and 11.5 is vulnerable to information disclosure due to improper rights management when using specially crafted table access.
Attack target: Information leak
Attack vector: Local
Existing attack scenarios: Not known
Impact: High
Information leak
IBM Db2 for Linux, UNIX, and Windows 10.5, 11.1, and 11.5 is vulnerable to information disclosure because sensitive information may be contained in a log file.
Attack target: Information leak
Attack vector: Local
Existing attack scenarios: Not known
Impact: High
Resolved issues in Spectrum Protect Server
Furthermore, IBM has fixed several important issues that it has rated as very high severity.
APAR IT43049 describes a problem in ISP 8.1.16 and 8.1.17 that can lead to I/O errors when using scratch tapes on 3592 drives with drive encryption active, which can have a severe impact on operations:
https://www.ibm.com/support/pages/apar/IT43049
Another problem, solved in 8.1.18, concerns the export of data over a server-to-server connection: under certain conditions, the data can be lost on the target server:
https://www.ibm.com/support/pages/apar/IT42949
The 8.1.18 release of Storage Protect Server also fixes a number of issues that can cause the server to crash under certain conditions.
Problems that led to hanging processes have also been solved. For example, in directory container storage pools, old extents were no longer deleted, causing the utilization of the storage pool to grow. Further problems related to tiering, NDMP backups, node replication, container storage pools and storage rules have also been resolved.
Sources and downloads
APAR list
The full APAR list can be viewed at the following link:
Current version of IBM Storage Protect Server
The current version of the IBM Storage Protect Server can be downloaded from the following link:
https://www.ibm.com/support/pages/node/6953019