MH01677
1/30/17
|
- Fixed Apache Tomcat vulnerabilities CVE-2016-6816,
CVE-2016-6817 and CVE-2016-0762
- Removed support for all Triple DES ciphers from
the Web UI (HMC ports 443 and 12443) to address
vulnerability: CVE-2016-2183
- Fixed a problem where, on the local HMC console
session, the HMC Management > Open Restricted
Shell Terminal GUI task fails to open a terminal
window. No error is returned. This
problem only occurs after PTF MH01666 is installed.
- Fixed a problem preventing a vterm console window
from being opened by the GUI on the local HMC
console.
- Fixed an issue where HMC performance degrades over
time until the command server and/or web servers
hang requiring a reboot to resolve. Logs will
show a large number of blocked threads for the
unified JRE and may include an error of "too many
open files". The issue is typically seen on
HMCs where external scripts are running dozens or
hundreds of commands.
- Increased the maximum number of threads threshold to
prevent the generation and call home of SRC E212E116
when there is no issue with the number of threads.
- Repair any duplicate user group IDs that exist on
the HMC. The repair will occur when this PTF
is installed on the HMC.
- Improved the performance of the Enhanced GUI, REST
API interface and HMC command line for non-hscroot
custom HMC users that have a task role of
hmcsuperadmin and a resource role of
AllSystemResources.
- Fixed a problem that caused the lpar_netboot
command to fail with the error "The system has no
more ptys. Ask your system administrator to
create more."
|
MH01666
11/28/16
|
- Fixed multiple OpenSSL vulnerabilities:
CVE-2016-2180, CVE-2016-2182, and CVE-2016-6306
- TLS1.0 is re-enabled on port 443.
- Added DST timezone changes for Turkey, leap second
to 31 Dec 2016.
- Changed the HMC install process to report the
error SRC E3558801 when the installation of a
service pack or iFix fails due to a rare RPM
installation failure. Prior to this fix, the
service pack or iFix installation appeared to finish
successfully.
- Fixed an issue causing ASM for POWER5 servers to
launch a blank white screen and eventually a
"Connection timed out". This only occurred if PTF
MH01635 was not installed prior to MH01644 or
MH01659.
- Fixed a problem preventing users from being able
to log in on the local HMC console, where after the
Welcome page loads on the local console, clicking
"Log on and Launch" results in the following error:
Problem loading page
An error occurred during a connection to
127.0.0.1.
Cannot communicate securely with peer: no
common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
This problem only occurs on HMCs that have PTF
MH01659 installed. The fix is the reenablement
of TLS1.0 on port 443.
|
MH01659
10/21/16
|
- Fixed IBM WebSphere Application Server (WAS)
vulnerabilities: CVE-2016-0378 and CVE-2016-5986.
- Fixed Apache Tomcat vulnerability: CVE-2016-3092.
- Fixed PAM vulnerabilities: CVE-2015-3238 and
CVE-2013-7041.
- Fixed DHCP vulnerabilities: CVE-2015-8605 and
CVE-2016-2774.
- Fixed Perl vulnerability: CVE-2016-1238.
- Disabled TLS 1.0 for HMC ports 443, 9920 and 9960.
- Fixed a problem causing the lshmcencr command to
show no results when listing the current SSH
encryption ciphers if the user has not modified the
default list of SSH encryption ciphers. This
problem only occurs after PTF MH01644 is installed.
- Fixed a problem where some GUI views of system
firmware levels such as the Updates, System Code
Levels table incorrectly show a deferred level of
none (or blank) when a deferred level exists.
- Fixed a rare problem that caused a server to
return to the Save Area Version Mismatch state
immediately after the partition data for the server
was successfully recovered.
- Enhanced error handling to prevent a rare
situation that can cause the HMC to hang or return
unpredictable results due to a system wide "too many
open files" issue.
- Fixed rare issue where numerous managed system
change events occurring in rapid succession could
cause a system wide HMC performance issue or hang.
- Prevent the generation and call home of SRC
E3550925. This SRC is generated when creating
a Kerberos user and no remote user ID is specified
or the remote user ID specified is not valid.
|
MH01644
08/16/16
|
- Using the lshmcencr command enhancements to list
the current SSH encryptions will initially show no
results (lshmcencr -c ssh -t c).
This indicates the default list of all the supported
SSH ciphers is currently configured.
