Hardware Management Console Readme For use withVersion 7 Release 7.9.0 Service Pack 3 Date: 28 November 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01666 <#MH01666> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01666 This package includes fixes for HMC Version 7 Release 7.9.0 Service Pack 3. You can reference this package by APAR MB04054 and PTF MH01666. This image must be installed on top of HMC Version 7 Release 7.9.0 Service Pack 3 (MH01546) with or without additional PTFs installed. Note: This PTF supersedes MH01597, MH01605, MH01610, MH01622, MH01628, MH01644, and MH01659. /Package information / Package name Size Checksum (sha1sum) APAR# PTF# MH01666.iso 2132027392 dd4334ffe42661686923ec9f0f09b616e65c3325 MB04054 MH01666 Splash Panel information (or lshmc -V output) * *"version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20161102.1 MH01666: security updates (11-15-2016) ","base_version=V7R7.9.0 " Known Issues * A vterm console window cannot be opened by the GUI on the local HMC console. You can use the mkvterm or vtmenu command on the local HMC console or use the GUI remotely to open a vterm. A fix is planned for a future PTF. * After applying Service pack 3, discard any older backups and take a new backup. When taking a backup, specify the current fix level (lshmc -V output) in the backup description field to help identify the fix level the backup was taken from. Before restoring a backup, apply the same fix level (service pack and iFix) that the backup was taken on. If this is not followed the restore may produce unpredictable results. List of fixes *Security Fixes* * Fixed multiple OpenSSL vulnerabilities: CVE-2016-2180, CVE-2016-2182, and CVE-2016-6306 * TLS1.0 is re-enabled on port 443. **General Fixes* * * Added DST timezone changes for Turkey, leap second to 31 Dec 2016. * Changed the HMC install process to report the error SRC E3558801 when the installation of a service pack or iFix fails due to a rare RPM installation failure. Prior to this fix, the service pack or iFix installation appeared to finish successfully. * Fixed an issue causing ASM for POWER5 servers to launch a blank white screen and eventually a "Connection timed out". This only occurred if PTF MH01635 was not installed prior to MH01644 or MH01659. * Fixed a problem preventing users from being able to log in on the local HMC console, where after the Welcome page loads on the local console, clicking "Log on and Launch" results in the following error: /Problem loading page// //An error occurred during a connection to 127.0.0.1.// // //Cannot communicate securely with peer: no common encryption algorithm(s).// //(Error code: ssl_error_no_cypher_overlap) / This problem only occurs on HMCs that have PTF MH01659 installed. The fix is the reenablement of TLS1.0 on port 443. *Previously released fixes also included in this PTF: * * MH01659* 10/21/16 * Fixed IBM Websphere Application Server (WAS) vulnerabilities: CVE-2016-0378 and CVE-2016-5986. * Fixed Apache Tomcat vulnerability: CVE-2016-3092. * Fixed PAM vulnerabilities: CVE-2015-3238 and CVE-2013-7041. * Fixed DHCP vulnerabilities: CVE-2015-8605 and CVE-2016-2774. * Fixed Perl vulnerability: CVE-2016-1238. * Disabled TLS 1.0 for HMC ports 443, 9920 and 9960. * Fixed a problem causing the lshmcencr command to show no results when listing the current SSH encryption ciphers if the user has not modified the default list of SSH encryption ciphers. This problem only occurs after PTF MH01644 is installed. * Fixed a problem where some GUI views of system firmware levels such as the Updates, System Code Levels table incorrectly show a deferred level of none (or blank) when a deferred level exists. * Fixed a rare problem that caused a server to return to the Save Area Version Mismatch state immediately after the partition data for the server was successfully recovered. * Enhanced error handling to prevent a rare situation that can cause the HMC to hang or return unpredictable results due to a system wide "too many open files" issue. * Fixed rare issue where numerous managed system change events occurring in rapid succession could cause a system wide HMC performance issue or hang. * Prevent the generation and call home of SRC E3550925. This SRC is generated when creating a Kerberos user and no remote user ID is specified or the remote user ID specified is not valid. * MH01644* 08/16/16 * Using the lshmcencr command enhancements to list the current SSH encryptions will initially show