Hardware Management Console Readme For use withVersion 7 Release 7.9.0 Service Pack 3 Updated: 7 November 2016 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01659 <#MH01659> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01659 This package includes fixes for HMC Version 7 Release 7.9.0 Service Pack 3. You can reference this package by APAR MB04044 and PTF MH01659. This image must be installed on top of HMC Version 7 Release 7.9.0 Service Pack 3 (MH01546) *_with_* MH01635 installed. Note: This PTF supersedes MH01597, MH01605, MH01610, MH01622, MH01628, and MH01644. /Package information / Package name Size Checksum (sha1sum) APAR# PTF# MH01659.iso 2123960320 ce26d023a28f74aa509adf9bc071738a4b47090c MB04044 MH01659 Splash Panel information (or lshmc -V output) * *"version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20161004.2 MH01644: security updates (08-25-2016) MH01659: security updates (10-04-2016) ","base_version=V7R7.9.0 " Known Issues * After installing PTF MH01659 and the Welcome page loads on the local console, clicking "Log on and Launch" results in the following error: /Problem loading page// //An error occurred during a connection to 127.0.0.1.// // //Cannot communicate securely with peer: no common encryption algorithm(s).// //(Error code: ssl_error_no_cypher_overlap) / This defect also impacts the Power Enterprise Pool GUI when launched remotely. Ensure remote access is enabled and the HMC is accessible remotely for management prior to installing this PTF. A fix is planned for a future PTF. *Circumvention*: From the HMC home page, Log on by clicking on the "Serviceable Events" link rather than the "Log on and launch the Hardware Management Console web application" link. The "System Status" and "Attention LEDs" links can also be used. Note that the Power Enterprise Pools (PEP) task will not be available from the local console. CLI or remote GUI can be used to perform PEP tasks. * A vterm console window cannot be opened by the GUI on the local HMC console. You can use the mkvterm or vtmenu command on the local HMC console or use the GUI remotely to open a vterm. A fix is planned for a future PTF. * ASM for POWER5 servers will launch a blank white screen and eventually a "Connection timed out" error if PTF MH01635 is not installed prior to MH01644 or MH01659. The install order and supersedes lists have been updated to include PTF MH01635 prior to installing either MH01644 or MH01659. List of fixes *Security Fixes* * Fixed IBM Websphere Application Server (WAS) vulnerabilities: CVE-2016-0378 and CVE-2016-5986. * Fixed Apache Tomcat vulnerability: CVE-2016-3092. * Fixed PAM vulnerabilities: CVE-2015-3238 and CVE-2013-7041. * Fixed DHCP vulnerabilities: CVE-2015-8605 and CVE-2016-2774. * Fixed Perl vulnerability: CVE-2016-1238. * Disabled TLS 1.0 for HMC ports 443, 9920 and 9960. **General Fixes* * * Fixed a problem causing the lshmcencr command to show no results when listing the current SSH encryption ciphers if the user has not modified the default list of SSH encryption ciphers. This problem only occurs after PTF MH01644 is installed. * Fixed a problem where some GUI views of system firmware levels such as the Updates, System Code Levels table incorrectly show a deferred level of none (or blank) when a deferred level exists. * Fixed a rare problem that caused a server to return to the Save Area Version Mismatch state immediately after the partition data for the server was successfully recovered. * Enhanced error handling to prevent a rare situation that can cause the HMC to hang or return unpredictable results due to a system wide "too many open files" issue. * Fixed rare issue where numerous managed system change events occurring in rapid succession could cause a system wide HMC performance issue or hang. * Prevent the generation and call home of SRC E3550925. This SRC is generated when creating a Kerberos user and no remote user ID is specified or the remote user ID specified is not valid. *Previously released fixes also included in this PTF: * * MH01644* 08/16/16 * Using the lshmcencr command enhancements to list the current SSH encryptions will initially show no results (l*shmcencr -c ssh -t c*). This indicates the default list of all the supported SSH ciphers is currently configured. Once a user modifies the defaults using the *chhmcencr -c ssh* command, the list command will correctly return the active ciphers. * This PTF has been rebuilt to resolve an issue that can cause one or more managed servers to go to an "incomplete" state. The impacted PTF has a build date of 08-16-2016. Users that have already applied the 08-16 build of MH01659 should download the new build and re-apply the PTF, even if they are currently not encountering any symptoms. Impacted build: "version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20160816.1 MH01659: security updates (08-16-2016) ","base_version=V7R7.9.0 " * Enhanced the chhmcencr and lshmcencr commands to support user configuration of the encryption ciphers and Message Authentication Code (MAC) algorithms used by the HMC Secure Shell (SSH) interface. * Fixed Apache Tomcat Vulnerability: CVE-2016-3092. * Fixed multiple NTP vulnerabilities: CVE-2015-7703, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518. * Fixed multiple OpenSSH vulnerabilities: CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and CVE-2016-1908. * Fixed IBM Websphere Application Server (WAS) vulnerability: CVE-2016-2923. * Updated the expiration date for the vterm applet. The current certificate expires August 25th 2016. * Fixed an issue where, after successfully applying a concurrent server firmware update, the HMC Change Licensed Internal Code panel could show an incorrect pending deferred firmware level. The problem does not impact the GUI view levels task or lslic command. This issue is only exposed by a rare type of concurrent server firmware update which has never been released in the field but could occur in the future. * Fixed an issue where HMC backups to a remote server may fail with /rc=26 permission denied/ when the remote user has write access to the target. The problem only occurs when a previous backup was done and the remote user does not have the permissions to overwrite an existing RemoteAccessFile.Test file. * Fixed a problem where HMC to HMC communication intermittently fails resulting in serviceable event B3036620. Other symptoms include failure to negotiate a primary HMC for problem analysis which can result in failure to report a server serviceable event or calling home the same event