Hardware Management Console Readme For use with Version 8 Release 8.1.0 Service Pack 1 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01520 <#MH01520> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01520 This package includes fixes for HMC Version 8 Release 8.1.0 Service Pack 1. You can reference this package by APAR# MB03908 and PTF MH01520. This image must be installed on top of HMC Version 8 Release 8.1.0 SP1 (MH01420) with or without additional fixes. *NOTE:* This PTF is cumulative and supersedes MH01474, MH01465, MH01468, MH01481, MH01492, MH01494, MH01498 and MH01506. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# MH01520.iso 1256368128 72e7db08cfb3391295abca98e59f84cb24e46ead MB03908 MH01520 Splash Panel information (or lshmc -V output) "version= Version: 8 Release: 8.1.0 Service Pack: 1 HMC Build level 20150504.1 MH01520: Fix for various updates (05-07-2015) ","base_version=V8R8.1.0 " List of fixes *Security Fixes* This PTF includes fixes for the following security vulnerabilities: * Fixed multiple vulnerabilities in OpenSSL: CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787 * Fix for RC4 stream cipher “Bar Mitzvah” vulnerability: CVE-2015-2808 *General fixes* * RC4 based ciphers have been disabled. *Previously released fixes also included in this PTF: * * MH01506* 04/06/2015 *Security Fixes* * CVE-2015-0204, CVE-2015-0138 (Freak), * CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423, CVE-2013-1418, CVE-2013-6800, CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345 *General Fixes* * Fixed a problem where HMC was enabling weak ciphers that were not in the lshmcencr enabled cipher list. *MH01498* 03/17/2015 *Security Fixes* * Fixed multiple vulnerabilities in IBM Java SDK: CVE-2015-0410 and CVE-2014-6593 * NTP security fix for CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296 * MH01494* 02/10/15 *Enhancements* * This PTF disables SSLv3 protocol on HMC user interfaces. It uses only TLSv1.2 for HMC/FSP connections for server firmware levels that support TLSv1.2. After applying this PTF, remote access to the HMC (Browser, ASM, vterm, 5250 console) will require clients that support TLSv1.0 or TLSv1.2. *Security Fixes* * Fix for GNU C library (glibc) vulnerability that has been referred to as GHOST: CVE-2015-0235 * openssl security fixes for: CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2014-3569, CVE-2015-0205, CVE-2015-0206 *General fixes* * Fixed an issue where after an HMC upgrade, lshmcencr may list no active ciphers with weak ciphers enabled on the web GUI. * Fixed a problem where the GUI and lshmc -V output may not show PTF information correctly for all applied PTFs. * Fixed a problem where serviceable events E35A0017 and E35A0016 are reported. * Fixed a problem where intermittently, a POWER8 server with firmware EC level 01AF820 may go to a No Connection state with connection_error_code of 02FF-0003-008087E9 after a FSP restart. *Restrictions : * * Currently in legacy security mode of HMC, it supports only TLSv1.0 Protocol only, not TLSv1.1 nor TLSv1.2. When moved to NIST SP800-131a security mode, it supports only TLSv1.2. *MH01492* 01/23/15 * Fixed an issue where pressing F10 in the vterm console Java window hangs the HMC GUI. * MH01481* 12/17/14 *Enhancements* * This PTF disables SSLv3 on the HMC user interfaces. After applying this PTF, remote access to the HMC (Browser, ASM, GUI vterm, and pegasus) will require clients that support TLSv1.0 IBM i secure remote 5250 console will require TLSv1.1 or higher. The PTF also disables all ciphers except TLSv1.2 on HMC/FSP connections where the server firmware level supports it. * For HMCs set to security mode nist_sp800_131a, this PTF changes the HMC-Server FSP encryption mode to enforce TLS1.2. This implies that all POWER6 and POWER7 servers must be upgraded to a firmware level that supports TLS1.2 prior to apply of this PTF when using nist_sp800_131a security mode. *Security Fixes* * CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568, CVE-2014-6512, CVE-2014-3566, CVE-2014-6457, CVE-2014-6558 * Fixed a problem where the HMC local login’s browser session attempts to connect to external, non-IBM IP addresses. *General fixes* * Reduced the amount of memory used. This may correct “out of memory” errors such as serviceable event E355004C as well as /var full on some HMCs; particularly on HMCs with the minimum amount of memory. * Fixed a problem where the SRIOVLogicalPort configured on any Physical Port shows the location as associated with Physical Port T1 always. * Fixed a problem where activation of Partition Firmware (PFW) may fail during a concurrent server firmware update. * Fixed problem where HMC boot process can hang for hours during rotation of corrupted log file * Fixed a problem where creating or deploying a new partition as a user other than hscroot fails. Errors include HSCL350B on the HMC and “/Error creating instance: HTTP error for PUT /rest/api/uom/ManagedSystem/fbd55c40-4802-3d95-b165-b6111e47a3d2/LogicalParition: 500 (Internal Server Error)/” from PowerVC. * MH01468* 10/21/14 * Fixed an issue where restore critical console data from USB flash drive fails. * Fixed an issue where after applying Service Pack 1, some PowerVC and “enhanced” GUI tasks fail with the error "/3003c 2610-366 The action array contains an undefined action name at index 0: VioService./" *MH01465* 10/09/14 * Fix for Russian Time Zone changes *MH01474* 10/01/14 * Fix for the following bash security vulnerabilities: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 Back to top <#ibm-content> Installation Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations: Upgrading or restoring HMC Version 8 Installation methods for HMC Version 8 fixes Instructions and images for upgrading via a remote network install can be found here: HMC V8 network installation images and installation instructions Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>