The IBM SmartCloud Entry 3.2.0.4 SCE 3.2 Fixpack 21 - Appliance Readme

If you are using IBM SmartCloud Entry 3.2 to manage to a Microsoft Hyper-V hypervisor and have (or need) the IBM SmartCloud Entry Hyper-V Agent installed, you should download and install the current IBM SmartCloud Entry Hyper-V Agent fix pack along with this IBM SmartCloud Entry 3.2 appliance fix pack. Otherwise, no prerequisite or co-requisite IBM SmartCloud Entry 3.2 fixpacks or other fixes are required for this update.

IBM SmartCloud Entry appliance fix packs are cumulative, so you only need to install the latest version to pick up all the available fixes.

The IBM SmartCloud Entry 3.2 appliance fix pack includes fixes for multiple components contained in the appliance. Installation of the IBM SmartCloud Entry 3.2 appliance fix pack updates all the components included in the fix pack. Components within the appliance cannot be updated individually.

The IBM SmartCloud Entry 3.2 appliance update is performed using the sceappmgr menu. The installation process is automated and performs all necessary service and application start/stop functions. Note that IBM SmartCloud Entry will be stopped and restarted during the update process.

For additional information, please see the IBM SmartCloud Entry 3.2 Administrator Guide.

Installation of the fixes is performed through use of sceappmgr. The sysadmin user is authorized to use sceappmgr and to initiate fix pack installation. No additional steps are needed in preparation for installation.

Appliance Fix Pack installation instructions

1. Download the appliance fix pack file (sce_3.2.0.4_appl-fp21.tgz) to a directory on the appliance (/tmp).
2. Go to 'sceappmgr' menu. Select the option for 'Support & Maintenance', then select the option for 'Install Fix Pack'. Enter the path to the fix pack file, /tmp/sce_3.2.0.4_appl-fp21.tgz, and follow the prompts.
3. If you have not previously installed appliance fix pack 3 or later, see the additional directions below.

Special instructions for appliance fix pack 21

If you are using OpenStack on the appliance and have not previously applied appliance fix pack 3 or later, private keys, passwords and other data may have been exposed. These include, but are not limited to:

• The certificates used by the IaaSGateway
• The Keystone simpletoken used by IBM SmartCloud Entry
• The sceagent password, which is part of the IBM SmartCloud Entry cloud configuration
• Passwords for any IBM SmartCloud Entry or Keystone users that are used with the IaaSGateway via OpenStack CLI commands or APIs

It is recommended that you generate new private keys and passwords following the directions below. Additional IBM SmartCloud Entry passwords and OpenStack keystone passwords can be changed as documented in the IBM SmartCloud Entry Administrator Guide and the community OpenStack documentation.

If you are not using OpenStack or have previously applied appliance fix pack 3 and followed these instructions, no action is required.

Use the following procedure to generate a new private key, simple token and sceagent password:
Note: These instruction require restarting the IBM SmartCloud Entry and OpenStack services.

1. Log in to the IBM SmartCloud Entry appliance console.
2. Run 'sceappmgr'
3. Select the option for Manage Authentication Tokens, then option for Generate New Keystone SimpleToken.
4. Enter 1 to confirm generating a new simpletoken.
5. From the Manage Authentication Tokens menu, select the option for Generate New PKI Keys.
6. Enter 1 to confirm generating new PKI keys.
7. After generating new keys, press Enter at each prompt until you return to the main menu.
8. Select the option to Manage Passwords, then select the sceagent user. Enter the new password.
9. After changing the password, exit the Password Management menu and enter 'y' when asked to restart the OpenStack services.
10. Press Enter until you return to the main menu.
11. Log in to the IBM SmartCloud Entry web interface as the administrator.
12. Go to the Configuration tab, select Clouds from the navigation pane and click the link for the OpenStack cloud configuration.
13. Click the Edit button.
14. Enter the new sceagent password in the Administrator ID password field.
15. Next to the "Security certificate" label, click "Remove...".
16. Click Save to save the changes.
17. Log off the web interface.
18. Go back to the SmartCloud Entry appliance console.
19. In sceappmgr, select option 4, Manage SmartCloud Entry Services, then option 2, Start or Stop SmartCloud Entry Service.
20. Select option 3 to restart SmartCloud Entry.
21. Press Enter at each prompt until you exit 'sceappmgr'.
22. Log in to the IBM SmartCloud Entry web interface as the administrator.
23. Go to the Configuration tab, select Clouds from the navigation pane and click the link for OpenStack cloud configuration.
24. Next to the Security certificate label, click "Trust...".
25. The status should change to "Connecting...". Refresh the display until the cloud status changes to OK.

