Expert Guide, NewsIBM Storage Protect Server Release 8.1.18: Information and recommended actions

Open Snap Store Manager (OSSM) now also for AIX

IBM has not introduced any major functional innovations in this release. Only the Open Snap Store Manager (OSSM) is now also available for AIX.

Fixed security vulnerabilities

DB2 code

IBM has closed some security holes in this release, most of which affect the DB2 code. These are potential Denial of Service attacks or unauthorized information retrieval from DB2. All vulnerabilities are rated medium critical by the current CVSS score.

Oracle Java SE and Oracle GraalVM Enterprise Edition

An unspecified vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition related to the security component could allow an unauthenticated attacker to cause a denial of service resulting in low availability by using unknown attack vectors.

Attack target: denial of service

Attack vector: network

Existing attack scenarios: Not known

Impact: Low

Golang Go

Golang Go is vulnerable to a denial of service caused by a flaw in the Go server's handling of HTTP/2 requests. By sending a specially crafted key, a remote attacker can exploit this vulnerability to cause excessive memory growth, leading to a denial of service situation.

Attack Target: Denial of Service

Attack vector: network

Existing attack scenarios: Not known

Impact: Low

IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5

IBM Db2 for Linux, UNIX, and Windows 11.1 and 11.5 may be vulnerable to a denial of service if a specially crafted "load" command is executed.

Attack target: Denial of Service

Attack vector: Network

Existing attack scenarios: Not known

Impact: High

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1 and 11.5 : Rights Management

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1 and 11.5 is vulnerable to information disclosure due to improper rights management when using specially crafted table access.

Attack target: Information leak

Attack vector: Local

Existing attack scenarios: Not known

Impact: High

Information leak

IBM Db2 for Linux, UNIX, and Windows 10.5, 11.1, and 11.5 is vulnerable to information disclosure because sensitive information may be contained in a log file.

Attack target: Information leak

Attack vector: Local

Existing attack scenarios: Not known

Impact: High

Resolved issues in Spectrum Protect Server

Furthermore, IBM has fixed some important issues that have been rated very high by Severity.

The APAR IT43049 describes a problem in ISP 8.1.16 or 8.1.17 that can lead to I/O errors when using scratch tapes with 3592 drives when Drive Encryption is active, which can have a massive impact on operation:

https://www.ibm.com/support/pages/apar/IT43049

Another problem, which was solved in 8.1.18, concerns the export of data over a server-to-server connection. Here, under certain conditions, it can happen that the data is lost on the target server:

https://www.ibm.com/support/pages/apar/IT42949

The 8.1.18 release of Storage Protect Server also fixes a number of issues that can cause the server to crash under certain conditions.

Also solved are problems that lead to hanging processes. For example, in the case of directory container storage pools, old extents were no longer deleted, resulting in growth in the utilization of the storage pool. Other problems related to tiering, NDMP backups, node replication, container storage pools and storage rules have also been resolved.

Sources and downloads

APAR list

The full APAR list can be viewed at the following link:

https://www.ibm.com/support/pages/server-apars-fixed-ibm-spectrum-protect-server-version-81-fix-pack-levels#8118

Current version of IBM Storage Protect Server

The current version of the IBM Storage Protect Server can be downloaded from the following link:

https://www.ibm.com/support/pages/node/6953019