Hardware Management Console Readme For use with Version 8 Release 8.3.0 Service Pack 2 Date: 20 October 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01661 <#MH01661> * Package information <#package> * List of fixes <#fixes> * Installation (Please read special instructions.) <#install> * Additional information <#additional> PTF MH01661 This package includes a fix for HMC Version 8 Release 8.3.0 Service Pack 2. You can reference this package by APAR MB04048 and PTF MH01661. This image must be installed on top of HMC Version 8 Release 8.3.0 Service Pack 2 (PTF MH01540) with or without additional fixes. Note: This PTF supersedes PTF MH01625, MH01631, MH01638 and MH01647. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# MH01661.iso 1344118784 2fca4cecb3281bc08db92f2bb5bdc06df32649c5 MB04048 MH01661 Splash Panel information (or lshmc -V output) "version= Version: 8 Release: 8.3.0 Service Pack: 2 HMC Build level 20161014.1 MH01661: Fix for HMC V8R8.3.0 SP2 (10-14-2016) ","base_version=V8R8.3.0 " Known Issues:* * 1*._Special Install Instructions_* Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface perform the following: 1. Log in again selecting the Log In option of "Classic". 2. If already logged in to the HMC using Enhanced+ GUI, log off the HMC. 3. Install using the normal installation instructions. Alternatively, install this PTF using CLI. 2. A vterm console window cannot be opened by the GUI on the local HMC console when the HMC is in legacy security mode. You can use the mkvterm or vtmenu command on the local HMC console or use the GUI remotely to open a vterm. A fix is planned for a future PTF. List of fixes *Security Fixes* * Fixed IBM Websphere Application Server (WAS) vulnerabilities: CVE-2016-0378 and CVE-2016-5986. * Fixed Apache Tomcat vulnerability: CVE-2016-3092. * Set the X-Frame-Options HTTP response header from all HMC /dashboard URLs to instruct the browser to not allow framing from other domains. This change is intended to prevent Clickjacking attacks. * Disabled TLS 1.0 for HMC ports 443, 9920 and 9960 in legacy security mode. *General **Fixes* * Fixed a problem with backup and restore tasks where after restoring a backup and rebooting the HMC users may not be able to login to the HMC GUI and all REST API connection requests are rejected. After applying this fix, perform a new HMC backup and discard any older backups. After a scratch install of the HMC, this PTF should be applied prior to restoring the backup. * Fixed a problem where some GUI views of system firmware levels such as the Updates, System Code Levels table incorrectly show a deferred level of none (or blank) when a deferred level exists. * Fixed an issue where applying a fix or service pack could cause a user that launches vterm or other applets remotely to encounter a security error. The java console log will show error "javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name" even though the host name is correct. * Fixed a problem that resulted in a false report of SRC E2FF1801 and SRC E2FF1800. These SRCs typically occur when running the software or performance inventory tasks on an HMC that is managing a large number of servers even though the inventory tasks complete successfully. *Previously released fixes also included in this PTF: * * MH01647* 08/18/16 * Fixed Apache Tomcat Vulnerability: CVE-2016-3092. * Fixed multiple NTP vulnerabilities: CVE-2015-7703, CVE-2016-1547,CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518. * Fixed multiple OpenSSH vulnerabilities: CVE-2015-5352, CVE-2015-6563, CVE-2015-6564, CVE-2016-3115 and CVE-2016-1908. * Fixed IBM Websphere Application Server (WAS) vulnerability: CVE-2016-2923. * Updated the expiration date for the vterm applet. * Fixed an issue where, after successfully applying a concurrent server firmware update, the HMC Change Licensed Internal Code panel could show an incorrect pending deferred firmware level. The problem does not impact the GUI view levels task or lslic command. This issue is only exposed by a rare type of concurrent server firmware update which has never been released in the field but could occur in the future. * Fixed an issue where HMC backups to a remote server may fail with /rc=26 permission denied/ when the remote user has write access to the target. The problem only occurs when a previous backup was done and the remote user does not have the permissions to overwrite an existing RemoteAccessFile.Test file. * Fixed an issue that caused the HMC to repeatedly call home SRC E35A0021 to report that the Solid