Hardware Management Console Readme For use withVersion 7 Release 7.9.0 Service Pack 3 Dated: 16 February 2017 Contents The information in this Readme contains fix list and other package information about the Hardware Management Console. * PTF MH01687 <#MH01687> * Package information <#package> * List of fixes <#fixes> * Installation <#install> * Additional information <#additional> PTF MH01687 This package includes a fix for HMC Version 7 Release 7.9.0 Service Pack 3. You can reference this package by APAR MB04076 and PTF MH01687. This image must be installed on top of HMC Version 7 Release 7.9.0 Service Pack 3 (MH01546) with or without additional PTFs installed. Note: This PTF supersedes MH01597, MH01605, MH01610, MH01622, MH01628, MH01644, MH01659, MH01666 and MH01677. /Package information / Package name Size Checksum (sha1sum) APAR# PTF# MH01687.iso 2160140288 3e9f325c699da3a17f1451e51c83dbcba8147e57 MB04076 MH01687 Splash Panel information (or lshmc -V output) * *"version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20170207.1 MH01666: security updates (11-15-2016) MH01687: security updates (02-07-2017) ","base_version=V7R7.9.0 " Known Issues * After applying Service pack 3, discard any older backups and take a new backup. When taking a backup, specify the current fix level (lshmc -V output) in the backup description field to help identify the fix level the backup was taken from. Before restoring a backup, apply the same fix level (service pack and iFix) that the backup was taken on. If this is not followed the restore may produce unpredictable results. List of fixes *General fixes* * Fixed an issue that caused the following problems to occur after installing PTF MH01677: o Custom HMC users are unable to log in to the HMC GUI and receive "/Console Internal Error. Details: HTTP status code: 500 The server encountered an internal error that prevented it from fulfilling this request./" The user can log in via ssh however attempting to run most commands fails with "/HSCL8016 An unknown error occurred while trying to perform this command. Retry the command. If the error persists, contact your software support representative/." o All custom users lose their task role assignment and any custom managed resource role assignment. Users hscroot, root, and hscpe (if created) are not impacted. o One or more custom task roles may be deleted. Recovery Instructions if MH01677 is already applied. These instructions apply _only_ if MH01677 was installed prior to MH01687. If an HMC backup management console data exists at a known fix level of Service Pack 3 prior to iFix MH01677, then the backup can be restored. Perform a clean install of the HMC, apply Service Pack 3 with the same iFix PTF that the backup was taken with, restore the backup, then apply MH01687. Otherwise, to recover from the issue with MH01677 already applied: 1. Log in to the HMC as hscroot. 2. (optional) Record the existing custom HMC users. The command "*lshmcusr --script | grep "taskrole=Undefined"*" can be used to record the existing users and their settings in a format that can be used on the create user command. 3. Remove all custom users. To delete all the custom users run the command: *rmhmcusr –t all* 4. Update the HMC to PTF MH01687. 5. Recreate the custom task roles (if impacted) If the roles exist on another HMC, HMC replication can be used to recreate the roles. 6. Recreate the custom users. If the users exist on another HMC, HMC replication can be used to recreate the users. Another option is to use the output of the *lshmcusr –script* command from step 2. Edit and correct the taskrole and resourcerole fields, optionally add a passwd field to avoid the password prompt, then create the user. _Example_: mkhmcusr -i "name=cs2,taskrole=hmcsuperadmin,description=CS2 HMC user,pwage=99999,resourcerole=ALL:,authentication_type=local,remote_webui_access=1,remote_ssh_access=1,min_pwage=0,session_timeout=0,verify_timeout=15,idle_timeout=0,inactivity_expiration=0,passwd=abc1234" Note: If the users are deleted after apply of MH01688 an additional reboot may be required. *Previously released fixes also included in this PTF: * * MH01677* 1/30/17 * Fixed Apache Tomcat vulnerabilities CVE-2016-6816, CVE-2016-6817 and CVE-2016-0762 * Removed support for all Triple DES ciphers from the Web UI (HMC ports 443 and 12443) to address vulnerability: CVE-2016-2183 * Fixed a problem where, on the local HMC console session, the HMC Management > Open Restricted Shell Terminal GUI task fails to open a terminal window. No