PTF MH01520 Readme

Hardware Management Console Readme

For use with Version 8 Release 8.1.0 Service Pack 1

Contents

The information in this Readme contains fix list and other package information about the Hardware Management Console.

PTF MH01520
Package information
List of fixes
Installation
Additional information

PTF MH01520

This package includes fixes for HMC Version 8 Release 8.1.0 Service Pack 1. You can reference this package by APAR# MB03908 and PTF MH01520. This image must be installed on top of HMC Version 8 Release 8.1.0 SP1 (MH01420) with or without additional fixes.

NOTE: This PTF is cumulative and supersedes MH01474, MH01465, MH01468, MH01481, MH01492, MH01494, MH01498 and MH01506.

*Package information*
Package name	Size	Checksum (sha1sum)	APAR#	PTF#
MH01520.iso	1256368128	72e7db08cfb3391295abca98e59f84cb24e46ead	MB03908	MH01520
Splash Panel information (or lshmc -V output)
"version= Version: 8 Release: 8.1.0 Service Pack: 1 HMC Build level 20150504.1 MH01520: Fix for various updates (05-07-2015) ","base_version=V8R8.1.0 "

List of fixes

Security Fixes
This PTF includes fixes for the following security vulnerabilities:

Fixed multiple vulnerabilities in OpenSSL: CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787
Fix for RC4 stream cipher “Bar Mitzvah” vulnerability: CVE-2015-2808

General fixes

RC4 based ciphers have been disabled.

Previously released fixes also included in this PTF:

MH01506 04/06/2015	Security Fixes CVE-2015-0204, CVE-2015-0138 (Freak), CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423, CVE-2013-1418, CVE-2013-6800, CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345 General Fixes Fixed a problem where HMC was enabling weak ciphers that were not in the lshmcencr enabled cipher list.
MH01498 03/17/2015	Security Fixes Fixed multiple vulnerabilities in IBM Java SDK: CVE-2015-0410 and CVE-2014-6593 NTP security fix for CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296
MH01494 02/10/15	Enhancements This PTF disables SSLv3 protocol on HMC user interfaces. It uses only TLSv1.2 for HMC/FSP connections for server firmware levels that support TLSv1.2. After applying this PTF, remote access to the HMC (Browser, ASM, vterm, 5250 console) will require clients that support TLSv1.0 or TLSv1.2. Security Fixes Fix for GNU C library (glibc) vulnerability that has been referred to as GHOST: CVE-2015-0235 openssl security fixes for: CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2014-3569, CVE-2015-0205, CVE-2015-0206 General fixes Fixed an issue where after an HMC upgrade, lshmcencr may list no active ciphers with weak ciphers enabled on the web GUI. Fixed a problem where the GUI and lshmc -V output may not show PTF information correctly for all applied PTFs. Fixed a problem where serviceable events E35A0017 and E35A0016 are reported. Fixed a problem where intermittently, a POWER8 server with firmware EC level 01AF820 may go to a No Connection state with connection_error_code of 02FF-0003-008087E9 after a FSP restart. Restrictions : Currently in legacy security mode of HMC, it supports only TLSv1.0 Protocol only, not TLSv1.1 nor TLSv1.2. When moved to NIST SP800-131a security mode, it supports only TLSv1.2.
MH01492 01/23/15	Fixed an issue where pressing F10 in the vterm console Java window hangs the HMC GUI.
MH01481 12/17/14	Enhancements This PTF disables SSLv3 on the HMC user interfaces. After applying this PTF, remote access to the HMC (Browser, ASM, GUI vterm, and pegasus) will require clients that support TLSv1.0 IBM i secure remote 5250 console will require TLSv1.1 or higher. The PTF also disables all ciphers except TLSv1.2 on HMC/FSP connections where the server firmware level supports it. For HMCs set to security mode nist_sp800_131a, this PTF changes the HMC-Server FSP encryption mode to enforce TLS1.2. This implies that all POWER6 and POWER7 servers must be upgraded to a firmware level that supports TLS1.2 prior to apply of this PTF when using nist_sp800_131a security mode. Security Fixes CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568, CVE-2014-6512, CVE-2014-3566, CVE-2014-6457, CVE-2014-6558 Fixed a problem where the HMC local login’s browser session attempts to connect to external, non-IBM IP addresses. General fixes Reduced the amount of memory used. This may correct “out of memory” errors such as serviceable event E355004C as well as /var full on some HMCs; particularly on HMCs with the minimum amount of memory. Fixed a problem where the SRIOVLogicalPort configured on any Physical Port shows the location as associated with Physical Port T1 always. Fixed a problem where activation of Partition Firmware (PFW) may fail during a concurrent server firmware update. Fixed problem where HMC boot process can hang for hours during rotation of corrupted log file Fixed a problem where creating or deploying a new partition as a user other than hscroot fails. Errors include HSCL350B on the HMC and “Error creating instance: HTTP error for PUT /rest/api/uom/ManagedSystem/fbd55c40-4802-3d95-b165-b6111e47a3d2/LogicalParition: 500 (Internal Server Error)” from PowerVC.
MH01468 10/21/14	Fixed an issue where restore critical console data from USB flash drive fails. Fixed an issue where after applying Service Pack 1, some PowerVC and “enhanced” GUI tasks fail with the error "3003c 2610-366 The action array contains an undefined action name at index 0: VioService."
MH01465 10/09/14	Fix for Russian Time Zone changes
MH01474 10/01/14	Fix for the following bash security vulnerabilities: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

Installation

Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations:

Upgrading or restoring HMC Version 8

Installation methods for HMC Version 8 fixes

Instructions and images for upgrading via a remote network install can be found here:

HMC V8 network installation images and installation instructions

Additional information

Notes:

The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service.
This image requires DVD -R media.
To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted.
The updhmc command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example:
updhmc -t s -h <myservername> -f </home/updates/corrrective_service.iso> -u <HMC_username> -i

In all cases, the HMC application extracts the files needed to install the corrective service.