no results (l*shmcencr -c ssh -t c*). This indicates the default list of all the supported SSH ciphers is currently configured. Once a user modifies the defaults using the *chhmcencr -c ssh* command, the list command will correctly return the active ciphers. * This PTF has been rebuilt to resolve an issue that can cause one or more managed servers to go to an "incomplete" state. The impacted PTF has a build date of 08-16-2016. Users that have already applied the 08-16 build of MH01666 should download the new build and re-apply the PTF, even if they are currently not encountering any symptoms. Impacted build: "version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20160816.1 MH01666: security updates (08-16-2016) ","base_version=V7R7.9.0 " * Enhanced the chhmcencr and lshmcencr commands to support user configuration of the encryption ciphers and Message Authentication Code (MAC) algorithms used by the HMC Secure Shell (SSH) interface. * Fixed Apache Tomcat Vulnerability: CVE-2016-3092. * Fixed multiple NTP vulnerabilities: CVE-2015-7703, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518. * Fixed multiple OpenSSH vulnerabilities: CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and CVE-2016-1908. * Fixed IBM Websphere Application Server (WAS) vulnerability: CVE-2016-2923. * Updated the expiration date for the vterm applet. The current certificate expires August 25th 2016. * Fixed an issue where, after successfully applying a concurrent server firmware update, the HMC Change Licensed Internal Code panel could show an incorrect pending deferred firmware level. The problem does not impact the GUI view levels task or lslic command. This issue is only exposed by a rare type of concurrent server firmware update which has never been released in the field but could occur in the future. * Fixed an issue where HMC backups to a remote server may fail with /rc=26 permission denied/ when the remote user has write access to the target. The problem only occurs when a previous backup was done and the remote user does not have the permissions to overwrite an existing RemoteAccessFile.Test file. * Fixed a problem where HMC to HMC communication intermittently fails resulting in serviceable event B3036620. Other symptoms include failure to negotiate a primary HMC for problem analysis which can result in failure to report a server serviceable event or calling home the same event twice. Repeated occurrences of the B3036620 without a HMC reboot can eventually lead to a hang of the HMC where users are unable to login via the GUI or run commands via ssh. * No longer initialize the OS version the HMC shows for VIOS partitions with the underlying OS kernel version information. This practice sometimes caused the OS version shown for VIOS partitions to be the base AIX version, or to be the VIOS OS version appended with the AIX OS version distribution number. After this fix, if the HMC is unable to query the OS version information from the VIOS, the OS version shown will be blank. * Changed the backup critical console data function to no longer fail when the backup of performance monitoring data fails. With this fix, a warning is reported if the performance monitoring data is not successfully backed up and the backup function continues. Prior to this fix, the backup function failed with the wrong error. * Fixed a rare timing issue where attempting to view properties on a powered off server can cause the HMC to lose connection to all managed servers until the next HMC reboot. SRC E23D040A may be reported due to the core dump of the hdwr_svr process. * Fixed a problem where, on the local HMC console session, the HMC Management > Open Restricted Shell Terminal GUI task is not displayed for any HMC user except hscroot. * Fixed an issue where a managed system may go into an Incomplete state after removing I/O hardware due to stale data in the hardware discovery cache causing an unhandled NullPointerException. * Fixed an issue that impacts partition profiles that contain SR-IOV logical ports and also contain virtual Ethernet adapters that use non-default vSwitches. After the first activation of the profile, any non-default vSwitches used by virtual Ethernet adapters in the profile will be changed to the default vSwitch. The user must edit all affected profiles to restore the original vSwitch names/ / * MH01635* 6/23/16 * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Removed support for all the Ciphers which are less than or equal to 1024 bits for port 443. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed Java vulnerability: CVE-2016-3426 * Fixed Power Hardware Management Console: CVE-2016-0230 * Fix gnutls security vulnerabilities: CVE-2015-2806 and CVE-2015-8313 * Fixed an issue with the "mu" key not working when using an IBM spacesaver keyboard with the Japanese keyboard layout. * Fixed an issue with pedbg failing to collect all the necessary data when the zip file exceeded 2GB. * Fixed an issue where the event log showed HSCL05E9 when activating new partitions. * Fixed a backup issue where PCM data was included even though the user did not select to include PCM data./ / * MH01628* 05/16/16 * Disabled DHE ciphers with private key less than or equal to 1024 bits. * Enhanced logging for serviceable event E212E122 logged against /dev./ / * MH01622* 04/22/16 * Fixed the following openssl security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed Vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed a security issue with HMC restricted shell. * Fixed a Repair & Verify issue on systems utilizing the 24 inch frame with a power subsystem where users can experience a failure of concurrent service maintenance activities on power components within the CEC enclosure, the Power Subsystem enclosure, and any installed I/O devices within the frame. Servers impacted include the POWER 575, 590, 595, 795: Models 9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB; 9406-595. Errors include: "/An internal error occurred when the management console // //attempted to validate the service network. Some or all of the // //required network resources may not be available. Contact your // //next level of support for problem determination/." and "/Redundancy status could not be determined for the FRU in // //location: // //U5791.001.XXXXXXX-Ex" (example) // // // //The FRU cannot be exchanged concurrently. The IO Drawer must be// //powered off and partitions may need to be shut down to continue// //the repair. /" ** * Fixed an issue where serviceable event E212E115 may be reported against rmcd during performance information transmission. * Fixed a rare deadlock issue that required a HMC reboot to recover. Symptoms include unable to login GUI remotely; CLI commands fail with "/command server failed/" errors; partition mobility failing with H/SCLA200 An unknown error occurred during the partition migration./ * MH01610* 03/15/16 * Fixed a Java security issue: CVE-2016-0448 * Fixed security vulnerabilities in glibc: CVE-2015-7547, CVE-2014-9761, CVE-2015-8776, CVE-2015-8777, and CVE-2015-8778 * Enabled all TLS protocols on vterm(9960), FCS(9920) and remote web access(12443) ports. * Fixed an issue during Remote Restart to prevent the lpars going into open firmware state on the target managed system because storage mappings/adapters were missing. The HMC will now report a valid error when an exception is hit and will display the correct Remote Restart status. * MH01605* 02/17/16 * Fixed multiple OpenSSH vulnerabilities involving the ssh client "Roaming" feature: CVE-2016-0777 and CVE-2016-0778 * Fixed multiple Vulnerabilities in NTP : CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871 * Fixed an issue where the managed servers go to an Incomplete state when the RMC interface has a blank (null) ipv4 or ipv6 value. * Fixed an issue where /var may fill up with core dumps when Pegasus server is enabled and in use by a remote client. * MH01597* 1/25/16 * Fixed multiple OpenSSL Vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794 * Fixed multiple Java Vulnerabilities: CVE-2015-4843, CVE-2015-4868, CVE-2015-4806, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4842, and CVE-2015-4803 * Fixed an issue where the HMC web server may intermittently deadlock. Symptoms include one or more of the following: unable to connect using a browser; browser error "Service Temporarily Unavailable"'; multiple serviceable events for E35A0016 and/or E35A0017; unable to restart due to / file system full from repeated diagnostic dumps. Back to top <#ibm-content> Installation Installation instructions for HMC Version 7 upgrades, updates and corrective service can be found at these locations: Installation methods for HMC Version 7 updates and fixes Upgrading or restoring HMC Version 7 Instructions and images for upgrading via a remote network install can be found here (for all HMC releases): HMC network installation images Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>