IBM SmartCloud Entry should now be connected to the OpenStack cloud properly and you can log out of the IBM SmartCloud Entry web interface and the appliance console.

IBM SmartCloud Entry appliance fix packs cannot be uninstalled.

Update log (25/07/2016):
SmartCloud Entry 3.2 Appliance Fix pack 21 includes:
- JRE update for PSIRT: "IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU + 3 IBM CVEs CVE-2016-3443 CVE-2016-0687 CVE-2016-0686 CVE-2016-3427 CVE-2016-3449 CVE-2016-3425 CVE-2016-3422 CVE-2016-0695 CVE-2016-3426 CVE-2016-0636 CVE-2016-0363 CVE-2016-0376 CVE-2016-0264"
- OpenStack Havana ifixes for PSIRT: "opensource openstack vuln." (CVE-2015-8749 CVE-2015-7548 CVE-2015-8466 CVE-2015-5295 CVE-2015-5306 CVE-2015-1850 CVE-2015-8749 CVE-2015-7548 CVE-2015-8466 CVE-2015-5295 CVE-2015-5306 CVE-2015-1850)
- MCP OpenSSL update for PSIRT: "OpenSource OpenSSL Vuln." (CVE-2016-0701 CVE-2015-3197 CVE-2016-0705 CVE-2016-0798 CVE-2016-0797 CVE-2016-0799 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704 CVE-2016-2842 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176)

Update log (31/05/2016):
SmartCloud Entry 3.2 Appliance Fix pack 20 includes:
- Operating system fixes for:

• PSIRT for "MCP 7 and MCP 8 affected by Open Source - 1 issue for nss-util" ()
• PSIRT for "MCP 5, 6, and 7 affected by Open Source - 1 issue for sudo" ()
• PSIRT for "MCP 7 and MCP 8 affected by Open Source - 2 issues for bind" ()
• PSIRT for "MCP 7 affected by Open Source - 10 issues for libxml2" ()
• PSIRT for "MCP7 affected by Open Source - 2 issues for httpd" ()
• PSIRT for "MCP 7 affected by Open Source - 3 issues for ntp" ()
• PSIRT for "MCP 7 and MCP 8 affected by Open Source - 5 issues for openssl" ()

Update log (10/03/2016):
SmartCloud Entry 3.2 Appliance Fix pack 19 includes:
- Update SmartCloud Entry 3.2 JRE:

• rtc-218703: PSIRT for SCE/ICM "EXPEDITED Java specific SLOTH - Weak MD5 Signature Hash - CVE-2015-7575"
• rtc-218830: PSIRT for SCE/ICM "IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs"(CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466)

- OpenStack Havana ifixes for:

• rtc-210784: PSIRT for "OpenSource OpenStack vulnerability" (CVE-2015-3241)
• rtc-212833: PSIRT for "OpenSource OpenStack Vuln" (CVE-2015-7713 CVE-2015-5286)
• rtc-211184: PSIRT for ICM "opensource openstack vuln." (CVE-2015-5240 CVE-2015-3280)
• rtc-212064: PSIRT for "OpenSource Openstack Glance Vuln." ()

- Operating system fixes for:

• rtc-219004: PSIRT for SCE "EXPEDITED: glibc getaddrinfo stack-based buffer overflow." (CVE-2015-7547)
• rtc-218833: PSIRT for "MCP7 affected by Open Source - 3 issues for libpng" ()
• rtc-218674: PSIRT for "MCP 7 affected by Open Source - 1 issue for sqlite" ()

Update log (29/01/2016):
SmartCloud Entry 3.2 Appliance Fix pack 18 includes:
- Update SmartCloud Entry 3.2 JRE:

• rtc-213802 - Build a new JRE 1.7.0.9.20, to contain IBM JRE 1.7.0.9.20 fix for a lot of Java CVEs

- MCP bugs:

• PSIRT 4148, 3831, 3866, 3990, 3914, 4362, 4484, 4550.

