Hardware Management Console Readme For use withVersion 7 Release 7.9.0 Service Pack 3 Last updated: 13 July 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01635 <#MH01635> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01635 This package includes fixes for HMC Version 7 Release 7.9.0 Service Pack 3. You can reference this package by APAR MB04022 and PTF MH01635. This image must be installed on top of HMC Version 7 Release 7.9.0 Service Pack 3 (MH01546) with or without additional PTFs installed. Note: This PTF supersedes MH01597, MH01605, MH01610, MH01622, and MH01628. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# MH01635.iso 2056886272 ed8ba7beb77707ef1f29c4ed357f5f69b967b32f MB04022 MH01635 Splash Panel information (or lshmc -V output) * *"version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20160612.1 MH01622: security updates (04-16-2016) MH01628: security updates (05-09-2016) MH01635: security updates (06-12-2016) ","base_version=V7R7.9.0 " Command line changes This PTF adds a new option to the chhmc command to allow an admin to set a grub password at bootup. To resolve this security vulnerability, users apply the PTF (with mandatory reboot) then set a password. Syntax: *chhmc -c grubpasswd* *-s* {*enable *|*disable *|*modify*} [*--passwd* _password_] * To enable and set the password *chhmc -c grubpasswd -s enable --passwd *_password_ * To disable the grub password c*hhmc -c grubpasswd -s disable* * To modify the grub password *c**hmc -c grubpasswd -s modify --passwd *_password_ List of fixes *Security Fixes* * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Removed support for all the Ciphers which are less than or equal to 1024 bits for port 443. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed Java vulnerability: CVE-2016-3426 * Fixed Power Hardware Management Console: CVE-2016-0230 * Fix gnutls security vulnerabilities: CVE-2015-2806 and CVE-2015-8313. **General Fixes* * * Fixed an issue with the "mu" key not working when using an IBM spacesaver keyboard with the Japanese keyboard layout. * Fixed an issue with pedbg failing to collect all the necessary data when the zip file exceeded 2GB. * Fixed an issue where the event log showed HSCL05E9 when activating new partitions. * Fixed a backup issue where PCM data was included even though the user did not select to include PCM data./ / *Previously released fixes also included in this PTF: * * MH01628* 05/16/16 * Disabled DHE ciphers with private key less than or equal to 1024 bits. * Enhanced logging for serviceable event E212E122 logged against /dev./ / * MH01622* 04/22/16 * Fixed the following openssl security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed Vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed a security issue with HMC restricted shell. * Fixed a Repair & Verify issue on systems utilizing the 24 inch frame with a power subsystem where users can experience a failure of concurrent service maintenance activities on power components within the CEC enclosure, the Power Subsystem enclosure, and any installed I/O devices within the frame. Servers impacted include the POWER 575, 590, 595, 795: Models 9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB; 9406-595. Errors include: "/An internal error occurred when the management console // //attempted to validate the service network. Some or all of the // //required network resources may not be available. Contact your // //next level of support for problem determination/." and "/Redundancy status could not be determined for the FRU in // //location: // //U5791.001.XXXXXXX-Ex" (example) // // // //The FRU cannot be exchanged concurrently. The IO Drawer must be// //powered off and partitions may need to be shut down to continue// //the repair. /" ** * Fixed an issue where serviceable event E212E115 may be reported against rmcd during performance information transmission. * Fixed a rare deadlock issue that required a HMC reboot to recover. Symptoms include unable to login GUI remotely; CLI commands fail with "/command server failed/" errors; partition mobility failing with H/SCLA200 An unknown error occurred during the partition migration./ * MH01610* 03/15/16 * Fixed a Java security issue: CVE-2016-0448 * Fixed security vulnerabilities in glibc: CVE-2015-7547, CVE-2014-9761, CVE-2015-8776, CVE-2015-8777, CVE-2015-8778 and CVE-2015-8779 * Enabled all TLS protocols on vterm(9960), FCS(9920) and remote web access(12443) ports. * Fixed an issue during Remote Restart to prevent the lpars going into open firmware state on the target managed system because storage mappings/adapters were missing. The HMC will now report a valid error when an exception is hit and will display the correct Remote Restart status. * MH01605* 02/17/16 * Fixed multiple OpenSSH vulnerabilities involving the ssh client "Roaming" feature: CVE-2016-0777 and CVE-2016-0778 * Fixed multiple Vulnerabilities in NTP : CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871 * Fixed an issue where the managed servers go to an Incomplete state when the RMC interface has a blank (null) ipv4 or ipv6 value. * Fixed an issue where /var may fill up with core dumps when Pegasus server is enabled and in use by a remote client. * MH01597* 1/25/16 * Fixed multiple OpenSSL Vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794 * Fixed multiple Java Vulnerabilities: CVE-2015-4843, CVE-2015-4868, CVE-2015-4806, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4842, and CVE-2015-4803 * Fixed an issue where the HMC web server may intermittently deadlock. Symptoms include one or more of the following: unable to connect using a browser; browser error "Service Temporarily Unavailable"'; multiple serviceable events for E35A0016 and/or E35A0017; unable to restart due to / file system full from repeated diagnostic dumps. Back to top <#ibm-content> Installation Installation instructions for HMC Version 7 upgrades, updates and corrective service can be found at these locations: Installation methods for HMC Version 7 updates and fixes Upgrading or restoring HMC Version 7 Instructions and images for upgrading via a remote network install can be found here (for all HMC releases): HMC network installation images Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>