Hardware Management Console Readme For use with Version 8 Release 8.2.0 Service Pack 2 Updated: 23 June 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01637 <#MH01637> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01637 This package includes a fix for HMC Version 8 Release 8.2.0 Service Pack 2. You can reference this package by APAR# MB04024 and PTF MH01637. This image must be installed on top of HMC Version 8 Release 8.2.0 SP2 (PTF MH01488) with or without additional fixes . Note: This PTF supersedes MH01573, MH01581, MH01590, MH01599, MH01607, MH01612, and MH01624. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# MH01637.iso 1387819008 2716b28dc19304b60d27ecb71692bb8c1ae0c509 MB04024 MH01637 Splash Panel information (or lshmc -V output) "version= Version: 8 Release: 8.2.0 Service Pack: 2 HMC Build level 20160611.1 MH01637: Fix for HMC V8R8.2.0 SP2 (06-11-2016) ","base_version=V8R8.2.0 " Known Issues: *1. Special Install Instructions: *Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface perform the following: 1. Log in again selecting the Log In option of "Classic". 2. If already logged in to the HMC using Enhanced+ GUI, log off the HMC. 3. Install using the normal installation instructions. Alternatively, install this PTF using CLI. *** * 2. After installing this PTF, the security mode cannot be changed. The *chhmc -c security -s modify --mode nist_sp800_131a* command will fail with "/Invalid Parameter/". List of fixes *Security Fixes* * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Fixed openSSL vulnerabilities: CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, and CVE-2016-2842. * Fixed security scan vulnerability by enabling TLSv1.2 by default for HMC vterm port (9960) when HMC is in Legacy mode. * Fixed Java vulnerability: CVE-2016-3426. *General fixes* * Fixed an issue where backing up the HMC included PCM data even though the user did not select to include PCM data. * Fixed issue where restoring HMC backup data from USB is failing with error "/The media device is not functioning correctly. Contact your service representative./". * Fixed an issue where a newly added usb device did not get an entry in the /etc/fstab table impacting lshw calls. *Previously released fixes also included in this PTF: * * MH01624* 04/22/16 * Fixed multiple OpenSSL security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed multiple Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed Vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed Httpd security vulnerabilities: CVE-2013-5704, CVE-2015-3183 * Fixed libssh2 security vulnerability: CVE-2016-0787 * Fixed NTP security vulnerabilities: CVE-2015-5300, CVE-2015-7704, CVE-2015-8138 * Fixed a security issue with HMC restricted shell. * Fixed issue where lshmc -r command returned incorrect results when displaying the altdiskboot setting. * Fixed an error obtaining credentials that resulted in call home SRC E3D4310A. * MH01612* 03/15/16 * Fixed a Java security issue: CVE-2016-0448 * Fixed a security vulnerability in glibc: CVE-2015-7547 * Fixed an issue where /var/log/slpd.log is not under log rotation control which can lead to serviceable event E212E134 and the /var filesystem becoming full. *MH01607* 02/17/16 * Fixed multiple OpenSSH vulnerabilities involving the ssh client "Roaming" feature: CVE-2016-0777 and CVE-2016-0778 *MH01599* 01/25/16 * * * Fixed multiple OpenSSL Vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794 * Fixed multiple Java Vulnerabilities: CVE-2015-4843, CVE-2015-4868, CVE-2015-4806, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4842, and CVE-2015-4803 * Fixed a security issue with HMC restricted shell * Fixed an issue where the HMC web server may intermittently deadlock. Symptoms include one or more of the following: unable to connect using a browser; browser error "Service Temporarily Unavailable"'; multiple serviceable events for E35A0016 and/or E35A0017; unable to restart due to / file system full from repeated diagnostic dumps. * MH01590* 12/22/15 * * * Fixed Pluggable Authentication Module (PAM) vulnerability: CVE-2015-3238 * Fixed multiple vulnerabilites in Websphere Liberty Profile (WLP): CVE-2015-2017, CVE-2015-1927, and CVE-2015-4938 * MH01581* 11/24/15 *Security Fixes* * Fixed multiple security vulnerabilites in curl: CVE-2014-3613, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148, and CVE-2015-3153 * Fixed openssh vulnerability: CVE-2015-5600 * Fixed multiple NTP vulnerabilities: CVE-2015-1798, CVE-2015-1799, and CVE-2015-3405 *General fixes* * Enhanced the error handling and reporting if a deadlock should occur. * Fixed a problem where an unsuccessful call home of a serviceable event incorrectly prevents the customer notification from being sent. * Fixed an issue where creating a sysplan fails may fail with error “/System plan formatting is not valid for the following reasons: Inventory Gathering/” when virtual fibre channel adapters are configured. * Fixed Repair and Verify procedure for serviceable event