twice. Repeated occurrences of the B3036620 without a HMC reboot can eventually lead to a hang of the HMC where users are unable to login via the GUI or run commands via ssh. * No longer initialize the OS version the HMC shows for VIOS partitions with the underlying OS kernel version information. This practice sometimes caused the OS version shown for VIOS partitions to be the base AIX version, or to be the VIOS OS version appended with the AIX OS version distribution number. After this fix, if the HMC is unable to query the OS version information from the VIOS, the OS version shown will be blank. * Changed the backup critical console data function to no longer fail when the backup of performance monitoring data fails. With this fix, a warning is reported if the performance monitoring data is not successfully backed up and the backup function continues. Prior to this fix, the backup function failed with the wrong error. * Fixed a rare timing issue where attempting to view properties on a powered off server can cause the HMC to lose connection to all managed servers until the next HMC reboot. SRC E23D040A may be reported due to the core dump of the hdwr_svr process. * Fixed a problem where, on the local HMC console session, the HMC Management > Open Restricted Shell Terminal GUI task is not displayed for any HMC user except hscroot. * Fixed an issue where a managed system may go into an Incomplete state after removing I/O hardware due to stale data in the hardware discovery cache causing an unhandled NullPointerException. * Fixed an issue that impacts partition profiles that contain SR-IOV logical ports and also contain virtual Ethernet adapters that use non-default vSwitches. After the first activation of the profile, any non-default vSwitches used by virtual Ethernet adapters in the profile will be changed to the default vSwitch. The user must edit all affected profiles to restore the original vSwitch names/ / * MH01635* 6/23/16 * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Removed support for all the Ciphers which are less than or equal to 1024 bits for port 443. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed Java vulnerability: CVE-2016-3426 * Fixed Power Hardware Management Console: CVE-2016-0230 * Fix gnutls security vulnerabilities: CVE-2015-2806 and CVE-2015-8313 * Fixed an issue with the "mu" key not working when using an IBM spacesaver keyboard with the Japanese keyboard layout. * Fixed an issue with pedbg failing to collect all the necessary data when the zip file exceeded 2GB. * Fixed an issue where the event log showed HSCL05E9 when activating new partitions. * Fixed a backup issue where PCM data was included even though the user did not select to include PCM data./ / * MH01628* 05/16/16 * Disabled DHE ciphers with private key less than or equal to 1024 bits. * Enhanced logging for serviceable event E212E122 logged against /dev./ / * MH01622* 04/22/16 * Fixed the following openssl security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed Vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed a security issue with HMC restricted shell. * Fixed a Repair & Verify issue on systems utilizing the 24 inch frame with a power subsystem where users can experience a failure of concurrent service maintenance activities on power components within the CEC enclosure, the Power Subsystem enclosure, and any installed I/O devices within the frame. Servers impacted include the POWER 575, 590, 595, 795: Models 9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB; 9406-595. Errors include: "/An internal error occurred when the management console // //attempted to validate the service network. Some or all of the // //required network resources may not be available. Contact your // //next level of support for problem determination/." and "/Redundancy status could not be determined for the FRU in // //location: // //U5791.001.XXXXXXX-Ex" (example) // // // //The FRU cannot be exchanged concurrently. The IO Drawer must be// //powered off and partitions may need to be shut down to continue// //the repair. /" ** * Fixed an issue where serviceable event E212E115 may be reported against rmcd during performance information transmission. * Fixed a rare deadlock issue that required a HMC reboot to recover. Symptoms include unable to login GUI remotely; CLI commands fail with "/command server failed/" errors; partition mobility failing with H/SCLA200 An unknown error occurred during the partition migration./ * MH01610* 03/15/16 * Fixed a Java security issue: CVE-2016-0448 * Fixed security vulnerabilities in glibc: CVE-2015-7547, CVE-2014-9761, CVE-2015-8776, CVE-2015-8777, and CVE-2015-8778 * Enabled all TLS protocols on vterm(9960), FCS(9920) and remote web access(12443) ports. * Fixed an issue during Remote Restart to prevent the lpars going into open firmware state on the target managed system because storage mappings/adapters were missing. The HMC will now report a valid error when an exception is hit and will display the correct Remote Restart status. * MH01605* 02/17/16 * Fixed multiple OpenSSH vulnerabilities involving the ssh client "Roaming" feature: CVE-2016-0777 and CVE-2016-0778 * Fixed multiple Vulnerabilities in NTP : CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871 * Fixed an issue where the managed servers go to an Incomplete state when the RMC interface has a blank (null) ipv4 or ipv6 value. * Fixed an issue where /var may fill up with core dumps when Pegasus server is enabled and in use by a remote client. * MH01597* 1/25/16 * Fixed multiple OpenSSL Vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794 * Fixed multiple Java Vulnerabilities: CVE-2015-4843, CVE-2015-4868, CVE-2015-4806, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4842, and CVE-2015-4803 * Fixed an issue where the HMC web server may intermittently deadlock. Symptoms include one or more of the following: unable to connect using a browser; browser error "Service Temporarily Unavailable"'; multiple serviceable events for E35A0016 and/or E35A0017; unable to restart due to / file system full from repeated diagnostic dumps. Back to top <#ibm-content> Installation Installation instructions for HMC Version 7 upgrades, updates and corrective service can be found at these locations: Installation methods for HMC Version 7 updates and fixes Upgrading or restoring HMC Version 7 Instructions and images for upgrading via a remote network install can be found here (for all HMC releases): HMC network installation images Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>