error is returned. This problem only occurs after PTF MH01666 is installed. * Fixed a problem preventing a vterm console window from being opened by the GUI on the local HMC console. * Fixed an issue where HMC performance degrades over time until the command server and/or web servers hang requiring a reboot to resolve. Logs will show a large number of blocked threads for the unified JRE and may include an error of "too many open files". The issue is typically seen on HMCs where external scripts are running dozens or hundreds of commands. * Increased the maximum number threads threshold to prevent the generation and call home of SRC E212E116 when there is no issue with the number of threads. * Repair any duplicate user group IDs that exist on the HMC. The repair will occur when this PTF is installed on the HMC. * Improved the performance of the Enhanced GUI, REST API interface and HMC command line for non-hscroot custom HMC users that have a task role of hmcsuperadmin and a resource role of AllSystemResources. * Fixed a problem that caused the lpar_netboot command to fail with the error "/The system has no more ptys. Ask your system administrator to create more./" * MH01666* 11/28/16 * Fixed multiple OpenSSL vulnerabilities: CVE-2016-2180, CVE-2016-2182, and CVE-2016-6306 * TLS1.0 is re-enabled on port 443. * Added DST timezone changes for Turkey, leap second to 31 Dec 2016. * Changed the HMC install process to report the error SRC E3558801 when the installation of a service pack or iFix fails due to a rare RPM installation failure. Prior to this fix, the service pack or iFix installation appeared to finish successfully. * Fixed an issue causing ASM for POWER5 servers to launch a blank white screen and eventually a "Connection timed out". This only occurred if PTF MH01635 was not installed prior to MH01644 or MH01659. * Fixed a problem preventing users from being able to log in on the local HMC console, where after the Welcome page loads on the local console, clicking "Log on and Launch" results in the following error: /Problem loading page// //An error occurred during a connection to 127.0.0.1.// // //Cannot communicate securely with peer: no common encryption algorithm(s).// //(Error code: ssl_error_no_cypher_overlap) / This problem only occurs on HMCs that have PTF MH01659 installed. The fix is the reenablement of TLS1.0 on port 443. * MH01659* 10/21/16 * Fixed IBM Websphere Application Server (WAS) vulnerabilities: CVE-2016-0378 and CVE-2016-5986. * Fixed Apache Tomcat vulnerability: CVE-2016-3092. * Fixed PAM vulnerabilities: CVE-2015-3238 and CVE-2013-7041. * Fixed DHCP vulnerabilities: CVE-2015-8605 and CVE-2016-2774. * Fixed Perl vulnerability: CVE-2016-1238. * Disabled TLS 1.0 for HMC ports 443, 9920 and 9960. * Fixed a problem causing the lshmcencr command to show no results when listing the current SSH encryption ciphers if the user has not modified the default list of SSH encryption ciphers. This problem only occurs after PTF MH01644 is installed. * Fixed a problem where some GUI views of system firmware levels such as the Updates, System Code Levels table incorrectly show a deferred level of none (or blank) when a deferred level exists. * Fixed a rare problem that caused a server to return to the Save Area Version Mismatch state immediately after the partition data for the server was successfully recovered. * Enhanced error handling to prevent a rare situation that can cause the HMC to hang or return unpredictable results due to a system wide "too many open files" issue. * Fixed rare issue where numerous managed system change events occurring in rapid succession could cause a system wide HMC performance issue or hang. * Prevent the generation and call home of SRC E3550925. This SRC is generated when creating a Kerberos user and no remote user ID is specified or the remote user ID specified is not valid. * MH01644* 08/16/16 * Using the lshmcencr command enhancements to list the current SSH encryptions will initially show no results (l*shmcencr -c ssh -t c*). This indicates the default list of all the supported SSH ciphers is currently configured. Once a user modifies the defaults using the *chhmcencr -c ssh* command, the list command will correctly return the active ciphers. * This PTF has been rebuilt to resolve an issue that can cause one or more managed servers to go to an "incomplete" state. The impacted PTF has a build date of 08-16-2016. Users that have already applied the 08-16 build of MH01687 should download the new build and re-apply