Hardware Management Console Readme For use withVersion 7 Release 7.9.0 Service Pack 2 Last updated: 16 Dec 2015 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01571 <#MH01571> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01571 This package includes fixes for HMC Version 7 Release 7.9.0 Service Pack 2. You can reference this package by APAR# MB03966 and PTF MH01571. This image must be installed on top of HMC Version 7 Release 7.9.0 Service Pack 2 (MH01451) with or without additional fixes. This PTF supersedes MH01505, MH01519, MH01537, MH01549, and MH01557. _*NOTE*_: This PTF was removed due to an impact to mkauthkeys command. If this PTF is applied, the mkauthkeys command will fail with: "/An internal error occurred in PISSHKeyGen.generateSSHKeys() while trying to perform this command. Retry the command. If the error persists, contact your software support representative./" If MH01571 is already applied, apply MH01579 or a later supersede to resolve the issue. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# MH01571.iso 1507620864 d8ca71250ca4b75e27cf8f59a44ca95510b1d6d5 MB03966 MH01571 Splash Panel information (or lshmc -V output) * *"version= Version: 7 Release: 7.9.0 Service Pack: 2 HMC Build level 20150929.1 MH01571: security updates (10-08-2015) ","base_version=V7R7.9.0 " Known Issues * After applying this PTF, the local restricted shell terminal task fails. The rshterm window does not open, no error is returned. This issue will be fixed in a future PTF. List of fixes *Security Fixes* * Fixed net-snmp vulnerability: CVE-2014-3565 * Fixed strongswan vulnerability: CVE-2015-4171 * Fixed glibc vulnerability: CVE-2014-8121 **General fixes* * * Fixed a problem where create system plan does not show the correct shared processor pool. * Fixed an issue that caused duplicate MAC addresses after the system went to Recovery and a Recover Partition Data -> Restore task was executed. * Fixed an issue in MH01557 where HMC tasks targeting a server or partitions on the server hang if there are one or more IBM i partitions on the sever with an active RMC connection. * Fixed an issue where incoming ssh connections may be slow or timeout due to name resolution (DNS) lookup delays. * Fixed an issue where the Power Enterprise Pool GUI hangs, specifically the Processor Resources and Memory Resources windows, on the non-master HMC, when the server is not connected to the master HMC. *Previously released fixes also included in this PTF: * * MH01549* 08/12/15 *Security Fixes* * Fixed multiple Java vulnerabilities: CVE-2015-4733, CVE-2015-4732, CVE-2015-2590, CVE-2015-4731, CVE-2015-4748, CVE-2015-2664, CVE-2015-2621, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, and CVE-2015-1931 * Fixed Kerberos vulnerabilities: CVE-2014-5353 and CVE-2014-5355 * Fixed multiple openssl vulnerability: CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, and CVE-2015-3216 * Fixed NTP vulnerabilities: CVE-2015-1799 and CVE-2015-3405 **General fixes* * * Fixed issue of bkconsdata over nfs to NFSv4 server fails. * Fixed issue of CEC going in recovery due to IOR lpar not defined in save area * MH01537* 07/14/15 **Known Issues: * * * The install may fail on HMCs that have a certificate signed with a weak signature algorithm. Users can verify the HMC Certificate Signature Algorithm and update the certificate if needed prior to installing this PTF. For further information and instructions on preventing or resolving the issue see: http://www.ibm.com/support/docview.wss?uid=nas8N1020801 * Beginning June 30, 2015, a new server is required for customers using Electronic Service Agent on the HMC to Call Home to IBM. Ensure any external firewall allows https connection to new server IP 129.42.50.224. For a list of all required IP addresses and ports see the whitepaper "/ESA for HMC Connectivity Security for IBM POWER6, POWER7 and POWER8 Processor-Based Systems and IBM Storage Systems DS8000/" available at: http://www-01.ibm.com/support/esa/security.htm *Security Fixes* * Fixed multiple Java vulnerabilities: CVE-2015-0480, CVE-2015-0486, CVE-2015-0488, CVE-2015-0478, CVE-2015-0477, CVE-2015-1916 * Fixed httpd and openssl "Logjam" vulnerability: CVE-2015-4000 * Fixed Multiple Heap Buffer Overflow, "Zero Day", Vulnerabilities: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141, CVE-2014-9636 * Fixed a potential security issue with viosvrcmd. *General fixes* * Updated the code signing certificate for the vterm applet. * Fixed an issue where the server will go to an incomplete state if a user creates a new virtual network with a name that conflicts with auto-generated network names. * MH01519* 05/07/2015 *Security Fixes* * Fixed multiple vulnerabilities in OpenSSL: CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787 * Fixed multiple vulnerabilities in Tomcat: o CVE-2014-0075, CVE-2014-0095, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119 o CVE-2014-0230 o CVE-2013-4444 o CVE-2014-0227 * Fixed multiple vulnerabilities in glibc: CVE-2013-7423, CVE-2014-7817, CVE-2014-9402, CVE-2015-1472 * Fix for RC4 stream cipher "Bar Mitzvah" vulnerability: CVE-2015-2808 Includes CVEs fixed earlier: * CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205, CVE-2015-0206 *General fixes * * Fixed an issue with Leap Second, where HMC could encounter a system hang or performance degradation after the leap second is added at the end of June 30th 2015. * RC4 based ciphers have been disabled. * MH01505* 04/06/2015 *Security Fixes* * CVE-2015-0204 (Freak) Includes CVEs fixed earlier: * CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205, CVE-2015-0206 *General fixes* * Fixed a problem where HMC was enabling weak ciphers that were not in the lshmcencr enabled cipher list. Back to top <#ibm-content> Installation Installation instructions for HMC Version 7 upgrades, updates and corrective service can be found at these locations: Installation methods for HMC Version 7 updates and fixes Upgrading or restoring HMC Version 7 Instructions and images for upgrading via a remote network install can be found here (for all HMC releases): HMC network installation images Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>