FIRMWARE CHANGE HISTORY
-----------------------

IBM RackSwitch G8124 Version 7.9.23.0 (Released October 2018)

** Changes since the 7.9.22.0 release **

Enhancements:
none

Changes:
none

Fixes:
- A crash could occur when the switch was scanned for vulnerabilities by the Rapid7 security tool or a Nessus scan, or when the CLI commands "no ssh enable" or "no access netconf ssh enable" were executed after the scan. (133904/138760)
- Fixed a vulnerability in the TLS protocol as reported in the CVE Advisory CVE-2014-8730. (80866)
- The switch no longer supports the Diffie-Hellman key exchange algorithm in strict security mode. (143643)
- Enhanced the BBI session default user password reset framework. (135949/135951)

================================================================================

IBM RackSwitch G8124 Version 7.9.22.0 (Released June 2018)

** Changes since the 7.9.21.0 release **

Enhancements:
none

Changes:
none

Fixes:
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2016-5131, CVE-2017-15412, CVE-2017-16932 and CVE-2017-5130. (124059)

================================================================================

IBM RackSwitch G8124 Version 7.9.21.0 (Released November 2017)

** Changes since the 7.9.20.0 release **

Enhancements:
none

Changes:
none

Fixes:
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2017-8872, CVE-2017-9049 and CVE-2017-9050. (104768)
- Addressed an issue in the login credential mechanism. (107614)
- Support for the weak ciphers TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA has been removed. (109956/111620)
- Fixed a TCP vulnerability as reported in the CVE Advisory CVE-2017-6214. (113078)
- Addressed an issue with non-configured community strings. (115054)
- The switch's browser based interface (BBI) was susceptible to the security vulnerabilities cross-site scripting (XSS) and stored cross-site scripting, as reported by the IBM security tool AppScan. (116507)
- The switch would crash when the command "show mp thread" was executed before any syslogs had been logged by the switch, or when logging was completely disabled on the switch. (117304)

================================================================================

IBM RackSwitch G8124 Version 7.9.20.0 (Released May 2017)

** Changes since the 7.9.19.0 release **

Enhancements:
none

Changes:
- Support for TLS versions 1.1 and 1.0 has been deprecated. TLS version 1.2 is now supported by default. (PSIRT ALIRT 10820) (72679)

Fixes:
- The MTU value for a port in the output of the "show lldp info" command was incorrectly reported as 1522 instead of 9216. (73928)
- The switch's browser based interface (BBI) was reported to be missing the "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection" headers in the HTTP response when scanned by the web security tool IBM AppScan. (68381/75827)
- In a multicast environment, a switch acting simultaneously as a "Last Hop Router" (LHR) and an "Intermediate Router" (IR) could become unable to send traffic to LHR clients for a specific group. This happened when the switch had already received IR PIM joins for the same group, started forwarding traffic towards the IR clients, and then received LHR IGMP joins for that group. (78192)
- A crash would occur when the switch was scanned by the web security tool IBM AppScan while running the Recorded Login option. (90107)
- HTTP requests sent by LXCA with a "/" URL were erroneously rejected, causing the switch's GUI to fail to launch in LXCA. (92267)
- Fixed zlib vulnerabilities as reported in the CVE Advisories CVE-2016-9840, CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843. (86800)
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2016-4658 and CVE-2016-9318. (86808)
- A switch, upon receiving a rogue OSPF LSA containing its own router ID with the maximum sequence number (0x7fffffff), would incorrectly respond with a fight-back LSA based on its own database, as opposed to the rogue's LSA database. (92346)

================================================================================

IBM RackSwitch G8124 Version 7.9.19.0 (Released January 2017)

** Changes since the 7.9.18.0 release **

Enhancements:
none

Changes:
none

Fixes:
- The switch's browser based interface (BBI) was reported to be susceptible to the security vulnerability CSRF (cross-site request forgery) when scanned by the web security tool IBM AppScan. (68381)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2016-2183 (SWEET32) and CVE-2016-6329. The ciphers DES, 3DES and Blowfish are no longer supported. (66395)

================================================================================

IBM RackSwitch G8124 Version 7.9.18.0 (Released September 2016)

** Changes since the 7.9.17.0 release **

Enhancements:
none

Changes:
none

Fixes:
- The switch could crash when processing SSL traffic received on the management interface. (50705)
- The password for TACACS users could not be changed from the switch using the "primary-password" command when the "tacacs-server password-change" feature was enabled. (63530)
- Fixed an OpenSSL vulnerability as reported in the CVE Advisory CVE-2016-2108 (ALIRT LEN-7502). (55174)
- Fixed security vulnerabilities as reported in the CVE Advisories CVE-2016-3705, CVE-2016-3627, CVE-2015-8806, CVE-2016-4447, CVE-2016-4449 and CVE-2016-4448 (libxml2). (57176, 55781, 58942, 58943)

================================================================================

IBM RackSwitch G8124 Version 7.9.17.0 (Released June 2016)

** Changes since the 7.9.16.0 release **

Enhancements:
none

Changes:
none

Fixes:
- Fixed a security vulnerability as reported in the CVE Advisory CVE-2015-8710 (libxml2). (49214)
- The switch's browser based interface (BBI) was susceptible to the security vulnerabilities XSS (stored cross-site scripting) and CSRF (cross-site request forgery). The web security policy mechanism HSTS (HTTP Strict Transport Security) has been implemented on the BBI. (49409, 49427, 49471)
- The switch's browser based interface (BBI) would fail to honor the "cache-control=no-cache" directive and still cache the pages. The value of the "cache-control" directive has been changed from "no-cache" to "no-store". (49475)
- The switch could crash when enabling the HTTPS protocol while it was trying to connect to the VSI Manager. (50435)

================================================================================

IBM RackSwitch G8124 Version 7.9.16.0 (Released February 2016)

** Changes since the 7.9.15.0 release **

Enhancements:
none

Changes:
- The output of "show tech-support" now includes the isCLI commands as headers before their respective output. (38125)

Fixes:
- Using Cisco ACS version 5.3 and above to authenticate users with the TACACS protocol could cause the User Interface threads (SSHD, AGR, TNET, CONS) to be suspended forever, thereby denying any further authentication with the TACACS protocol. (LV307694/7383)
- Fixed an OpenSSL vulnerability as reported in the CVE Advisory CVE-2015-7575 (SLOTH). (47856)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2015-3194 and CVE-2015-3195. (46801)

================================================================================

IBM RackSwitch G8124 Version 7.9.15.0 (Released October 2015)

** Changes since the 7.9.14.0 release **

Enhancements:
none

Changes:
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent "/maint/uudmp" in the IBMNOS-CLI menu have been deprecated. The reference to these commands has been removed from the help tip that is displayed upon user login when a flash dump exists on the switch. (XB282980)

Fixes:
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2015-1788 (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792 (do_free_upto). (39415)

================================================================================

IBM RackSwitch G8124 Version 7.9.14.0 (Released July 2015)

** Changes since the 7.9.13.0 release **

Enhancements:
none

Changes:
- Additional debugs have been added to get more information about system queues and threads under maintenance mode. The output of "show mp thread" now includes information about the last command processed by each STEM thread. (LV311825)

Fixes:
- A vLAG failover caused by the primary switch being reloaded could incorrectly cause the secondary switch to error-disable its vLAG ports. This could happen when the health check interface port number was higher than that of the ISL interface port number. (LV308603)
- High CPU utilization could occur during topology changes when running the MSTP protocol in a multi-tier vLAG setup. (LV310542)
- The switch could hang after deleting an IP interface that was associated with OSPF. (LV311901)
- An SNMP MIB walk on both peers of a vLAG domain could result in a flap of the VRRP protocol. (XB251897/XB253845)
- Fixed a glibc vulnerability as reported in the CVE Advisory CVE-2013-7424 (getaddrinfo()).
- Fixed an OpenSSL vulnerability as reported in the CVE Advisory CVE-2015-0286 (ASN1_TYPE_cmp).

================================================================================

IBM RackSwitch G8124 Version 7.9.13.0 (Released April 2015)

** Changes since the 7.9.11.0 release **

Enhancements:
none

Fixes:
- FCoE sessions could flap due to high CPU utilization caused by the software flooding of Clear Virtual Links packets with an unknown destination MAC in the FCoE VLAN. (LV296464)
- All packets received with a certain MAC address were flooded after an IGMP Join/Leave with that same MAC address as source MAC was received on the stack member. (XB271036)
- A crash would occur when uploading a configuration to the switch if the configuration file had been edited to remove the leading Tab from the commands under the "vlan dot1q" menu. (LV299681)
- Syslog messages would be lost after a reboot when the facility was set to an odd number using "logging host <1/2> facility". (LV299860)
- The switch could fail to install an ARP entry for the static route or gateway, leading to ARP packets being flooded in the network. (LV301211)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2014-3572, CVE-2015-0204, CVE-2014-8275, CVE-2014-3570, CVE-2015-2808 (Bar Mitzvah), CVE-2014-3505, CVE-2014-3506 (OpenSSL), CVE-2014-3507 (same as 3506, d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb), CVE-2014-3508 (OpenSSL), CVE-2014-3509 (race condition in t1_lib.c), CVE-2014-3510 (OpenSSL) and CVE-2014-3511 (OpenSSL). (LV304231, LV308279, XB293143)
- Fixed security vulnerabilities as reported in the CVE Advisories CVE-2014-0191 (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2), CVE-2013-2566 (RC4 algorithm, TLS protocol) and CVE-2015-0235 (GHOST/glibc).

Changes:
- In a vLAG setup with VRRP, ICMP replies now use the physical switch's MAC as source MAC, as opposed to the VRRP MAC. (XB292827)
- Extended the command "[no] snmp-server link-trap port enable" to enable/disable link traps for multiple interfaces. (LV302420)

===============================================================================

IBM RackSwitch G8124 Version 7.9.11.0 (Released October 2014)

** Changes since the 7.9.10.0 release **

Enhancements:
None

Changes:
- A security vulnerability existed in the OpenSSL protocol that is used in IBM System Networking Ethernet Switches. (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510)

Fixes:
None

Special software update issues:
- When upgrading from a software release prior to 6.8.18.11, please upgrade to 6.8.18.11 first and then upgrade to the desired release.

===============================================================================

IBM RackSwitch G8124 Version 7.9.10.0 (Released July 2014)

** Changes since the 7.9.1.0 release **

Enhancements:
None

Changes:
- Internal debug usernames have been removed from the firmware to prevent potential backdoor access. (XB282666)

Fixes:
None

================================================================================

IBM RackSwitch G8124 Version 7.9.1.0 (Released June 2014)
----------------------------------------------------------

LACP Individual Mode
--------------------
When this feature is enabled on an LACP port-channel, a member port of the port-channel that does not receive any LACPDU over a period of time is treated as a normal port, which may forward data traffic according to its STP state.

VLAG-MSTP Enhancement
---------------------
This enhancement removes STP configuration restrictions, such as changing the MSTP instance and VLAN associations, that were enforced in previous releases when vLAG and MSTP are both enabled. The vLAG interswitch link ports are no longer error-disabled when there is an MSTP region mismatch between the vLAG switches; instead, a recurring warning message is generated for the duration of the configuration mismatch.

STP Range enhancement
---------------------
This feature is an enhancement to the existing STP commands to support configuration of a range of STP groups at a time.

Decoupling active VLANs from MSTP configuration
-----------------------------------------------
This feature decouples the VLAN configuration from the MSTP configuration and simplifies the MSTP configuration menu. As a result, specifying a mapping between VLANs and an MSTI does not create any VLANs, and the participation of the VLANs in MSTP does not depend on the VLANs having been created.

IBM-NOS CLI removal
-------------------
The IBM-NOS CLI is no longer supported as of this release. All switches boot up with the ISCLI. An existing NOS CLI configuration can still be recognized and correctly converted, providing a smooth migration for customers who have a NOS CLI configuration.

IPv6 Counter enhancement
------------------------
This release adds CLI commands and corresponding SNMP MIB objects for IPv6 counters. The feature provides support for IPv6 neighbor cache table statistics such as:
- Current number of installed entries
- Maximum number of entries supported by the router
- High water mark of the IPv6 neighbor cache table
- Clear statistics

BGP Community Lite
------------------
This feature provides support for BGP community strings to be advertised in updates to neighbors. The switch can be configured to attach a community string to the route updates it sends to peers. In this release, the IBM switch does not make any routing changes or alterations to the community string when receiving updates with a community string attached.

Display BGP Routes
------------------
This feature provides an option to display the BGP routes that have been advertised to a specific neighbor.

Host-Resources MIB (RFC1514)
----------------------------
The Host Resources MIB (RFC 2790) defines objects which are common across many computer system architectures.

SNMP ACL
--------
This feature is an enhancement to add access control for SNMP requests.

SNMP Trap Host
--------------
This feature implements the SNMP interface for getting and setting the SNMP host configuration for traps.

ESN to SNMP
-----------
This feature enables SNMP access to the Electronic Serial Number of the switch.

Compliance to NIST-800 131A
---------------------------
This release enables compliance to NIST SP800-131a.
PSIRT - SSL Vulnerability [CVE-2011-3389]
-----------------------------------------
This release addresses the SSL vulnerability described in CVE-2011-3389. It allows the customer to configure the switch to explicitly restrict negotiated versions to a "minimum version" of SSL, forcing the switch to ensure that only "safe" versions are negotiated.

Security vulnerability: Remove switch type from login display
-------------------------------------------------------------
Removed the switch type prompt, since exposing it is a security vulnerability.

Secure FTP
----------
This release adds support for Secure FTP (sFTP).

Use SHA-256 as default
----------------------
Sets SHA-256 as the default and preferred hashing algorithm for all secured network operations where applicable. This includes TLS certificates and cipher suites with HMAC SHA-256 in TLS.

IPSec over Virtual links
------------------------
OSPFv3 over IPSec on Virtual Links is needed to complete NIST IPSec certification for OSPFv3 traffic. IPSec is needed to secure IPv6 traffic. The feature uses the IPv6 Authentication Header (AH) to provide authentication and the IPv6 Encapsulating Security Payload (ESP) to provide authentication and confidentiality for virtual link packets.

Password Fix-Up Mode
--------------------
Password Fix-Up Mode enables admin user account recovery if administrator access is lost. This release adds the option to disable the password fix-up functionality, letting the administrator of the switch decide whether Fix-Up mode should be enabled, to address security concerns.

IPv6 Health Check
-----------------
This release supports the use of an IPv6 address for the vLAG health check.

RMON Support (RFC1757, RFC2819)
-------------------------------
Remote network monitoring devices, often called monitors or probes, are instruments that exist for the purpose of managing a network. This release supports RMON for Ethernet statistics and Ethernet History as well as the Alarm and Event groups.
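The TLS minimum-version control described above, together with the BBI fixes recorded in the 7.9.17, 7.9.19, 7.9.20 and 7.9.21 entries (HSTS, Cache-Control no-store, the security response headers, the removed cipher suites and the deprecated TLS 1.0/1.1), amounts to a checklist an operator can verify after an upgrade. The following is an added example and not code from IBM or from this change history: it encodes those checks as functions over data already collected from a device, namely a captured HTTP response from the BBI and the cipher suites and protocol versions a scanner reports as negotiable. The two sample responses, the suite lists and the header thresholds are constructed for illustration.

```python
"""Offline posture check for a switch's browser-based interface (BBI).

Added example (not from the IBM change history or firmware). It encodes the
BBI hardening points recorded in the 7.9.x entries, security headers, HSTS,
Cache-Control no-store, removal of weak cipher suites and deprecation of
TLS 1.0/1.1, as checks over data an operator has already collected.
"""
from __future__ import annotations

# Cipher suites the 7.9.21 entry names as removed.
REMOVED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
# Families dropped for SWEET32 (DES, 3DES, Blowfish) and RC4 (CVE-2013-2566),
# plus NULL/EXPORT suites, matched as substrings of an IANA suite name.
WEAK_FAMILIES = ("_DES_", "3DES", "BLOWFISH", "RC4", "_NULL_", "EXPORT")
# Protocol versions deprecated by the 7.9.20 entry in favour of TLS 1.2.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_response_headers(raw: bytes) -> dict[str, str]:
    """Parse a raw HTTP response's header block into a lower-cased dict.

    Repeated headers are joined with ', '; the body is ignored and a
    malformed header line is skipped rather than aborting the check.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per missing or mis-set hardening header."""
    findings: list[str] = []
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy header missing")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection header missing")
    if "max-age=" not in headers.get("strict-transport-security", "").lower():
        findings.append("Strict-Transport-Security missing or without max-age")
    # 7.9.17 entry: browsers still cached 'no-cache' pages; 'no-store' is required.
    directives = [d.strip().lower() for d in headers.get("cache-control", "").split(",")]
    if "no-store" not in directives:
        findings.append("Cache-Control lacks 'no-store'")
    return findings


def weak_cipher_suites(offered: list[str]) -> list[str]:
    """Return the offered suites that the change history says must be absent."""
    weak = []
    for suite in offered:
        name = suite.upper()
        if name in REMOVED_SUITES or any(f in name for f in WEAK_FAMILIES):
            weak.append(suite)
    return weak


def deprecated_protocols(negotiable: list[str]) -> list[str]:
    """Return protocol versions still negotiable that should have been disabled."""
    return [v for v in negotiable if v in DEPRECATED_VERSIONS]


def assess(raw_response: bytes, offered: list[str], negotiable: list[str]) -> dict[str, list[str]]:
    """Combine all checks; three empty lists mean the BBI passes."""
    return {
        "headers": check_security_headers(parse_response_headers(raw_response)),
        "ciphers": weak_cipher_suites(offered),
        "protocols": deprecated_protocols(negotiable),
    }


# Constructed sample shaped like the pre-7.9.17 BBI behaviour ('no-cache' only).
LEGACY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n<html></html>"
)
# Constructed sample carrying every header the later fixes introduced.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-store\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    print(assess(LEGACY_RESPONSE, ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"], ["TLSv1", "TLSv1.2"]))
    print(assess(HARDENED_RESPONSE, ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"], ["TLSv1.2"]))
```

Against a live device the raw response would come from the operator's own HTTPS client and the suite and protocol lists from whichever scanner is already in use (the history mentions AppScan, Nessus and Rapid7); the pass/fail logic does not change. Keeping the checks offline also makes them safe to run in a change window without touching the switch, which matters for a platform whose history includes crashes triggered by scanners.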
Layer 3 ARP Table full
----------------------
When the L3 ARP table is full, the switch generates a new trap message in addition to the existing syslog message.

Use SSH public keys for up to 20 local switch users/admins
-----------------------------------------------------------
This feature allows users to log in to the switch via SSH using public key authentication instead of password authentication. When SSH is enabled, the switch supports both password and public key authentication. The switch supports up to 20 SSH public key users.

================================================================================

IBM RackSwitch G8124 Version 7.7.5.0 (Released August 2013)

** Changes since the 7.7.3.0 release **

Enhancements:
None

Changes:
- SNMP ports that are not able to converge with peer ports now result in a link-down state. This occurs when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBMNOS products using LACP ports, it is recommended to install complementary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior.

Fixes:
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649)
- User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484)
- A prolonged period of high CPU utilization could lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the breakdown of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network and the inevitable network loop. (70887)
- The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP walks being stuck indefinitely at that point. (71785)
- Disabling LACP (from the peer device) on a member port of an LACP trunk that also had STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port was in the BLOCKING state (as designed). (71805, 71822)
- Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also had STP disabled would result in the port errantly going into the FORWARDING state. (71841)
- With STP in PVRST mode and a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844)
- A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source IP address 0.0.0.0. (71749)
- Attempting to set the port speed via the CMM would fail. (XB171317)
- If the CMMs had "Failover on Physical Network Link" enabled (default) and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285)
- An IP address could not simultaneously be configured as a global DHCP server address and a broadcast-domain DHCP server address. (XB172381)
- A crash would occur while handling an SNMP Get request for the object that contains UFP information pertaining to the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919)
- A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets. (XB199890)
- NTPv3 authentication information was being added to outgoing NTP client requests even when authentication was disabled on the switch. As a consequence, NTP servers that do not support authentication would discard the requests (i.e., not respond to the client requests). (XB204541)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated during the transaction. (XB205895)
- If the switch's hostname was used to access the switch via the BBI (i.e., relying on DNS instead of entering the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876)

===========================================================================

IBM RackSwitch G8124E 7.7.3.0 (Released June 2013)
--------------------------------------------------

Enhancements:

LACP Suspend Port
-----------------
This feature provides the capability to allocate an assigned trunk to LACP ports by LACP key, which avoids a potential traffic loop caused by mis-connection or configuration error.

FCoE with LAG support in standalone mode solution
-------------------------------------------------
A Link Aggregation Group (LAG), also known as a trunk, allows multiple ports on a switch to be combined into a single link. To support the increasing demand for higher bandwidth to the uplink FCF in an FCoE environment, LAG support has been added to the FCoE solution in this release.

Duplicate IP Detection
----------------------
The switch uses a simple mechanism to detect whether two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address.

Hotlinks + STP
--------------
In prior releases, STP needed to be disabled globally when the Hotlinks feature was configured. This feature removes that limitation.
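The mechanism described under Duplicate IP Detection above, as an added example that is not part of the original release notes or of the switch firmware: it builds the gratuitous ARP request (sender and target protocol address both equal to the local address), decodes a frame that comes back, and reports any station whose sender hardware address differs from the local one while claiming the local IPv4 address. The MAC and IP addresses are constructed sample values, and the syslog wording is an assumption rather than the switch's actual message text.

```python
"""Duplicate IPv4 address detection with a gratuitous ARP probe.

Added example, not the switch's own code. It implements the mechanism the
7.7.3.0 notes describe: send a gratuitous ARP request for our own address
and, if another station answers, log the offending IP and MAC. Frames are
built and parsed with struct so the logic runs offline; all addresses used
here are constructed sample values.
"""
from __future__ import annotations

import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
# Ethernet header (dst, src, ethertype) followed by the fixed-size ARP body
# for IPv4 over Ethernet: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa.
ARP_STRUCT = struct.Struct("!6s6sH HHBBH6s4s6s4s")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, dst_mac: str) -> bytes:
    """Return a complete Ethernet frame carrying one ARP packet."""
    return ARP_STRUCT.pack(
        mac_bytes(dst_mac), mac_bytes(sender_mac), ETH_P_ARP,
        1, 0x0800, 6, 4, oper,
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )


def gratuitous_probe(own_mac: str, own_ip: str) -> bytes:
    """Gratuitous ARP request: sender and target IP are both our own address."""
    return build_arp(ARP_REQUEST, own_mac, own_ip, ZERO_MAC, own_ip, BROADCAST_MAC)


def parse_arp(frame: bytes) -> dict | None:
    """Decode an Ethernet/ARP frame; None for anything that is not IPv4 ARP."""
    if len(frame) < ARP_STRUCT.size:
        return None
    (_dst, _src, ethertype, htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = ARP_STRUCT.unpack_from(frame)
    if ethertype != ETH_P_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def detect_conflict(own_mac: str, own_ip: str, frame: bytes) -> tuple[str, str] | None:
    """Return (ip, mac) of a station claiming our address, or None.

    Replies to the probe and unsolicited requests both count: any ARP whose
    sender protocol address equals ours but whose sender hardware address
    differs reveals a duplicate. Our own probe echoed back is not a conflict.
    """
    arp = parse_arp(frame)
    if arp is None or arp["sender_ip"] != own_ip:
        return None
    if arp["sender_mac"].lower() == own_mac.lower():
        return None
    return arp["sender_ip"], arp["sender_mac"]


def syslog_line(conflict: tuple[str, str]) -> str:
    """Format the event for a syslog consumer (wording is an assumption)."""
    ip, mac = conflict
    return f"duplicate IP address {ip} detected: also in use by {mac}"


if __name__ == "__main__":
    own_mac, own_ip = "02:00:00:aa:bb:01", "192.0.2.10"  # constructed sample values
    probe = gratuitous_probe(own_mac, own_ip)
    # Constructed reply from another station that is using the same address.
    reply = build_arp(ARP_REPLY, "02:00:00:cc:dd:02", own_ip, own_mac, own_ip, own_mac)
    print(parse_arp(probe))
    print(syslog_line(detect_conflict(own_mac, own_ip, reply)))
```

Treating unsolicited requests the same as replies is deliberate: a second host that announces the address with its own gratuitous ARP reveals the conflict just as well as a reply to our probe, and a detector that only matched replies would miss it. The probe's target hardware address is left at zero, as is conventional for a request, and the frame is addressed to the broadcast MAC so every station on the segment sees it.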
BGP multipath relax
-------------------
This functionality allows load balancing across different autonomous system paths that have equal AS path length.

vLAG+PIM Dense Mode
-------------------
Enables the PIM protocol over the vLAG topology in dense mode for efficient multicast forwarding.