the PTF, even if they are currently not encountering any symptoms. Impacted build: "version= Version: 7 Release: 7.9.0 Service Pack: 3 HMC Build level 20160816.1 MH01687: security updates (08-16-2016) ","base_version=V7R7.9.0 " * Enhanced the chhmcencr and lshmcencr commands to support user configuration of the encryption ciphers and Message Authentication Code (MAC) algorithms used by the HMC Secure Shell (SSH) interface. * Fixed Apache Tomcat Vulnerability: CVE-2016-3092. * Fixed multiple NTP vulnerabilities: CVE-2015-7703, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518. * Fixed multiple OpenSSH vulnerabilities: CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and CVE-2016-1908. * Fixed IBM Websphere Application Server (WAS) vulnerability: CVE-2016-2923. * Updated the expiration date for the vterm applet. The current certificate expires August 25th 2016. * Fixed an issue where, after successfully applying a concurrent server firmware update, the HMC Change Licensed Internal Code panel could show an incorrect pending deferred firmware level. The problem does not impact the GUI view levels task or lslic command. This issue is only exposed by a rare type of concurrent server firmware update which has never been released in the field but could occur in the future. * Fixed an issue where HMC backups to a remote server may fail with /rc=26 permission denied/ when the remote user has write access to the target. The problem only occurs when a previous backup was done and the remote user does not have the permissions to overwrite an existing RemoteAccessFile.Test file. * Fixed a problem where HMC to HMC communication intermittently fails resulting in serviceable event B3036620. Other symptoms include failure to negotiate a primary HMC for problem analysis which can result in failure to report a server serviceable event or calling home the same event twice. Repeated occurrences of the B3036620 without a HMC reboot can eventually lead to a hang of the HMC where users are unable to login via the GUI or run commands via ssh. * No longer initialize the OS version the HMC shows for VIOS partitions with the underlying OS kernel version information. This practice sometimes caused the OS version shown for VIOS partitions to be the base AIX version, or to be the VIOS OS version appended with the AIX OS version distribution number. After this fix, if the HMC is unable to query the OS version information from the VIOS, the OS version shown will be blank. * Changed the backup critical console data function to no longer fail when the backup of performance monitoring data fails. With this fix, a warning is reported if the performance monitoring data is not successfully backed up and the backup function continues. Prior to this fix, the backup function failed with the wrong error. * Fixed a rare timing issue where attempting to view properties on a powered off server can cause the HMC to lose connection to all managed servers until the next HMC reboot. SRC E23D040A may be reported due to the core dump of the hdwr_svr process. * Fixed a problem where, on the local HMC console session, the HMC Management > Open Restricted Shell Terminal GUI task is not displayed for any HMC user except hscroot. * Fixed an issue where a managed system may go into an Incomplete state after removing I/O hardware due to stale data in the hardware discovery cache causing an unhandled NullPointerException. * Fixed an issue that impacts partition profiles that contain SR-IOV logical ports and also contain virtual Ethernet adapters that use non-default vSwitches. After the first activation of the profile, any non-default vSwitches used by virtual Ethernet adapters in the profile will be changed to the default vSwitch. The user must edit all affected profiles to restore the original vSwitch names/ / * MH01635* 6/23/16 * Added functionality to the chhmc command to allow an admin to set a grub password at bootup. * Removed support for all the Ciphers which are less than or equal to 1024 bits for port 443. * Fixed openSSL vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109 * Fixed Java vulnerability: CVE-2016-3426 * Fixed Power Hardware Management Console: CVE-2016-0230 * Fix gnutls security vulnerabilities: CVE-2015-2806 and CVE-2015-8313 * Fixed an issue with the "mu" key not working when using an IBM spacesaver keyboard with the Japanese keyboard layout. * Fixed an issue with pedbg failing to collect all the necessary data when the zip file exceeded 2GB. * Fixed an issue where the event log