Once a user modifies the defaults using the chhmcencr
-c ssh command, the list command will
correctly return the active ciphers.
- This PTF has been rebuilt to resolve an issue that
can cause one or more managed servers to go to an
"incomplete" state. The impacted PTF has a build
date of 08-16-2016. Users that have already applied
the 08-16 build of MH01687 should download the new
build and re-apply the PTF, even if they are
currently not encountering any symptoms.
Impacted build:
"version= Version: 7
Release: 7.9.0
Service Pack: 3
HMC Build level 20160816.1
MH01687: security updates (08-16-2016)
","base_version=V7R7.9.0
"
- Enhanced the chhmcencr and lshmcencr commands to
support user configuration of the encryption ciphers
and Message Authentication Code (MAC) algorithms
used by the HMC Secure Shell (SSH) interface.
- Fixed Apache Tomcat Vulnerability: CVE-2016-3092.
- Fixed multiple NTP vulnerabilities: CVE-2015-7703,
CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and
CVE-2016-2518.
- Fixed multiple OpenSSH vulnerabilities:
CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and
CVE-2016-1908.
- Fixed IBM WebSphere Application Server (WAS)
vulnerability: CVE-2016-2923.
- Updated the expiration date for the vterm
applet. The current certificate expires August
25th 2016.
- Fixed an issue where, after successfully applying
a concurrent server firmware update, the HMC
Change Licensed Internal Code panel could show an
incorrect pending deferred firmware level. The
problem does not impact the GUI view levels task or
lslic command. This issue is only exposed by a
rare type of concurrent server firmware update which
has never been released in the field but could occur
in the future.
- Fixed an issue where HMC backups to a remote
server may fail with rc=26 permission denied
when the remote user has write access to the
target. The problem only occurs when a
previous backup was done and the remote user does
not have the permissions to overwrite an existing
RemoteAccessFile.Test file.
- Fixed a problem where HMC to HMC communication
intermittently fails resulting in serviceable event
B3036620. Other symptoms include failure to
negotiate a primary HMC for problem analysis which
can result in failure to report a server serviceable
event or calling home the same event twice.
Repeated occurrences of the B3036620 without an HMC
reboot can eventually lead to a hang of the HMC
where users are unable to log in via the GUI or run
commands via ssh.
- No longer initialize the OS version the HMC shows
for VIOS partitions with the underlying OS kernel
version information. This practice sometimes
caused the OS version shown for VIOS partitions to
be the base AIX version, or to be the VIOS OS
version appended with the AIX OS version
distribution number. After this fix, if the
HMC is unable to query the OS version information
from the VIOS, the OS version shown will be blank.
- Changed the backup critical console data function
to no longer fail when the backup of performance
monitoring data fails. With this fix, a
warning is reported if the performance monitoring
data is not successfully backed up and the backup
function continues. Prior to this fix, the
backup function failed with the wrong error.
- Fixed a rare timing issue where attempting to view
properties on a powered off server can cause the HMC
to lose connection to all managed servers until the
next HMC reboot. SRC E23D040A may be reported
due to the core dump of the hdwr_svr process.
- Fixed a problem where, on the local HMC console
session, the HMC Management > Open
Restricted Shell Terminal GUI task is not displayed
for any HMC user except hscroot.
- Fixed an issue where a managed system may go into
an Incomplete state after removing I/O hardware due
to stale data in the hardware discovery cache
causing an unhandled NullPointerException.
- Fixed an issue that impacts partition profiles
that contain SR-IOV logical ports and also contain
virtual Ethernet adapters that use non-default
vSwitches. After the first activation of the
profile, any non-default vSwitches used by virtual
Ethernet adapters in the profile will be changed to
the default vSwitch. The user must edit all
affected profiles to restore the original vSwitch
names.
|
MH01635
6/23/16
|
- Added functionality to the chhmc command to allow
an admin to set a grub password at bootup.
- Removed support for all the Ciphers which are less
than or equal to 1024 bits for port 443.
- Fixed OpenSSL vulnerabilities:
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107,
CVE-2016-2108, and CVE-2016-2109
- Fixed Java vulnerability: CVE-2016-3426
- Fixed Power Hardware Management Console
vulnerability: CVE-2016-0230
- Fixed GnuTLS security vulnerabilities: CVE-2015-2806
and CVE-2015-8313
- Fixed an issue with the "mu" key not working when
using an IBM spacesaver keyboard with the Japanese
keyboard layout.
