Hardware Management Console Readme

For use with Version 8 Release 8.3.0 Service Pack 3

Date: 21 August 2017

(C) Copyright International Business Machines Corp., 2017 All rights reserved.

Contents

The information in this Readme contains the fix list and other package information about the Hardware Management Console.

* PTF MH01717
* Package information
* List of fixes
* Installation (Please read special instructions.)
* Additional information

PTF MH01717

This package includes a fix for HMC Version 8 Release 8.3.0 Service Pack 3. You can reference this package by APAR MB04102 and PTF MH01717.

This image must be installed on top of HMC Version 8 Release 8.3.0 Service Pack 3 (PTF MH01619) with or without additional fixes.

Note 1: This PTF supersedes MH01679, MH01683, MH01692, and MH01700.

Note 2: An HMC backup created after installing PTF MH01717 must be restored on HMC Version 8 Release 8.3.0 with Service Pack 3 (MH01619) or later installed.

Package information

Package name   Size         Checksum (sha1sum)                         APAR#     PTF#
MH01717.iso    1279567872   c70e1bf33e9ed279f597dd820f950f9829fb8910   MB04102   MH01717

Splash Panel information (or lshmc -V output)

"version= Version: 8
Release: 8.3.0
Service Pack: 3
HMC Build level 20170726.1
MH01717: Fix for HMC V8R8.3.0 SP3 (08-07-2017)
","base_version=V8R8.3.0
"

Known Issues:

1. Special Install Instructions

   Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface, perform the following:

   1. Log in again selecting the Log In option of "Classic".
   2. If already logged in to the HMC using Enhanced+ GUI, log off the HMC.
   3. Install using the normal installation instructions.

   Alternatively, install this PTF using CLI.

2. A vterm console cannot be opened by the GUI on the local HMC console when the HMC is in NIST mode.
   You can use the mkvterm or vtmenu command on the local HMC console or use the GUI remotely to open a vterm.

List of fixes

*Security Fix*

* Fixed IBM WebSphere Application Server vulnerability: CVE-2017-1194

*General Fix*

* Updated the certificate expiration date for the vterm applet.

Previously released fixes also included in this PTF:

*MH01700* 06/16/17

* Fixed glibc vulnerabilities: CVE-2014-9761, CVE-2015-8776, CVE-2015-8778 and CVE-2015-8779.
* Removed support for all ciphers that use a Diffie-Hellman modulus of 1024 bits or less from HMC ports 9920, 9960 and 12443. This change was made to address the following vulnerability: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam).
* Disabled client-initiated renegotiation for HMC port 9960.
* Fixed a rare issue where HMC performance degrades over time until the command server and/or web servers hang requiring an HMC reboot to resolve. Logs will show a large number of partition surveillance events and blocked threads and may also include out of memory errors. This issue can occur when network connectivity issues repeatedly occur between the HMC and large numbers of partitions over a short period of time.
* Fixed a problem where old Elastic CoD information was being called home, resulting in out of compliance emails being sent out from the CoD project office.
* Fixed a rare timing issue that can cause the Customizable Data Types table on the Configure Customizable Data Replication GUI window on a slave HMC to be empty.

*MH01692* 04/20/17

* Fixed a security issue with the Firefox browser on the local HMC console.
* Fixed an issue that caused an exception during repair of the DCCA on bulk power systems.
* Fixed an issue that caused the following error to be displayed when trying to open a vterm console window: "/Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running/".
  With this fix, vterm console windows can continue to be opened after the vterm applet certificate has ex

*MH01683* 03/22/17

* Fixed BIND vulnerability: CVE-2016-9147
* Fixed OpenSSH vulnerability: CVE-2015-8325
* Fixed multiple NTP vulnerabilities: CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311
* Fixed OpenSSL vulnerabilities: CVE-2016-8610 and CVE-2017-3731
* Fixed a rare timing issue that can cause the HMC to not report a serviceable event for a managed server.

*MH01679* 01/31/17

* Fixed Apache Tomcat vulnerabilities: CVE-2016-6816, CVE-2016-6817 and CVE-2016-0762
* Fixed BIND vulnerability: CVE-2016-8864
* Disabled HTTP compression for the necessary URIs and data types to fix vulnerability: CVE-2013-3587
* Removed support for all Triple DES ciphers from the Web UI (HMC ports 443 and 12443) to address vulnerability: CVE-2016-2183
* Fixed an issue where HMC performance degrades over time until the command server and/or web servers hang requiring a reboot to resolve. Logs will show a large number of blocked threads for the unified JRE and may include an error of "too many open files". The issue is typically seen on HMCs where external scripts are running dozens or hundreds of commands.
* Fixed a problem causing a blank window to be opened when the ASM interface for a server is launched when the server is in Failed Authentication state.
* Prevented another occurrence of the generation and call home of SRC E3550925. This SRC is generated when creating a Kerberos user and no remote user ID is specified or the remote user ID specified is not valid.
* Fixed a problem that caused the lpar_netboot command to fail with the error "/The system has no more ptys.
  Ask your system administrator to create more./"
* Fixed an issue where email notifications for HMC reported service events were not sent when the failing machine type and model differs from the underlying model type of the POWER server (for example the 5146-GL6 Elastic Storage Server systems).

Installation

Special Install Instructions

Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface, perform the following:

1. Log in again selecting the Log In option of "Classic".
2. If already logged in to the HMC using Enhanced+ GUI, log off the HMC.
3. Install using the normal installation instructions.

Alternatively, install this PTF using CLI.

Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations:

* Upgrading or restoring HMC Version 8
* Installation methods for HMC Version 8 fixes

Instructions and images for upgrading via a remote network install can be found here:

* HMC V8 network installation images and installation instructions

Additional information

Notes:

1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service.
2. This image requires DVD-R media.
3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted.
4. The updhmc command line command has also been modified to use the *.iso file.
   To use the command, follow the syntax in this example:

   updhmc -t s -h -f -u -i

In all cases, the HMC application extracts the files needed to install the corrective service.
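
A check of the downloaded image against the size and SHA-1 listed under Package information, written as an added example that is not part of IBM's readme. The function name verify_package and its return codes are assumptions of this example; it is meant for the workstation where the ISO was downloaded, before the file is handed to the Install Corrective Service task or updhmc.

```shell
#!/bin/sh
# Added example: verify a downloaded HMC fix image against the size and
# SHA-1 published in the readme's "Package information" table.

# Values copied from the Package information table for MH01717.iso.
EXPECTED_SIZE=1279567872
EXPECTED_SHA1=c70e1bf33e9ed279f597dd820f950f9829fb8910

# sha1_of FILE: print the lowercase hex SHA-1 of FILE.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_package FILE SIZE SHA1 (hypothetical helper for this example)
# Returns 0 = match, 1 = file missing or unreadable,
#         2 = size mismatch, 3 = checksum mismatch.
verify_package() {
    file=$1
    want_size=$2
    # Accept the published checksum in either letter case.
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    [ -f "$file" ] && [ -r "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Cheap check first: a truncated download fails here without hashing 1.2 GB.
    have_size=$(( $(wc -c < "$file") ))
    [ "$have_size" -eq "$want_size" ] || {
        echo "size $have_size, expected $want_size" >&2; return 2; }

    have_sha1=$(sha1_of "$file")
    [ "$have_sha1" = "$want_sha1" ] || {
        echo "sha1 $have_sha1, expected $want_sha1" >&2; return 3; }

    echo "OK: $file"
}

# Check the real image only when its path is given on the command line.
if [ $# -ge 1 ]; then
    verify_package "$1" "$EXPECTED_SIZE" "$EXPECTED_SHA1"
fi
```

Pass the path of the downloaded MH01717.iso as the only argument. A match shows the file arrived intact relative to the published value, so the expected checksum should be read from IBM's fix page over HTTPS rather than from wherever the image itself was mirrored.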