DB size exceeded the threshold limit of 80% even though the threshold limit had not actually been exceeded. * Fixed an issue where after installing a PTF the security mode could not be changed due to an "/Invalid Parameter/" error from chhmc command. *MH01638* 06/26/16 * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed security scan vulnerability by enabling TLSv1.2 by default for HMC vterm port (9960) when HMC is in Legacy mode. * Fixed Java vulnerability: CVE-2016-3426 * Fixed Power Hardware Management Console: CVE-2016-0230 * Fixed an issue where backing up the HMC included PCM data even though the user did not select to include PCM data. * Fixed an issue where a newly added usb device did not get an entry in the /etc/fstab table impacting lshw calls. * Implemented associations between CEC and Lpars during heartbeat reporting for the Entity ID (e.g., EPS/RCHR00000001) of Lpar and id if CEC have a relationship of "containedIn" in the associations table. * Included Entity ID in the email notifications sent to the customer after call home transactions. * Fixed an issue where the call home from the Manage Dumps panel was uploading incomplete data. * Fixed an issue with chhmc where adding a name server failed silently. * MH01631* 05/15/16 * Fixed a Repair & Verify issue on systems utilizing the 24 inch frame with a power subsystem where users can experience a failure of concurrent service maintenance activities on power components within the CEC enclosure, the Power Subsystem enclosure, and any installed I/O devices within the frame. Servers impacted include the POWER 575, 590, 595, 795: models 9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB; 9406-595. Errors include: "/An internal error occurred when the management console attempted to validate the service network. Some or all of the required network resources may not be available. Contact your next level of support for problem determination/." and "/Redundancy status could not be determined for the FRU in location: U5791.001.XXXXXXX-Ex"(example) The FRU cannot be exchanged concurrently. The IO Drawer must be powered off and partitions may need to be shut down to continue the repair./ " * Fixed an issue where call home was attempting to establish a connection to the old (pre HMC V8R8.3) callhome servers even when not using legacy callhome. If the legacy callhome addresses were blocked by a firewall, call home may fail. * MH01625* 04/25/16 * Fixed OpenSSL security vulnerabilities; CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed the following Httpd security vulnerabilities: CVE-2013-5704 CVE-2015-3183 * Fixed libssh2 security vulnerability CVE-2016-0787 * Fixed ntp security vulnerabilities; CVE-2015-5300, CVE-2015-7704, CVE-2015-8138 * Fixed a security issue with HMC restricted shell. * Fixed issue where lshmc -r command returned incorrect results when displaying the altdiskboot setting. * Fixed a rare deadlock condition that can cause the HMC to hang within several days of encountering the deadlock. Symptoms include HMC no longer allowing GUI logins, CLI failing with "/command server failed/" errors. * Fixed a problem where serviceable event E3690102 may be incorrectly reported during the install of a HMC PTF. * Fixed a problem where attempting to restore a HMC backup from USB flash will fail with error "/The media device is not functioning correctly. Contact your service representative./" if the backup is less than 3GB in size. * Fixed a problem where attempting to deploy an AIX image using PowerVC to a HMC that manages multiple servers, some of which support only linux only, may fail due to the Linux only server being selected for deploy. * Fixed a rare issue where serviceable event E355092F may be incorrectly reported. * Fixed an error obtaining credentials that resulted in call home SRC E3D4310A. Back to top <#ibm-content> Installation *_Special Install Instructions_* Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface perform the following: 1. Log in again selecting the Log In option of "Classic". 2. If already logged in to the HMC using Enhanced+ GUI, log off the HMC. 3. Install using the normal installation instructions. Alternatively, install this PTF using CLI. Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations: Upgrading or restoring HMC Version 8 Installation methods for HMC Version 8 fixes Instructions and images for upgrading via a remote network install can be found here: HMC V8 network installation images and installation instructions Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>