- Fixed an issue with pedbg failing to collect all
the necessary data when the zip file exceeded 2GB.
- Fixed an issue where the event log showed HSCL05E9
when activating new partitions.
- Fixed a backup issue where PCM data was included
even though the user did not select to include PCM
data.
|
MH01628
05/16/16
|
- Disabled DHE ciphers with private key less than or
equal to 1024 bits.
- Enhanced logging for serviceable event E212E122
logged against /dev.
|
MH01622
04/22/16
|
- Fixed the following OpenSSL security
vulnerabilities: CVE-2015-3197, CVE-2016-0702,
CVE-2016-0705, CVE-2016-0797
- Fixed Tomcat vulnerabilities: CVE-2015-5174,
CVE-2015-5345, CVE-2015-5346,
CVE-2015-5351, CVE-2016-0706, CVE-2016-0714,
CVE-2016-0763
- Fixed Vulnerabilities in bind: CVE-2016-1285 and
CVE-2016-1286
- Fixed security vulnerability with strongSwan:
CVE-2015-8023
- Fixed a security issue with HMC restricted shell.
- Fixed a Repair & Verify issue on systems
utilizing the 24 inch frame with a power
subsystem where users can experience a failure of
concurrent service maintenance activities on
power components within the CEC enclosure, the Power
Subsystem enclosure, and any installed I/O devices
within the frame. Servers impacted include
the POWER 575, 590, 595, 795: Models
9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB;
9406-595.
Errors include:
"An internal error occurred when the management
console
attempted to validate the service network.
Some or all of the
required network resources may not be
available. Contact your
next level of support for problem
determination."
and
"Redundancy status could not be determined for
the FRU in
location:
U5791.001.XXXXXXX-Ex"
(example)
The FRU cannot be exchanged concurrently. The
IO Drawer must be
powered off and partitions may need to be
shut down to continue
the repair. "
- Fixed an issue where serviceable event E212E115
may be reported against rmcd during performance
information transmission.
- Fixed a rare deadlock issue that required an HMC
reboot to recover. Symptoms include being unable to
log in to the GUI remotely; CLI commands failing with
"command server failed" errors; and partition
mobility failing with HSCLA200 An unknown error
occurred during the partition migration.
|
MH01610
03/15/16
|
- Fixed a Java security issue: CVE-2016-0448
- Fixed security vulnerabilities in glibc:
CVE-2015-7547, CVE-2014-9761, CVE-2015-8776,
CVE-2015-8777, and CVE-2015-8778
- Enabled all TLS protocols on vterm(9960),
FCS(9920) and remote web access(12443) ports.
- Fixed an issue during Remote Restart to prevent
the LPARs going into open firmware state on the
target managed system because storage
mappings/adapters were missing. The HMC will now
report a valid error when an exception is hit and
will display the correct Remote Restart status.
|
MH01605
02/17/16
|
- Fixed multiple OpenSSH vulnerabilities involving
the ssh client "Roaming" feature: CVE-2016-0777 and
CVE-2016-0778
- Fixed multiple vulnerabilities in NTP:
CVE-2015-7691, CVE-2015-7692, CVE-2015-7701,
CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
CVE-2015-7705, CVE-2015-7848, CVE-2015-7849,
CVE-2015-7850, CVE-2015-7851, CVE-2015-7852,
CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and
CVE-2015-7871
- Fixed an issue where the managed servers go to an
Incomplete state when the RMC interface has a blank
(null) ipv4 or ipv6 value.
- Fixed an issue where /var may fill up with core
dumps when Pegasus server is enabled and in use by a
remote client.
|
MH01597
1/25/16
|
- Fixed multiple OpenSSL Vulnerabilities:
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195,
CVE-2015-3196, and CVE-2015-1794
- Fixed multiple Java Vulnerabilities:
CVE-2015-4843, CVE-2015-4868, CVE-2015-4806,
CVE-2015-4872, CVE-2015-4911, CVE-2015-4893,
CVE-2015-4842, and CVE-2015-4803
- Fixed an issue where the HMC web server may
intermittently deadlock. Symptoms include one
or more of the following: unable to connect using a
browser; browser error "Service Temporarily
Unavailable"; multiple serviceable events for
E35A0016 and/or E35A0017; unable to restart
due to / file system full from repeated diagnostic
dumps.
|