Hardware Management Console Readme For use with Version 8 Release 8.4.0 Service Pack 1 Updated: 28 June 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01648 <#MH01648> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01648 This package includes fixes for HMC Version 8 Release 8.4.0 Service Pack 1. You can reference this package by APAR MB04033 and PTF MH01648. This image must be installed on top of HMC Version 8 Release 8.4.0 Service Pack 1 (PTF MH01576) with or without additional fixes. *Note*: This PTF supersedes PTF MH01626, MH01632, and MH01639. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# MH01648.iso 1550268416 752d4e96e14f46058f120a9a3a60bada2142c392 MB04033 MH01648 Splash Panel information (or lshmc -V output) "version= Version: 8 Release: 8.4.0 Service Pack: 1 HMC Build level 20160809.1 MH01648: Fix for HMC V8R8.4.0 SP1 (08-09-2016) ","base_version=V8R8.4.0 " Known Issues 1. *Special Install Instructions*: a. The enhanced GUI is not supported for install. Installing this PTF using the Enhanced+ interface may hang. b. Classic GUI install from USB requires Service Pack 0 fix level MH01588 or later. To install from USB at earlier levels use CLI updhmc command. See the updhmc "man" page (e.g. man updhmc) for further information and examples on using the command. To use the classic GUI install: 1. Log in again selecting the Log In option of "Classic". 2. If already logged in to the HMC using Enhanced GUI, log off the HMC. 3. Install using the normal installation instructions. 2. *If two HMCs manage the same server, both HMCs must be at V8R840 Service Pack 1 or later.* Service Pack 1 and later updates the managed server's partition configuration information to a new format. HMCs at earlier releases or fix levels will not be able to manage servers with the new format. If only one HMC is updated to V8R840 SP1 or later, the downlevel HMC will show the system in state of “Version Mismatch" with reference code "Save Area Version Mismatch" until it is updated. Command line changes * Enhanced the chhmcencr and lshmcencr commands to support user configuration of which encryption ciphers and Message Authentication Code (MAC) algorithms can be used by the HMC Secure Shell (SSH) interface. List of fixes *Security Fixes* * Fixed Apache Tomcat vulnerability: CVE-2016-3092 * Fixed multiple NTP vulnerabilities: CVE-2015-7703, CVE-2016-1547,CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518 * Fixed IBM Websphere Application Server (WAS) vulnerability: CVE-2016-2923 * Fixed multiple OpenSSH vulnerabilities: CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and CVE-2016-1908 *General Fixes* * Updated the expiration date for the vterm applet. The current certificate expires August 25th 2016. * Fixed an issue where, after successfully applying a concurrent server firmware update, the HMC Change Licensed Internal Code panel could show an incorrect pending deferred firmware level. The problem does not impact the GUI view levels task or lslic command. This issue is only exposed by a rare type of concurrent server firmware update which has never been released in the field but could occur in the future.. * Fixed an issue where HMC backups to a remote server may fail with /rc=26 permission denied/ when the remote user has write access to the target. The problem only occurs when a previous backup was done and the remote user does not have the permissions to overwrite an existing RemoteAccessFile.Test file * Fixed a problem causing the WLP server not to start after the HMC is rebooted, causing the REST API functions to not be available. This impacts the enhanced GUI login, PowerVC, PCM and any other function that utilizes the REST API on the HMC. This problem only occurs if the user runs the save upgrade data task and subsequently reboots the HMC without actually performing an HMC upgrade. This fix prevents the problem from occuring again and also repairs HMCs previously impacted. * Fixed an issue where after installing a PTF the security mode could not be changed due to an "Invalid Parameter" error from chhmc command. * Fixed an issue with the Wake-on-LAN feature with HMC model 7042-CR9. The fix requires the Wake-on-LAN feature to be disabled in the system settings for the Ethernet adapter that will be used to receive the wake on magic packet. *Previously released fixes also included in this PTF: * * MH01639* 06/23/16 * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed security scan vulnerability by enabling TLSv1.2 by default for HMC vterm port (9960) when HMC is in Legacy mode. * Fixed Java vulnerability: CVE-2016-3426. * Fixed an issue