Readme file for: IBM® Power Virtualization Center
Publication Date: May 27 2024

This iFix applies to IBM PowerVC 2.1.1.1.

Note: Ensure that the name of the maintenance file was not changed when it was downloaded. This change might be intentional, or it might be an inadvertent change that is caused by certain web browsers or download utilities.

This iFix addresses the following issues:

CVE-2023-6481: A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

CVE-2023-6378: A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

CVE-2023-24331: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

Installation steps :-
------------------
1) Take PowerVC backup.

2) Copy the included IT45572-2.1.1.1-OPSMGR.tgz file to the PowerVC primary node.

3) Run the following command on primary node:
     tar -xzf IT45572-2.1.1.1-OPSMGR.tgz
     cd IT45572-2.1.1.1-OPSMGR
     sh patch_opsmgr.sh

4) Run the following command from the primary node to apply the iFix on all the PowerVC nodes one by one:
     powervc-opsmgr apply-ifix --ifix -c --host

   Example :
     powervc-opsmgr apply-ifix --ifix /root/IT45572-2.1.1.1-OPSMGR.tgz -c --host

   If the iFix installation fails for the host, rerun the command in Step 4.

   Note: The can be obtained by running "powervc-opsmgr inventory -l" command.
   If the inventory is created with hostname, then use hostname in the apply-ifix command. If hostip is used when the inventory is created, then use the hostip in the apply-ifix command.

5) Check whether the iFix has been successfully applied on all nodes by running the below command.
     powervc-opsmgr apply-ifix -l -c
     yum repo-pkgs ifix-IT45572-2.1.1.1-OPSMGR list --showduplicates

Expected output:
---------------
RHEL :
# yum repo-pkgs ifix-IT45572-2.1.1.1-OPSMGR list --showduplicates
Updating Subscription Management repositories.
Installed Packages
powervc-opsmgr.noarch          2.1.1.1-202404121151.1.ibm.el8  @ifix-IT45572-2.1.1.1-OPSMGR
python3-paramiko.noarch        3.4.0-2.ibm.el8                 @ifix-IT45572-2.1.1.1-OPSMGR
python3-powervc-opsmgr.noarch  2.1.1.1-202404121151.1.ibm.el8  @ifix-IT45572-2.1.1.1-OPSMGR
python3-pyOpenSSL.x86_64       23.3.0-4.ibm.el8                @ifix-IT45572-2.1.1.1-OPSMGR
python39-cryptography.x86_64   39.0.2-1.ibm.el8                @ifix-IT45572-2.1.1.1-OPSMGR
zookeeper.noarch               3.9.1-4.ibm.el8                 @ifix-IT45572-2.1.1.1-OPSMGR
python39-urllib3.noarch        1.25.10-1.ibm.el8               @ifix-IT45572-2.1.1.1-OPSMGR

SLES :
# zypper lr
Repository priorities in effect: (See 'zypper lr -P' for details)
      90 (raised priority)  :  7 repositories
      99 (default priority) : 18 repositories

#  | Alias                               | Name                                | Enabled | GPG Check | Refresh
---+-------------------------------------+-------------------------------------+---------+-----------+--------
 1 | Basesystem-product                  | Basesystem-product                  | Yes     | (r ) Yes  | No
 2 | Basesystem-update                   | Basesystem-update                   | Yes     | (r ) Yes  | No
 3 | Module-Desktop-Applications-product | Module-Desktop-Applications-product | Yes     | (r ) Yes  | No
 4 | Module-Desktop-Applications-update  | Module-Desktop-Applications-update  | Yes     | (r ) Yes  | No
 5 | Product-SLES                        | Product-SLES                        | Yes     | (r ) Yes  | No
 6 | Product-SLES-update                 | Product-SLES-update                 | Yes     | (r ) Yes  | No
 7 | SLE-Module-Development-Tools-update | SLE-Module-Development-Tools-update | Yes     | (r ) Yes  | No
 8 | SLE-Product-HA-product              | SLE-Product-HA-product              | Yes     | (r ) Yes  | No
 9 | SLE-Product-HA-update               | SLE-Product-HA-update               | Yes     | (r ) Yes  | No
10 | Server-product                      | Server-product                      | Yes     | (r ) Yes  | No
11 | Server-update                       | Server-update                       | Yes     | (r ) Yes  | No
12 | Web-product                         | Web-product                         | Yes     | (r ) Yes  | No
13 | Web-update                          | Web-update                          | Yes     | (r ) Yes  | No
14 | cloud-product                       | cloud-product                       | Yes     | (r ) Yes  | No
15 | cloud-update                        | cloud-update                        | Yes     | (r ) Yes  | No
16 | ifix-IT45572-2.1.1.1-OPSMGR         | ifix-IT45572-2.1.1.1-OPSMGR         | Yes     | ( p) Yes  | Yes
17 | legacy-Product                      | legacy-Product                      | Yes     | (r ) Yes  | No
18 | legacy-update                       | legacy-update                       | Yes     | (r ) Yes  | No
19 | powervc-noarch                      | POWERVC Openstack noarch            | Yes     | ( ) No    | Yes
20 | powervc-opsmgr-noarch               | POWERVC Opsmgr noarch               | Yes     | ( ) No    | Yes
21 | powervc-opsmgr-ppc64le              | POWERVC Opsmgr ppc64le              | Yes     | ( ) No    | Yes
22 | powervc-ppc64le                     | POWERVC Openstack ppc64le           | Yes     | ( ) No    | Yes
23 | pvc-openstack-noarch                | POWERVC Openstack noarch            | Yes     | ( ) No    | Yes
24 | pvc-openstack-ppc64le               | POWERVC Openstack ppc64le           | Yes     | ( ) No    | Yes
25 | security_SELinux                    | SELinux (15.4)                      | Yes     | (r ) Yes  | No

# zypper pa -ir 16
Loading repository data...
Reading installed packages...
S  | Repository                  | Name                   | Version                    | Arch
---+-----------------------------+------------------------+----------------------------+--------
i+ | ifix-IT45572-2.1.1.1-OPSMGR | powervc-opsmgr         | 2.1.1.1-202404121151.1.ibm | noarch
i+ | ifix-IT45572-2.1.1.1-OPSMGR | python3-paramiko       | 3.4.0-2.ibm                | noarch
i+ | ifix-IT45572-2.1.1.1-OPSMGR | zookeeper              | 3.9.1-4.ibm                | noarch
i+ | ifix-IT45572-2.1.1.1-OPSMGR | python3-urllib3        | 1.25.10-1.ibm              | noarch
i+ | ifix-IT45572-2.1.1.1-OPSMGR | python3-powervc-opsmgr | 2.1.1.1-202404121151.1.ibm | noarch
i+ | ifix-IT45572-2.1.1.1-OPSMGR | python3-pyOpenSSL      | 23.3.0-4.ibm               | ppc64le
i+ | ifix-IT45572-2.1.1.1-OPSMGR | python39-cryptography  | 39.0.2-2.ibm               | ppc64le

Part-B: NovaLink Instructions.
-----------------------------
--------------------------------------------
Applicable only for RHEL novalink
--------------------------------------------
Note : On already registered Novalink proceed with below steps:

Step 1: Download and untar file
     tar -xzf IT45572-2.1.1.1-OPSMGR.tgz

Step 2: Update the packages :
   For RHEL8:
     cd IT45572-2.1.1.1-OPSMGR/packages/rhel8-ppc64le/
     rpm -Uvh python39-cryptography-39.0.2-1.ibm.el8.ppc64le.rpm python3-paramiko-3.4.0-2.ibm.el8.noarch.rpm python3-pyOpenSSL-23.3.0-4.ibm.el8.ppc64le.rpm python39-urllib3-1.25.10-1.ibm.el8.noarch.rpm

   For RHEL9:
     cd IT45538-2.1.1.1-OPSMGR/packages/rhel9-ppc64le/
     rpm -Uvh python3-cryptography-39.0.2-5.ibm.el9.ppc64le.rpm python3-paramiko-3.4.0-2.ibm.el8.noarch.rpm python3-pyOpenSSL-23.3.0-4.ibm.el8.ppc64le.rpm python3-urllib3-1.25.10-1.ibm.el8.noarch.rpm

Step 3: Check updated packages
   For RHEL 8:
     rpm -qa python3-paramiko python3-pyOpenSSL python39-cryptography python39-urllib3
   For RHEL 9:
     rpm -qa python3-paramiko python3-pyOpenSSL python3-cryptography python3-urllib3

Step 4 : Ensure pvmctl command is working fine.

--- End of list ---

Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Third-Party License Terms and Conditions, Notices and Information

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

* the Excluded Components are provided on an "AS IS" basis
* IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* IBM will not be liable to you or indemnify you for any claims related to the Excluded Components
* IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.
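
The package check in step 5 of the installation steps, scripted for a RHEL node so it can be repeated on every host; this is an added example, not IBM tooling and not part of the original readme. The function name check_ifix_listing and the sample listing are constructed here, the expected versions are copied from the readme's RHEL expected output, and the rejoining of a wrapped row assumes yum may split a long row across two lines.

```shell
#!/bin/sh
# Added example (not IBM tooling): compare a `yum repo-pkgs ... list` listing
# with the RHEL "Expected output" given in this readme.
REPO='@ifix-IT45572-2.1.1.1-OPSMGR'
# name.arch and version pairs copied from the readme's expected RHEL output.
EXPECTED='powervc-opsmgr.noarch 2.1.1.1-202404121151.1.ibm.el8
python3-paramiko.noarch 3.4.0-2.ibm.el8
python3-powervc-opsmgr.noarch 2.1.1.1-202404121151.1.ibm.el8
python3-pyOpenSSL.x86_64 23.3.0-4.ibm.el8
python39-cryptography.x86_64 39.0.2-1.ibm.el8
zookeeper.noarch 3.9.1-4.ibm.el8
python39-urllib3.noarch 1.25.10-1.ibm.el8'

# Reads the listing on stdin, prints one line per problem, and returns 0 only
# when every expected package is installed from REPO at the expected version.
check_ifix_listing() {
    REPO="$REPO" EXPECTED="$EXPECTED" awk '
        BEGIN {
            n = split(ENVIRON["EXPECTED"], rows, "\n")
            for (i = 1; i <= n; i++)
                if (split(rows[i], f, " ") == 2) want[f[1]] = f[2]
        }
        # A long package name may sit alone on a line; rejoin it with the next.
        NF == 1 && ($1 in want) { held = $1; next }
        held != "" { $0 = held " " $0; held = "" }
        NF == 3 && ($1 in want) { got[$1] = $2; from[$1] = $3 }
        END {
            for (p in want) {
                if (!(p in got)) { print "MISSING " p; bad++ }
                else if (got[p] != want[p]) { print "VERSION " p " " got[p]; bad++ }
                else if (from[p] != ENVIRON["REPO"]) { print "REPO " p " " from[p]; bad++ }
            }
            exit (bad > 0)
        }'
}

# Constructed sample listing: zookeeper is absent, one row is wrapped, and
# python39-cryptography shows a made-up version from a made-up repository.
SAMPLE_BAD="Installed Packages
powervc-opsmgr.noarch 2.1.1.1-202404121151.1.ibm.el8 $REPO
python3-paramiko.noarch 3.4.0-2.ibm.el8 $REPO
python3-powervc-opsmgr.noarch
    2.1.1.1-202404121151.1.ibm.el8 $REPO
python3-pyOpenSSL.x86_64 23.3.0-4.ibm.el8 $REPO
python39-cryptography.x86_64 0.0.0-0.constructed @constructed-repo
python39-urllib3.noarch 1.25.10-1.ibm.el8 $REPO"

printf '%s\n' "$SAMPLE_BAD" | check_ifix_listing || echo "iFix IT45572 not fully applied"
```

On a PowerVC node, pipe the real command into the function: `yum repo-pkgs ifix-IT45572-2.1.1.1-OPSMGR list --showduplicates | check_ifix_listing`.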