showed HSCL05E9 when activating new partitions. * Fixed a backup issue where PCM data was included even though the user did not select to include PCM data./ / * MH01628* 05/16/16 * Disabled DHE ciphers with private key less than or equal to 1024 bits. * Enhanced logging for serviceable event E212E122 logged against /dev./ / * MH01622* 04/22/16 * Fixed the following openssl security vulnerabilities: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797 * Fixed Tomcat vulnerabilities: CVE 2015-5174,CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 * Fixed Vulnerabilities in bind: CVE-2016-1285 and CVE-2016-1286 * Fixed security vulnerability with Strongswan: CVE-2015-8023 * Fixed a security issue with HMC restricted shell. * Fixed a Repair & Verify issue on systems utilizing the 24 inch frame with a power subsystem where users can experience a failure of concurrent service maintenance activities on power components within the CEC enclosure, the Power Subsystem enclosure, and any installed I/O devices within the frame. Servers impacted include the POWER 575, 590, 595, 795: Models 9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB; 9406-595. Errors include: "/An internal error occurred when the management console // //attempted to validate the service network. Some or all of the // //required network resources may not be available. Contact your // //next level of support for problem determination/." and "/Redundancy status could not be determined for the FRU in // //location: // //U5791.001.XXXXXXX-Ex" (example) // // // //The FRU cannot be exchanged concurrently. The IO Drawer must be// //powered off and partitions may need to be shut down to continue// //the repair. /" ** * Fixed an issue where serviceable event E212E115 may be reported against rmcd during performance information transmission. * Fixed a rare deadlock issue that required a HMC reboot to recover. Symptoms include unable to login GUI remotely; CLI commands fail with "/command server failed/" errors; partition mobility failing with H/SCLA200 An unknown error occurred during the partition migration./ * MH01610* 03/15/16 * Fixed a Java security issue: CVE-2016-0448 * Fixed security vulnerabilities in glibc: CVE-2015-7547, CVE-2014-9761, CVE-2015-8776, CVE-2015-8777, and CVE-2015-8778 * Enabled all TLS protocols on vterm(9960), FCS(9920) and remote web access(12443) ports. * Fixed an issue during Remote Restart to prevent the lpars going into open firmware state on the target managed system because storage mappings/adapters were missing. The HMC will now report a valid error when an exception is hit and will display the correct Remote Restart status. * MH01605* 02/17/16 * Fixed multiple OpenSSH vulnerabilities involving the ssh client "Roaming" feature: CVE-2016-0777 and CVE-2016-0778 * Fixed multiple Vulnerabilities in NTP : CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871 * Fixed an issue where the managed servers go to an Incomplete state when the RMC interface has a blank (null) ipv4 or ipv6 value. * Fixed an issue where /var may fill up with core dumps when Pegasus server is enabled and in use by a remote client. * MH01597* 1/25/16 * Fixed multiple OpenSSL Vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794 * Fixed multiple Java Vulnerabilities: CVE-2015-4843, CVE-2015-4868, CVE-2015-4806, CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4842, and CVE-2015-4803 * Fixed an issue where the HMC web server may intermittently deadlock. Symptoms include one or more of the following: unable to connect using a browser; browser error "Service Temporarily Unavailable"'; multiple serviceable events for E35A0016 and/or E35A0017; unable to restart due to / file system full from repeated diagnostic dumps. Back to top <#ibm-content> Installation Installation instructions for HMC Version 7 upgrades, updates and corrective service can be found at these locations: Installation methods for HMC Version 7 updates and fixes Upgrading or restoring HMC Version 7 Instructions and images for upgrading via a remote network install can be found here (for all HMC releases): HMC network installation images Additional information Notes: 1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service. 2. This image requires DVD -R media. 3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted. 4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example: updhmc -t s -h -f -u -i In all cases, the HMC application extracts the files needed to install the corrective service. Back to top <#ibm-content>