Update log (12/11/2015):
SmartCloud Entry 3.2 Appliance Fix pack 17 includes:
- OpenStack Havana ifixes for:

• rtc-204819 - PSIRT for "Open Source OpenStack vulnerability" (CVE-2015-1851 CVE-2015-3219)

Update log (10/13/2015):
SmartCloud Entry 3.2 Appliance Fix pack 16 includes:
- OpenStack Havana ifixes for:

• rtc-198472 - PSIRT for "Open Source OpenStack Nova vulnerability - Reported in 03/24/2015 X-Force Report" (CVE-2015-2687)

Update log (9/21/2015):
SmartCloud Entry 3.2 Appliance Fix pack 15 includes:
- Operating system fixes for:

• ntp CVE-2014-9297 CVE-2014-9298 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405

Update log (8/11/2015):
SmartCloud Entry 3.2 Appliance Fix pack 14 includes:
- Update SmartCloud Entry 3.2 JRE - IBM SDK, Java Technology Edition Quarterly CPU - July 2015 -

• Includes Oracle July 2015 CPU + CVE-2015-1931" (CVE-2015-2638 CVE-2015-4733 CVE-2015-4732 CVE-2015-2590 CVE-2015-4731 CVE-2015-2628 CVE-2015-4760 CVE-2015-4736 CVE-2015-4748 CVE-2015-2664 CVE-2015-2632 CVE-2015-2637 CVE-2015-2619 CVE-2015-2621 CVE-2015-2613 CVE-2015-2601 CVE-2015-2659 CVE-2015-4749 CVE-2015-2596 CVE-2015-4729 CVE-2015-2625 CVE-2015-1931)

- Operating system fixes for:

• openssl CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 CVE-2015-1788
• ntp CVE-2014-9297 CVE-2014-9298
• glibc CVE-2013-7424
• 2015e tzdata update

Update log (6/29/2015):
SmartCloud Entry 3.2 Appliance Fix pack 13 includes:
- Operating system fix for:

• glibc CVE-2013-7423 CVE-2015-1781

- Update SmartCloud Entry 3.2 JRE - IBM SDK, Java Technology Edition Quarterly CPU - April 2015 -

• Includes Oracle April 2015 CPU + 4 IBM specific CVEs (CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0460 CVE-2015-0480 CVE-2015-0486 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0470 CVE-2015-2808 CVE-2015-1916 CVE-2015-1914 CVE-2015-0192 CVE-2015-0204)

- OpenStack Havana ifixes for:

• rtc-194626 - PSIRT for "Open Source OpenStack Glance vulnerability" (CVE-2015-1195)
• rtc-195315 - PSIRT for "OpenStack Neutron L3 agent denial of service and OpenStack Glance glance-api server security bypass" (CVE-2014-8153 CVE-2014-9493)
• rtc-195155 - PSIRT for "Open Source Apache Qpid vulnerability" (CVE-2015-0203 CVE-2015-0223 CVE-2015-0224)
• rtc-195177 - PSIRT for "Open Source YAML LibYAML vulnerability" (CVE-2014-9130)
• rtc-198472 - PSIRT for "Open Source OpenStack Nova vulnerability - Reported in 03/24/2015 X-Force Report" (CVE-2015-2687)
• rtc-201534 - PSIRT for "Open Source OpenStack Keystone vulnerability - Reported in 05/04/2015 X-Force" (CVE-2015-3646)

Update log (4/17/2015):
SmartCloud Entry 3.2 Appliance Fix pack 12 includes:
- Operating system fix for:

• openssl CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293

- rtc-198430 - "RC4 Bar Mitzvah Attack for SSL/TLS" (CVE-2015-2808)

• OpenStack Havana ifix to qpidd
• Update SmartCloud Entry 3.2 JRE java.security

Update log (1/29/2015):
SmartCloud Entry 3.2 Appliance Fix pack 11 includes:
- Operating system fixes:

• glibc CVE-2015-0235 (GHOST)
• glibc CVE-2014-6040 CVE-2014-7817
• bind CVE-2014-8500

Update log (1/22/2015):
SmartCloud Entry 3.2 Appliance Fix pack 10 includes:
- Operating system fixes:

• ntp CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
• glibc CVE-2013-4237 CVE-2013-4458
• timezone update

- OpenStack Havana ifixes:

• rtc-189854 - "keystonemiddleware SSL man-in-the-middle" (CVE-2014-7144)

Update log (1/13/2015):
SmartCloud Entry 3.2 Appliance Fix pack 9 includes:
- OpenStack Havana ifixes:

• rtc-191854 - "OpenStack Trove, Nova, Cinder, keystone middleware vulnerability" (.CVE-2014-7230 CVE-2014-7231 CVE-2014-7144 CVE-2014-3641 CVE-2014-3608)
• rtc-189541 - "Admin-only network attributes may be reset to defaults by non-privileged users" (CVE-2014-6414)
• rtc-191669 - "Nova VMware driver may connect VNC to another tenant's console" (CVE-2014-8750)
• rtc-190858 - "Maliciously crafted dns_nameservers will crash neutron" (CVE-2014-7821)

Update log (12/05/2014):
SmartCloud Entry 3.2 Appliance Fix pack 8 includes:
IBM SmartCloud Entry 3.2 fix pack 4, IF001
CVE-2014-3566 (POODLE). The IaaS Gateway client is updated to use a TLS connection.

Update log (10/15/2014):
SmartCloud Entry 3.2 Appliance Fix pack 7 includes:

• IBM SmartCloud Entry 3.2 fix pack 4
• OpenStack Havana service release 2013.2.4
    "Glance store DoS through disk space exhaustion" (CVE-2014-5356)
    "Denial of Service in Neutron allowed address pair" (CVE-2014-3555)
    "Use of non-constant time comparison operation" (CVE-2014-3517)
    "Keystone V2 trusts privilege escalation through user supplied project id" (CVE-2014-3520)

SmartCloud Entry 3.2 Appliance Fix pack 6 includes operating system fixes for the following security advisories:
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 (bash Shellshock), CVE-2014-5119, CVE-2014-3505 - 3511, CVE-2014-3467 - 3469, CVE-2014-2653, CVE-2014-2532, CVE-2014-1740, CVE-2014-1545, CVE-2014-1544, CVE-2014-1490 - 1492, and CVE-2014-0475

SmartCloud Entry 3.2 Appliance Fix pack 4 includes fixes for the following security advisories related to the OpenSSL package:
CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470, CVE-2010-5298, and CVE-2014-0198 No additional action is required for these fixes.

SmartCloud Entry 3.2 Appliance Fix pack 3 includes fixes for CVE-2014-0160 (Heartbleed Bug, http://heartbleed.com/).

This IBM SmartCloud Entry 3.2 appliance fix pack 21 contains the following component updates:

• Appliance RPM: 3.2-8-D20141126-1423
  
• IaaS: D201406250136
  
• OpenStack: D20140924-2316
    ifix rtc-189541
    ifix rtc-189854
    ifix rtc-190858
    ifix rtc-191669
    ifix rtc-191854
    ifix rtc-194626
    ifix rtc-195155
    ifix rtc-195177
    ifix rtc-195315
    ifix rtc-198430
    ifix rtc-198472
    ifix rtc-201534
    ifix rtc-204819
  
• PowerVC Driver: D201406250100
  
• SCE: 3.2.0.4-201411250100
  
• SCE JRE: 3.2.0.4-201607 (1.7.0 SR9 FP40)
  
• OpSys: 3.2-21

This fix is subject to the terms of the license agreement which accompanied, or was contained in, the Program for which you are obtaining the fix. You are not authorized to install or use the fix except as part of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT, REGARDING THE PTF.

By furnishing this document, IBM grants no licenses to any related patents or copyrights.

The applicable license agreement may have been provided to you in printed form and/or may be viewed at http://www-03.ibm.com/software/sla/sladb.nsf/viewbla/.

Copyright © IBM Corporation 2013, 2016