Hardware Management Console Readme

For use with Version 8 Release 8.5.0 Service Pack 3

Date: 22 March 2018

(C) Copyright International Business Machines Corp., 2017. All rights reserved.

The information in this Readme contains the fix list and other package information about the Hardware Management Console.

PTF MH01758

This package includes a fix for HMC V8 R8.5.0 or any subsequent service packs. You can also reference this package by PTF MH01758 and APAR MB04145. This image must be installed on top of HMC Version 8 Release 8.5.0 (PTF MH01616) with Service Pack 3 (PTF MH01689), with or without additional fixes.

*Note*: This PTF supersedes MH01721.

Package information

Package name: MH01758.iso
Size: 1444921344
Checksum (sha1sum): 8f133a9a4cc01ea8b8789f04dd65ee6f5cdd2f50
APAR#: MB04145
PTF#: MH01758

Splash Panel information (or lshmc -V output):

    "version= Version: 8
     Release: 8.5.0
     Service Pack: 3
    HMC Build level 20180223.1
    MH01758: Fix for HMC V8R8.5.0 SP3 (02-23-2018)
    ","base_version=V8R8.5.0
    "

List of fixes

*Security Fixes*

* Addressed an issue where the web server version is disclosed in the response message.
* Added X-XSS-Protection to the response header of all URIs on exposed ports to prevent cross-site scripting attacks.
* Addressed Common Vulnerabilities and Exposures issue numbers CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754. Note: For vHMC, mitigation may require additional hypervisor and firmware updates; customers should consult their hypervisor and x86 system vendors for information.
* Fixed a security issue in HMC logging.

*General fixes*

* Allow the HMC local console session to start after the certificate has expired.
* Fixed an issue where updating customer information for call home results in a scheduled operation producing SRC E3D46FFF due to errors when attempting to fetch call home related CEC credentials.
* Prevent the call home of SRC E212E306.
* Fixed high CPU usage by the IBM.LparCmdRM process resulting in call home SRC E212E151.
* Fixed an HMC performance issue with the PCM dashboard where closing the window without using the "close button" (i.e. by closing or terminating the browser window instead) leads to symptoms such as: multiple reports of E332FFFF, hang of CLI commands, slow HMC response and eventual hang requiring a reboot.

*Previously released fixes also included in this PTF:*

*MH01721* 12/27/17

* Fixed HTTPD vulnerabilities CVE-2017-9798, CVE-2017-12171, CVE-2017-9788, CVE-2017-7679, CVE-2017-3169 and CVE-2017-3167.
* Fixed NSS vulnerability CVE-2017-7805.
* Fixed OpenSSH vulnerabilities CVE-2016-6210, CVE-2016-6515, CVE-2016-10009 and CVE-2016-10011.
* Fixed OGNL Expression Injection vulnerability.
* Fixed cross frame scripting vulnerability.
* Allow the HMC local console session to start after the certificate has expired.
* Fixed an issue where updating customer information for call home results in a scheduled operation producing SRC E3D46FFF due to errors when attempting to fetch call home related CEC credentials.
* Prevent the call home of SRC E212E306.
* Fixed high CPU usage by the IBM.LparCmdRM process resulting in call home SRC E212E151.
* Fixed an HMC performance issue with the PCM dashboard where closing the window without using the "close button" (i.e. by closing or terminating the browser window instead) leads to symptoms such as: multiple reports of E332FFFF, hang of CLI commands, slow HMC response and eventual hang requiring a reboot.

Installation

Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations:

* Upgrading or restoring HMC Version 8
* Installation methods for HMC Version 8 fixes

Instructions and images for upgrading via a remote network install can be found here:

* HMC V8 network installation images and installation instructions
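
The size and SHA-1 listed under Package information can be checked on the download host before the image is installed; the script below is an added example and is not part of the IBM readme. The function name `verify_image`, its return codes and the `HMC_ISO` environment variable are names chosen here, and a POSIX shell with `sha1sum` is assumed.

```shell
#!/bin/sh
# Added example: check a downloaded HMC fix image against the values in
# the readme's "Package information" table. Assumes sha1sum is available.

# Values copied from the readme for PTF MH01758.
EXPECTED_NAME="MH01758.iso"
EXPECTED_SIZE="1444921344"
EXPECTED_SHA1="8f133a9a4cc01ea8b8789f04dd65ee6f5cdd2f50"

# verify_image FILE SIZE SHA1   (hypothetical helper, not an HMC command)
# Returns 0 on match, 1 if the file is missing or unreadable,
# 2 on size mismatch, 3 on SHA-1 mismatch.
verify_image() {
    file=$1
    want_size=$2
    # Published digests are sometimes upper case; compare in lower case.
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read: $file" >&2
        return 1
    fi

    # Size first: it is cheap and catches truncated transfers early.
    have_size=$(wc -c < "$file" | tr -d '[:space:]')
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch: got $have_size, expected $want_size" >&2
        return 2
    fi

    # sha1sum prints "<digest>  <name>"; keep only the digest field.
    have_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "sha1 mismatch: got $have_sha1, expected $want_sha1" >&2
        return 3
    fi

    echo "OK: $file matches the published size and SHA-1"
    return 0
}

# Runs only when HMC_ISO (a variable name assumed for this example)
# points at the downloaded image, e.g. HMC_ISO=./MH01758.iso sh verify.sh
if [ -n "${HMC_ISO:-}" ]; then
    verify_image "$HMC_ISO" "$EXPECTED_SIZE" "$EXPECTED_SHA1"
fi
```

A match confirms the file is the image the readme describes and was not truncated or corrupted in transfer. The readme publishes no signature, so the check does not establish anything beyond agreement with the readme's own values.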