BA15D001 when the slot contains a 4 port Ethernet adapter. * Fixed an issue where the HMC Format media task may not detect a working USB flash drive as a possible target for the format operation. * Updated safety instructions for non-concurrent system planar and other exchanges that require part of the system to be disassembled, for POWER 8 servers. * Enhanced diagnostics for HMC Performance and Capacity Monitor related issues. * Fixed an issue where rrstartlpar command could only be executed by a user with hmcsuperadmin user role. Users with hmcoperator and hscpe roles can now execute the command; consistent with the roles required for other migration operations. * Fixed an issue where displaying server utilization snapshot data incorrectly included hourly data. * Fixed an issue where the user specified utilization data sample rate is ignored and a sample rate of 30 seconds was used instead. * Fixed an issue with a Power Supply Exchange procedure that may incorrectly cause serviceable event B1602A33 to be reported during the repair. * HMC will now display incomplete (and not save area version mismatch) if a HMC with this PTF is connected to a server that was previously managed by a HMC at a later version such as V8 R8.4.0. * Fixed an issue of where enabling “remote operation” in the GUI does not persist the firewall change to open ports 443, 12443, and 9960 (remote web access). The firewall will be disabled the next time a user changes another setting via "Change Network Settings" panel. * Updated the error message returned by lslic command when the server is not in a connected state. Old message: “/An unknown error occurred while trying to perform this command. Retry the command. If the error persists, contact your software support representative/.” New message: “/HSCF0004E An error occurred trying to survey the target FSP-P.// //Please verify the connection to the managed system./”. * Enhanced HMC diagnostics for serviceable events E2FF1801. * Fixed a problem that can result in multiple reports of serviceable events E35A0016 AND E35A0017 * Fixed a rare, intermittent problem that can cause RMC to hang; requiring an HMC reboot to recover. * Fixed an issue where after an upgrade to HMC V8 R8.2.0 Service Pack 2 (MH01488), ldap users are no longer able to login to the HMC, and lshmcldap -r user throws an exception: “/The command lshmcldap failed. / Details: /…// //Create LDAP Context// //<-> initLdapContext getting exception!// //ERROR: Can't initialize LdapContext!// //javax.naming.CommunicationException: // //exception is java.net.SocketException:// //java.security.NoSuchAlgorithmException: SSLContext Default// //implementation not found: ]// //com.sun.jndi.ldap.Connection.(Connection.java:213)// //com.sun.jndi.ldap.LdapClient.(LdapClient.java:128)// //…/ * Fixed an issue where the dhcpd lease files may grow indefinitely leading to /var disk full errors. *MH01573* 10/19/15 *Security Fixes* * Miscellaneous security updates including: o Timezone 2015f update o httpd/mod_ssl updates o krb5 updates: CVE-2014-5352, CVE-2014-9421, and CVE-2014-9422 o ntp updates: CVE-2014-9297 and CVE-2014-9298 o strongswan updates: CVE-2015-4171 o autofs update: CVE-2014-8169 o gnutls updates: CVE-2014-8155, CVE-2015-0282, and CVE-2015-0294 * Security fix for glibc libraries (CVE-2013-7424) * Security fix for libuser library (CVE-2015-3245, CVE-2015-3246) * Security fix for net-snmp (CVE-2014-3565) *General fixes* * Fixed an issue where deploy system plan may fail with unknown error. * Fixed an issue where a serviceable event customer notification is not sent when the callhome fails. * Fixed issue with problem callhome with some blades and Flex ITEs. * Fix to include the Alternate phone (Phone2) field in the problem (PMH) contact information. * Fixed an issue where the keyboard setting may be reset to default values after reboot. * Fixed a problem where HMC may stop responding on port 12443 impacting applications such as PowerVC. * Fixed an issue with data replication to prevent an error during configuration resulting in message "The Hardware Management Console at the specified address could not be reached or is not at the appropriate level of code to be used as a data source" * Added additional pedbg collections for field issues Back to top <#ibm-content> Installation *Special Install Instructions: *Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface perform the following: 1. If already logged in to the HMC using Enhanced+ GUI, log off the HMC. 2. Log in again selecting the Log In option of "Classic". 3. Install using the normal installation instructions. Alternatively, install this PTF using CLI. *** * Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations: Upgrading or restoring HMC Version 8 Installation methods for HMC Version 8 fixes Instructions and images for upgrading via a remote network install can be found here: HMC V8 network installation images and installation instructions Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>