Hardware Management Console Readme For use withVersion 7 Release 7.9.0 Service Pack 3 Updated: 28 October 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01644 <#MH01644> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01644 This package includes fixes for HMC Version 7 Release 7.9.0 Service Pack 3. You can reference this package by APAR MB04029 and PTF MH01644. This image must be installed on top of HMC Version 7 Release 7.9.0 Service Pack 3 (MH01546) *_with_* MH01635 installed. Note: This PTF supersedes MH01597, MH01605, MH01610, MH01622, and MH01628. /Package information (PTF size and checksum updated 8/26/16)/ Package name Size Checksum (sha1sum) APAR# PTF# MH01644.iso 2075924480 b5ff6a1d583068da6840f8bb42366ab69dd29f01 MB04029 MH01644 Splash Panel information (or lshmc -V output) * *"version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20160825.1 MH01644: security updates (08-25-2016) ","base_version=V7R7.9.0 " Command line changes * Enhanced the chhmcencr and lshmcencr commands to support user configuration of the encryption ciphers and Message Authentication Code (MAC) algorithms used by the HMC Secure Shell (SSH) interface. Known Issues * Using the lshmcencr command enhancements to list the current SSH encryptions will initially show no results (l*shmcencr -c ssh -t c*). This indicates the default list of all the supported SSH ciphers is currently configured. Once a user modifies the defaults using the *chhmcencr -c ssh* command, the list command will correctly return the active ciphers. * This PTF has been rebuilt to resolve an issue that can cause one or more managed servers to go to an "incomplete" state. The impacted PTF has a build date of 08-16-2016. Users that have already applied the 08-16 build of MH01644 should download the new build and re-apply the PTF, even if they are currently not encountering any symptoms. Impacted build: "version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20160816.1 MH01644: security updates (08-16-2016) ","base_version=V7R7.9.0 " * ASM for POWER5 servers will launch a blank white screen and eventually a "Connection timed out" error if PTF MH01635 is not installed prior to MH01644 or MH01659. The install order and supersedes lists have been updated to include PTF MH01635 prior to installing either MH01644 or MH01659. List of fixes *Security Fixes* * Fixed Apache Tomcat Vulnerability: CVE-2016-3092. * Fixed multiple NTP vulnerabilities: CVE-2015-7703, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518. * Fixed multiple OpenSSH vulnerabilities: CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and CVE-2016-1908. * Fixed IBM Websphere Application Server (WAS) vulnerability: CVE-2016-2923. **General Fixes* * * Updated the expiration date for the vterm applet. The current certificate expires August 25th 2016. * Fixed an issue where, after successfully applying a concurrent server firmware update, the HMC Change Licensed Internal Code panel could show an incorrect pending deferred firmware level. The problem does not impact the GUI view levels task or lslic command. This issue is only exposed by a rare type of concurrent server firmware update which has never been released in the field but could occur in the future. * Fixed an issue where HMC backups to a remote server may fail with /rc=26 permission denied/ when the remote user has write access to the target. The problem only occurs when a previous backup was done and the remote user does not have the permissions to overwrite an existing RemoteAccessFile.Test file. * Fixed a problem where HMC to HMC communication intermittently fails resulting in serviceable event B3036620. Other symptoms include failure to negotiate a primary HMC for problem analysis which can result in failure to report a server serviceable event or calling home the same event twice. Repeated occurrences of the B3036620 without a HMC reboot can eventually lead to a hang of the HMC where users are unable to login via the GUI or run commands via ssh. * No longer initialize the OS version the HMC shows for VIOS partitions with the underlying OS kernel version information. This practice sometimes caused the OS version shown for VIOS partitions to be the base AIX version, or to be the VIOS OS version appended with the AIX OS version distribution number. After this fix, if the HMC is unable to query the OS version information from the VIOS, the OS version shown will be blank. * Changed the backup critical console data function to no longer fail when the backup of performance monitoring data fails. With this fix, a warning is reported if the performance monitoring data is not successfully backed up and the backup function continues. Prior to this fix, the backup function failed with the wrong error. * Fixed a rare timing issue where attempting to view properties on a powered off server can cause the HMC to lose connection to all managed servers until the next HMC reboot. SRC E23D040A may be reported due to the core dump of the hdwr_svr process. * Fixed a problem where, on the local HMC console session, the HMC Management > Open Restricted Shell Terminal GUI task is not displayed for any HMC user except hscroot. * Fixed an issue where a managed system may go into an Incomplete state after removing I/O hardware due to stale data in the hardware discovery cache causing an unhandled NullPointerException. * Fixed an issue that impacts partition profiles that contain SR-IOV logical ports and also contain virtual Ethernet adapters that use non-default vSwitches. After the first activation of the profile, any non-default vSwitches used by virtual Ethernet adapters in the profile will be changed to the default vSwitch. The user must edit all affected profiles to restore the original vSwitch names/ / *Previously released fixes also included in this PTF: * * MH01635* 6/23/16 * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Removed support for all the Ciphers which are less than or equal to 1024 bits for port 443. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed Java vulnerability: CVE-2016-3426 * Fixed Power Hardware Management Console: CVE-2016-0230 * Fix gnutls security vulnerabilities: CVE-2015-2806 and CVE-2015-8313 * Fixed an issue with the "mu" key not working when using an IBM spacesaver keyboard with the Japanese keyboard layout. * Fixed an issue with pedbg failing to collect all the necessary data when the zip file exceeded 2GB. * Fixed an issue where the event log showed HSCL05E9 when activating new partitions. * Fixed a backup issue where PCM data was included even though the user did not select to include PCM data./ / * MH01628* 05/16/16 * Disabled DHE ciphers with private key less than or equal to 1024 bits. * Enhanced logging for serviceable event E212E122 logged against /dev./ / * MH01622* 04/22/16 * Fixed the following openssl security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed Vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed a security issue with HMC restricted shell. * Fixed a Repair & Verify issue on systems utilizing the 24 inch frame with a power subsystem where users can experience a failure of concurrent service maintenance activities on power components within the CEC enclosure, the Power Subsystem enclosure, and any installed I/O devices within the frame. Servers impacted include the POWER 575, 590, 595, 795: Models 9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB; 9406-595. Errors include: "/An internal error occurred when the management console // //attempted to validate the service network. Some or all of the // //required network resources may not be available. Contact your // //next level of support for problem determination/." and "/Redundancy status could not be determined for the FRU in // //location: // //U5791.001.XXXXXXX-Ex" (example) // // // //The FRU cannot be exchanged concurrently. The IO Drawer must be// //powered off and partitions may need to be shut down to continue// //the repair. /" ** * Fixed an issue where serviceable event E212E115 may be reported against rmcd during performance information transmission. * Fixed a rare deadlock issue that required a HMC reboot to recover. Symptoms include unable to login GUI remotely; CLI commands fail with "/command server failed/" errors; partition mobility failing with H/SCLA200 An unknown error occurred during the partition migration./ * MH01610* 03/15/16 * Fixed a Java security issue: CVE-2016-0448 * Fixed security vulnerabilities in glibc: CVE-2015-7547, CVE-2014-9761, CVE-2015-8776, CVE-2015-8777, and CVE-2015-8778 * Enabled all TLS protocols on vterm(9960), FCS(9920) and remote web access(12443) ports. * Fixed an issue during Remote Restart to prevent the lpars going into open firmware state on the target managed system because storage mappings/adapters were missing. The HMC will now report a valid error when an exception is hit and will display the correct Remote Restart status. * MH01605* 02/17/16 * Fixed multiple OpenSSH vulnerabilities involving the ssh client "Roaming" feature: CVE-2016-0777 and CVE-2016-0778 * Fixed multiple Vulnerabilities in NTP : CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871 * Fixed an issue where the managed servers go to an Incomplete state when the RMC interface has a blank (null) ipv4 or ipv6 value. * Fixed an issue where /var may fill up with core dumps when Pegasus server is enabled and in use by a remote client. * MH01597* 1/25/16 * Fixed multiple OpenSSL Vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794 * Fixed multiple Java Vulnerabilities: CVE-2015-4843, CVE-2015-4868, CVE-2015-4806, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4842, and CVE-2015-4803 * Fixed an issue where the HMC web server may intermittently deadlock. Symptoms include one or more of the following: unable to connect using a browser; browser error "Service Temporarily Unavailable"'; multiple serviceable events for E35A0016 and/or E35A0017; unable to restart due to / file system full from repeated diagnostic dumps. Back to top <#ibm-content> Installation Installation instructions for HMC Version 7 upgrades, updates and corrective service can be found at these locations: Installation methods for HMC Version 7 updates and fixes Upgrading or restoring HMC Version 7 Instructions and images for upgrading via a remote network install can be found here (for all HMC releases): HMC network installation images Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>