where a user was unable to connect to enhanced GUI in NIST mode because of the following cipher in cipher list: TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA * Fixed Power Hardware Management Console: CVE-2016-0230 * Fixed an issue where backing up the HMC included PCM data even though the user did not select to include PCM data. * Fixed an issue where the Console Window > Open Terminal Window task may fail with "/javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name/" in Java console output. * Fixed an issue where a newly added usb device did not get an entry in the /etc/fstab table impacting lshw calls. * Fixed an issue where the call home from the Manage Dumps panel was uploading incomplete data. * Disabled keyboard shortcut feature for all GUI panels. * Fixed an error seen after restoring a critical console data backup, error after login is "/Not Found. //The application or context root for this request has not been found:/rest/ui/static/RedirectCCFWLogon/". * Fixed a chatlet exception to prevent call home SRC E3550046. * Added a fix to check for potential X configuration failures and to subsequently reset display configs to defaults in order to avoid "/out of range/" failures. * Fixed an issue with the TF4 display which extended outside of the viewable pane. * Fixed an issue with dynamically removing adapters that may result in error "/Error Rendering Task Panel. //An unrecoverable error has occurred while rendering a task's graphical output. An attempt has been made to terminate the task. Any operation in progress may have been interrupted prematurely. An entry in the error log has been created so this problem can be reported automatically./" * Fixed an issue to prevent call home of SRCs E355104B and E355104D. * Fixed an issue with chhmc where adding a nameserver failed silently. * MH01632* 05/15/16 * Enhanced logging for serviceable event E212E122 logged against /dev. * Fixed an issue where the Console Window > Open Terminal Window task fails to open a vterm window when launched from the local HMC and the HMC does not have internet access. * Fixed an issue where call home of serviceable events could try to use the legacy (pre-V8R8.3.0) callhome servers if an error is returned contacting the new call home servers. * Fixed an issue where the Console Window > Open Terminal Window may fail with "/javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name/" in Java console output. * MH01626* 04/25/16 * Fixed the following OpenSSL security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan; CVE-2015-8023 * Fixed the following Httpd security vulnerabilities; CVE-2013-5704 CVE-2015-3183 * Fixed libssh2 security vulnerability: CVE-2016-0787 * Fixed NTP security vulnerabilities: CVE-2015-5300, CVE-2015-7704, CVE-2015-8138 * Fixed a problem where port 12443 may allow ciphers outside the list of current ciphers as defined by lshmcencr/chhmcencr. * Fixed a security issue with HMC restricted shell. * Fixed a performance issue where the Format media panel can take 30 seconds or more to list USB devices. * Fixed a rare issue where Serviceable Events E35A0017 and E35A0016 may be reported due to a deadlock related to HMC data replication services. * Fixed an issue where call home was attempting to establish a connection to the old (pre HMC V8R8.3.0) callhome servers even when not using legacy callhome. If the legacy callhome addresses were blocked by a firewall, call home may fail. * Fixed a problem where scheduled HMC backups configured for FTP failed with rc=23 if the remote FTP server did not also support SFTP. * Fixed an error obtaining credentials that resulted in call home SRC E3D4310A. Installation *Special Install Instructions*: a. The enhanced GUI is not supported for install. Installing this PTF using the Enhanced+ interface may hang. b. Classic GUI install from USB requires Service Pack 0 fix level MH01588 or later. To install from USB at earlier levels use CLI updhmc command. See the updhmc "man" page (e.g. man updhmc) for further information and examples on using the command. To use the classic GUI install: 1. Log in again selecting the Log In option of "Classic". 2. If already logged in to the HMC using Enhanced GUI, log off the HMC. 3. Install using the normal installation instructions. Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations: Upgrading or restoring HMC Version 8 Installation methods for HMC Version 8 fixes Instructions and images for upgrading via a remote network install can be found here: HMC V8 network installation images and installation instructions Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>