FIRMWARE CHANGE HISTORY
-----------------------

IBM RackSwitch G8052 Version 7.11.16.0 (Released October 2019)

** Changes since the 7.11.15.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - Fixed vulnerabilities in the Linux kernel as reported in the CVE Advisories
    CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. (177635)

================================================================================

IBM RackSwitch G8052 Version 7.11.15.0 (Released July 2019)

** Changes since the 7.11.14.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - After a switch reload, control ports in a failover manual monitor
    configuration, and all VLAG member ports that are UP and have a higher port
    number than the control ports, would remain err-disabled even after the
    VLAG start-up delay timer expired. (166867)
  - Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory
    CVE-2018-0734. (175714)

================================================================================

IBM RackSwitch G8052 Version 7.11.14.0 (Released March 2019)

** Changes since the 7.11.13.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - Protocols would flap and the switch would experience high CPU utilization
    when the switch was scanned by Qualys software. (146840)
  - Spanning tree group (STG) instances could not be configured from the BBI
    interface of the switch. (161182)
  - Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory
    CVE-2018-0732. (147029)

================================================================================

IBM RackSwitch G8052 Version 7.11.13.0 (Released October 2018)

** Changes since the 7.11.12.0 release **

Enhancements:
  - The switch tech-support output now includes information on the Broadcom SDK
    threads spawned by the switch.
    (123029)

Changes:
  none

Fixes:
  - A crash could occur when the switch was scanned for vulnerabilities by the
    Rapid7 security tool or a Nessus scan, or when the CLI commands
    "no ssh enable" or "no access netconf ssh enable" were executed after the
    scan. (133904/138760)
  - The switch would reboot due to memory exhaustion when exposed to prolonged
    port flapping or prolonged network loop conditions in a VLAG setup.
    (133992/135129)
  - If either switch in a VLAG pair was rebooted after the VLAG tier-id had been
    changed on both switches by copying a configuration (with a new VLAG
    tier-id) from a remote server such as FTP, a network loop could result.
    (137255)
  - Fixed vulnerabilities in the TLS protocol as reported in the CVE Advisory
    CVE-2014-8730. (80866)
  - The switch no longer supports the Diffie-Hellman key exchange algorithm in
    strict security mode. (143643)
  - Enhanced the BBI session default user password reset framework.
    (135949/135951)

================================================================================

IBM RackSwitch G8052 Version 7.11.12.0 (Released June 2018)

** Changes since the 7.11.11.0 release **

Enhancements:
  - A syslog message is now logged:
    - when port statistics are cleared from the UI, for example using the CLI
      commands 'clear counters' or 'clear interfaces'.
    - when the flash dump is cleared, for example using the CLI command
      'clear flash-dump'.
    (121539)

Changes:
  none

Fixes:
  - The OIDs of SNMP objects in the lldpRemManAddrTable (1.0.8802.1.1.2.1.4.2),
    when fetched using SNMP commands, contained only two indices
    (lldpRemTimeMark and lldpRemLocalPortNum) instead of the five indices
    (lldpRemTimeMark, lldpRemLocalPortNum, lldpRemIndex, lldpRemManAddrSubtype
    and lldpRemManAddr) defined in the lldpMIB. (117804)
  - Fixed libxml2 vulnerabilities as reported in the Advisories CVE-2016-5131,
    CVE-2017-15412, CVE-2017-16932, CVE-2017-5130.
    (124059)

================================================================================

IBM RackSwitch G8052 Version 7.11.11.0 (Released November 2017)

** Changes since the 7.11.10.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - The Spanning Tree protocol for the default group (STG 1) would flap once
    when VLANs were deleted from the switch configuration. (68065)
  - A crash could occur when clicking the "show log" tab under the Dashboard
    menu in the BBI. (LV302598/77085/86874)
  - An incorrect SSH return code (255), indicating an error, was returned even
    though the command executed successfully. The switch now returns 0 on
    successful completion of a command. (99036)
  - Fixed libxml2 vulnerabilities as reported in the CVE Advisories
    CVE-2017-8872, CVE-2017-9049 and CVE-2017-9050. (104768)
  - Addressed an issue in the login credential mechanism. (107614)
  - Support for the weak ciphers TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA and
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA has been removed. (109956/111620)
  - Fixed TCP vulnerabilities as reported in the CVE Advisory CVE-2017-6214.
    (113078)
  - Addressed non-configured community strings. (115054)
  - The switch's browser-based interface (BBI) was susceptible to cross-site
    scripting (XSS) and stored cross-site scripting vulnerabilities, as reported
    by the IBM security tool AppScan. (116507)

================================================================================

IBM RackSwitch G8052 Version 7.11.10.0 (Released May 2017)

** Changes since the 7.11.9.0 release **

Enhancements:
  none

Changes:
  - Support for TLS versions 1.1 and 1.0 has been deprecated. TLS version 1.2
    is now supported by default. (PSIRT ALIRT 10820) (72679)

Fixes:
  - The MTU value for a port in the output of the "show lldp info" command was
    incorrectly reported as 1522 instead of 9216. (73928)
  - The SSH server CBC mode ciphers and SSH weak MAC algorithms have been
    disabled.
    (75828)
  - The switch's browser-based interface (BBI) was reported to be missing the
    "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection"
    headers in the HTTP response when scanned by the web security tool IBM
    AppScan. (68381, 75827)
  - In a multicast environment, a switch acting simultaneously as a Last Hop
    Router (LHR) and an Intermediate Router (IR) would be unable to send traffic
    to LHR clients for a specific group. This happened when the switch had
    already received IR PIM joins for the same group, had started forwarding
    traffic towards the IR clients, and then received LHR IGMP joins for that
    group. (78192)
  - A crash would occur when the switch was scanned by the web security tool IBM
    AppScan while running a Recorded Login option. (90107)
  - HTTP requests sent by LXCA with a "/" URL would erroneously be rejected,
    causing the switch's GUI to fail to launch in LXCA. (92267)
  - Fixed zlib vulnerabilities as reported in the CVE Advisories CVE-2016-9840,
    CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843. (86800)
  - Fixed libxml2 vulnerabilities as reported in the CVE Advisories
    CVE-2016-4658 and CVE-2016-9318. (86808)
  - A switch, upon receiving a rogue OSPF LSA containing its own router ID with
    the maximum sequence number (0x7fffffff), would incorrectly respond with a
    fight-back LSA of its own database, as opposed to the rogue's LSA database.
    (92346)

================================================================================

IBM RackSwitch G8052 Version 7.11.9.0 (Released January 2017)

** Changes since the 7.11.8.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - A crash could occur when an OpenFlow port configuration (OFPT_PORT_MOD)
    message with an invalid port number (3712 or higher) was received by the
    switch. (69425)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisories
    CVE-2016-2183 (SWEET32) and CVE-2016-6329. The ciphers DES, 3DES and
    Blowfish are no longer supported.
    (66395)

================================================================================

IBM RackSwitch G8052 Version 7.11.8.0 (Released September 2016)

** Changes since the 7.11.7.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - The switch would fail to generate SNMP traps when STP had not stabilized
    for the default spanning tree group (STG 1) early at bootup. (51622)
  - The password for TACACS users could not be changed from the switch using
    the "primary-password" command when the "tacacs-server password-change"
    feature was enabled. (63530)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2016-2108
    (ALIRT LEN-7502). (55174)
  - Fixed a security vulnerability in the Linux kernel as reported in the CVE
    Advisory CVE-2015-8324. (57178)
  - Fixed security vulnerabilities as reported in the CVE Advisories
    CVE-2016-3705, CVE-2016-3627, CVE-2015-8806, CVE-2016-4447, CVE-2016-4449,
    CVE-2016-4448 (libxml2). (57176, 55781, 58942, 58943)

================================================================================

IBM RackSwitch G8052 Version 7.11.7.0 (Released June 2016)

** Changes since the 7.11.6.0 release **

Enhancements:
  none

Changes:
  none

Fixes:
  - Fixed a security vulnerability as reported in the CVE Advisory
    CVE-2015-8710 (libxml2). (49214)
  - The switch's browser-based interface (BBI) was susceptible to XSS (stored
    cross-site scripting) and CSRF (cross-site request forgery) vulnerabilities.
    The web security policy mechanism HSTS (HTTP Strict Transport Security) has
    been implemented on the BBI. (49409, 49427, 49471)
  - The switch's browser-based interface (BBI) would fail to honor the
    "cache-control=no-cache" directive and would still cache the pages. The
    value of the "cache-control" directive has been changed from "no-cache" to
    "no-store". (49475)
  - The switch could crash when enabling the HTTPS protocol while the switch
    was trying to connect to the VSI Manager.
    (50435)

================================================================================

IBM RackSwitch G8052 Version 7.11.6.0 (Released February 2016)

** Changes since the 7.11.5.0 release **

Enhancements:
  none

Changes:
  - The output of "show tech-support" now includes the isCLI commands as
    headers before their respective output. (38125)

Fixes:
  - Using Cisco ACS version 5.3 and above to authenticate users with the TACACS
    protocol could cause the user interface threads (SSHD, AGR, TNET, CONS) to
    be suspended forever, denying any further authentication with the TACACS
    protocol. (LV307694/7383)
  - The link would fail to come up when the port was configured with speed 100,
    full duplex, and auto-negotiation disabled. (38491)
  - Applying a switch configuration containing OSPF commands could fail with the
    message "Routed Port Interface corresponding area (index) 0 is not enabled"
    when pasting from a serial session. (7071)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2015-7575
    (SLOTH). (47856)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisories
    CVE-2015-3194, CVE-2015-3195. (46801)

================================================================================

IBM RackSwitch G8052 Version 7.11.5.0 (Released October 2015)

** Changes since the 7.11.4.0 release **

Enhancements:
  none

Changes:
  - The command "show flash-dump-uuencode" in the isCLI menu and its equivalent
    "/maint/uudmp" in the IBMNOS-CLI menu have been deprecated. The reference to
    these commands has been removed from the help tip that is shown at user
    login when a flash-dump exists on the switch. (XB282980)
  - Added the ability for users to enable/disable SNMP login/logout traps
    through the "[no] snmp-server loginout-trap" command. (38040)

Fixes:
  - The switch would fail to send ICMP TTL Exceeded messages back to the source
    when the incoming ICMP packet had a TTL of 1 and a destination address of
    the VRRP IP of the switch.
    As a side effect, traceroute between devices would fail if the VRRP IP of
    the switch was one of the hops in the path. (LV311922)
  - When configuring "qos bandwidth min" on a UFP port, the switch would
    incorrectly allow the sum of the minimum bandwidths to be less than 100%.
    (40181, 40295)
  - The switch could crash when the server was configured with more than 4 UFP
    vNIC functions per port (the switch only supports 4 vports). The switch will
    now shut down the vports when the mismatch occurs. (40296)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisories
    CVE-2015-1788 (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and
    CVE-2015-1792 (do_free_upto). (39415)

================================================================================

IBM RackSwitch G8052 Version 7.11.4.0 (Released July 2015)

** Changes since the 7.11.3.0 release **

Enhancements:
  none

Changes:
  - Added the ability to delete the SNMP read and write community strings with
    the introduction of two new commands, "no snmp-server read-community" and
    "no snmp-server write-community" respectively. (LV308180)
  - Additional debugs have been added to get more information about system
    queues and threads under maintenance mode. The output of "show mp thread"
    now includes information about the last command processed by each STEM
    thread. (LV311825)

Fixes:
  - The mapping between local and remote ports was incorrect when using the
    standard LLDP MIBs. The same was not true for the private LLDP MIBs
    (lldpInfoRemoteDevicesTable). (XB299432)
  - High CPU utilization could occur during topology changes when running the
    MSTP protocol in a multi-tier VLAG setup. (LV310542)
  - A VLAG failover due to the primary switch being reloaded could incorrectly
    cause the secondary switch to error-disable its VLAG ports. This could
    happen when the health check interface port number was higher than the ISL
    interface port number. (LV308603)
  - The switch could hang after deleting an IP interface that was associated
    with OSPF.
    (LV311901)
  - An SNMP MIB walk on both peers of a VLAG domain could cause the VRRP
    protocol to flap. (XB251897/XB253845)
  - Fixed a GLIBC vulnerability as reported in the CVE Advisory CVE-2013-7424
    (getaddrinfo()).
  - Fixed an OpenSSL vulnerability as reported in the CVE Advisory
    CVE-2015-0286 (ASN1_TYPE_cmp).

================================================================================

IBM RackSwitch G8052 Version 7.11.3.0 (Released April 2015)

** Changes since the 7.11.2.0 release **

Enhancements:
  none

Fixes:
  - FCoE sessions could flap due to high CPU utilization caused by the software
    flooding of Clear Virtual Links packets with an unknown destination MAC in
    the FCoE VLAN. (LV296464)
  - A missing space after the objects DHCPSnoopingCurCfgPortTableEntry,
    DHCPSnoopingNewCfgPortTableEntry, DHCPSnoopingCurCfgVlanTableEntry and
    MldNewInterfaceEntry in the Enterprise MIB would cause compile errors with
    certain MIB compilers. (XB280147)
  - A crash would occur when uploading a configuration to the switch if the
    configuration file had been edited to remove the leading Tab from the
    commands under the "vlan dot1q" menu. (LV299681)
  - The switch could fail to install an ARP entry for the static route or
    gateway, leading to ARP packets being flooded in the network. (LV301211)
  - Syslog messages would be lost after a reboot when the facility was set to
    an odd number using "logging host <1/2> facility". (LV299860)
  - Updated the Description clause of the SNMP object hwGlobalHealthStatus
    (.1.3.6.1.4.1.26543.2.7.7.1.3.1.15.0) to reflect the correct conditions for
    reporting the overall switch hardware status. (LV302298)
  - A software error recovery mechanism has been added to correct any hardware
    parity errors occurring in the switch VLAN_XLATE table.
    (LV307926)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisories
    CVE-2014-3572, CVE-2015-0204, CVE-2014-8275, CVE-2014-3570, CVE-2015-2808
    (Bar Mitzvah), CVE-2014-3505, CVE-2014-3506 (openssl), CVE-2014-3507 (same
    as 3506, d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before
    0.9.8zb), CVE-2014-3508 (openssl), CVE-2014-3509 (race condition in
    t1_lib.c), CVE-2014-3510 (openssl), CVE-2014-3511 (openssl). (LV304231,
    LV308279, XB293143)
  - Fixed security vulnerabilities as reported in the CVE Advisories
    CVE-2014-0191 (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2),
    CVE-2013-2566 (RC4 algorithm, TLS protocol), CVE-2015-0235 (GHOST/glibc).

Changes:
  - Extended the "[no] snmp-server link-trap port enable" command to
    disable/enable the link trap for multiple interfaces. (LV302420)
  - The temperatures for fan controls 88, 8a and 8c are no longer reported as
    part of the system health information, and their corresponding SNMP objects
    hwTemperatureSensor9 (OID .1.3.6.1.4.1.26543.100.100.14.37.0),
    hwTemperatureSensor10 (.1.3.6.1.4.1.26543.100.100.14.38.0) and
    hwTemperatureSensor11 (.1.3.6.1.4.1.26543.100.100.14.39.0) are no longer
    supported. (LV307683)

================================================================================

IBM RackSwitch G8052 Version 7.11.2.0 (Released January 2015)

** Changes since the 7.9.11.0 release **

Enhancements:
  none

Changes:
  - The source MAC addresses of protocol packets from LLDP, LACP, STP, PVRST
    and 802.1x are not learned by the switch. (LV301284)

Fixes:
  none

================================================================================

IBM RackSwitch G8052 Version 7.9.11.0 (Released September 2014)

** Changes since the 7.9.10.0 release **

Enhancements:

EasyConnect
-----------
Easy Connect is a feature that allows the user to easily apply a series of
customizable and canned configurations based on common deployment scenarios,
requiring little network administration or additional network design.
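The lldpRemManAddrTable fix listed under 7.11.12.0 above (117804) is about how an SNMP agent encodes a row's instance identifier: the LLDP-MIB defines five INDEX components for that table, and the last one, lldpRemManAddr, is a variable-length OCTET STRING, so it is encoded as a length arc followed by its octets. The following Python decoder is an added example written for this page, not IBM code or anything shipped with the switch; it assumes the standard LLDP-MIB layout (row OID 1.0.8802.1.1.2.1.4.2.1, AddressFamilyNumbers 1 = IPv4 and 2 = IPv6) and uses constructed sample OIDs. An operator polling a switch can use it to tell a correctly formed instance from the truncated two-index form the fix describes.

```python
"""Decode instance identifiers (OID index suffixes) of the LLDP-MIB
lldpRemManAddrTable (1.0.8802.1.1.2.1.4.2) and flag the truncated two-index
form.  Added example; the MIB layout is assumed and sample OIDs are constructed."""
import ipaddress
from dataclasses import dataclass

# lldpRemManAddrEntry is row 1 under the table OID quoted in the release notes.
LLDP_REM_MAN_ADDR_ENTRY = (1, 0, 8802, 1, 1, 2, 1, 4, 2, 1)
# AddressFamilyNumbers values carried in lldpRemManAddrSubtype (assumed).
AF_IPV4, AF_IPV6 = 1, 2


@dataclass(frozen=True)
class RemManAddrIndex:
    """The five INDEX components of lldpRemManAddrEntry, in MIB order."""
    time_mark: int        # lldpRemTimeMark
    local_port_num: int   # lldpRemLocalPortNum
    rem_index: int        # lldpRemIndex
    addr_subtype: int     # lldpRemManAddrSubtype
    addr: bytes           # lldpRemManAddr (OCTET STRING, SIZE 1..31)

    def address_text(self) -> str:
        """Render the management address for a syslog line or report."""
        if self.addr_subtype == AF_IPV4 and len(self.addr) == 4:
            return ".".join(str(b) for b in self.addr)
        if self.addr_subtype == AF_IPV6 and len(self.addr) == 16:
            return str(ipaddress.IPv6Address(self.addr))
        return self.addr.hex()


def parse_rem_man_addr_oid(oid: str):
    """Return (column, RemManAddrIndex) for a full lldpRemManAddrTable OID.

    Raises ValueError for an OID outside the table or with a malformed
    instance, including the two-index form described in fix 117804.
    """
    arcs = tuple(int(a) for a in oid.strip(".").split("."))
    n = len(LLDP_REM_MAN_ADDR_ENTRY)
    if arcs[:n] != LLDP_REM_MAN_ADDR_ENTRY or len(arcs) <= n:
        raise ValueError("not an lldpRemManAddrEntry column instance")
    column, instance = arcs[n], arcs[n + 1:]
    # Four integer indices, then lldpRemManAddr as a non-IMPLIED variable-length
    # OCTET STRING: one length arc followed by that many octet arcs.
    if len(instance) < 5:
        raise ValueError(
            f"truncated instance: {len(instance)} index arcs, expected "
            "lldpRemTimeMark.lldpRemLocalPortNum.lldpRemIndex."
            "lldpRemManAddrSubtype.<len>.<octets>")
    time_mark, port, rem_index, subtype, addr_len = instance[:5]
    octets = instance[5:]
    if not 1 <= addr_len <= 31 or len(octets) != addr_len:
        raise ValueError("lldpRemManAddr length arc does not match its octets")
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet arc out of range")
    return column, RemManAddrIndex(time_mark, port, rem_index, subtype,
                                   bytes(octets))


def build_rem_man_addr_oid(column: int, idx: RemManAddrIndex) -> str:
    """Inverse of parse_rem_man_addr_oid: the correctly encoded instance OID."""
    arcs = (*LLDP_REM_MAN_ADDR_ENTRY, column, idx.time_mark,
            idx.local_port_num, idx.rem_index, idx.addr_subtype,
            len(idx.addr), *idx.addr)
    return ".".join(str(a) for a in arcs)


def is_well_formed(oid: str) -> bool:
    """True when the OID carries all five indices in valid form."""
    try:
        parse_rem_man_addr_oid(oid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: column 4 of the row for a neighbour seen on local
    # port 5 whose management address is IPv4 10.0.0.1.
    good = "1.0.8802.1.1.2.1.4.2.1.4.0.5.1.1.4.10.0.0.1"
    col, idx = parse_rem_man_addr_oid(good)
    print(col, idx.address_text(), is_well_formed(good))
    # The form reported in 117804: only lldpRemTimeMark.lldpRemLocalPortNum.
    print(is_well_formed("1.0.8802.1.1.2.1.4.2.1.4.0.5"))
```

Running the module prints the decoded column, the address and True for the well-formed OID, then False for the truncated one; the same check can be applied to every OID returned by a walk of the table to confirm a firmware build encodes the index correctly.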
Changes:
  none

Fixes:
  - Changes to the configuration were denied with the error "Error: Ports x and
    y have the same LACP admin key but different link settings
    (speed/duplex/flowcontrol)." when links x and y with dissimilar cables (i.e.
    DAC and SFP+) were aggregated. (XB282364)
  - Secure-backdoor access to the switch via SSH failed when the configured
    remote RADIUS/TACACS authentication servers could be reached.
    (XB293743, XB294261)
  - Secure-backdoor and backdoor access to the switch via SSH failed to prompt
    for a username. (XB292116, XB293076)
  - A crash could occur when deleting ports from a VLAN if ARP entries had been
    learnt on that port for the VLAN. (XB291204)
  - A missing space after the objects DHCPSnoopingCurCfgPortTableEntry,
    DHCPSnoopingNewCfgPortTableEntry, DHCPSnoopingCurCfgVlanTableEntry and
    MldNewInterfaceEntry in the Enterprise MIB would cause compile errors with
    certain MIB compilers. (XB280147)
  - Absence of the fourth fan module would cause the switch to report the system
    health status as critical when polling the object hwGlobalHealthStatus.
    (XB292996)
  - A crash would occur after multiple failed attempts to log in via SSH or BBI
    if secure-backdoor was enabled and the configured remote RADIUS/TACACS
    authentication servers could be reached. (XB293746, XB292790)
  - Fixed OpenSSL vulnerabilities as reported in the CVE Advisories
    CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509,
    CVE-2014-3510, CVE-2014-3511. (XB293143)
  - Changes to the configuration were denied with the error "Error Ports ...
    have the same LACP admin key but different STP edge settings" after a
    non-existing VLAN was added to a port, if LACP and STP edge/portfast were
    both enabled on the port.
    (XB282083)

================================================================================

IBM RackSwitch G8052 Version 7.9.10.0 (Released July 2014)

** Changes since the 7.9.1.0 release **

Enhancements:
  None

Changes:
  - Internal debug usernames have been removed from the firmware to prevent
    potential backdoor access. (XB282666)

Fixes:
  None

================================================================================

IBM RackSwitch G8052 Version 7.9.1.0 (Released June 2014)

LACP Individual
---------------
When this feature is enabled on an LACP port-channel, if a member port of the
port-channel does not receive any LACP PDU over a period of time, it is treated
as a normal port, which may forward data traffic according to its STP state.

Service Location Protocol
-------------------------
Service Location Protocol provides a dynamic configuration mechanism for
applications in local area networks. Applications are modeled as clients that
need to find servers attached to any of the available networks within an
enterprise.

Auto VLAN Tagging on Trunk Ports
--------------------------------
This enhancement facilitates the process of adding trunk ports to VLANs by
automatically adding them to all VLANs in their allowed ranges. By default, all
VLANs are allowed on each port. When a port is configured as a trunk port, it is
automatically added to all VLANs in its allowed range. Also, when a new VLAN is
created, all trunk ports that have that VLAN in their allowed ranges are
automatically added to it.

VLAG-MSTP Enhancement
---------------------
This enhancement removes STP configuration restrictions, such as changing the
MSTP instance and VLAN associations, that were enforced in previous releases
when vLAG and MSTP were both enabled. The vLAG interswitch link ports are no
longer error-disabled when there is an MSTP region mismatch between the vLAG
switches; instead, a recurring warning message is generated for the duration of
the configuration mismatch.
STP Range enhancement
---------------------
This feature is an enhancement to the existing STP commands to support
configuration of a range of STP groups at a time.

IPv6 Health Check for VLAG
--------------------------
This release supports the use of an IPv6 address for the vLAG health check.

Static LACP Portchannel (LAG)
-----------------------------
This enhancement provides the capability to assign a fixed portchannel ID to two
or more ports having the same LACP administrative key, in order to prevent the
ports from forming multiple link aggregations that could create a loop if the
partner switch is misconfigured or the ports are miscabled. Ports that cannot be
aggregated into the portchannel are placed in the suspended state.

IBM-NOS CLI removal
-------------------
The IBM-NOS CLI is no longer supported as of this release. All switches boot up
with ISCLI. An existing NOS CLI configuration is still recognized and correctly
converted, to provide a smooth migration for customers who have a NOS CLI
configuration.

BGP Community Lite
------------------
This feature provides support for BGP community strings to be advertised in
updates to neighbors. The switch can be configured to attach a community string
to the route updates it sends to peers. In this release, the IBM switch does not
make any routing changes or alter the community string when receiving updates
with a community string attached.

Display BGP Routes
------------------
This feature provides an option to display the BGP routes that have been
advertised to a specific neighbor.
OpenFlow 1.3.1 Support
----------------------
Added support for OpenFlow Switch Specification Version 1.3.1, including but
not limited to the following key features:
  * Static LAG
  * MAC/IP masking
  * Flexible Table Miss and Fail Secure
  * Static CLI for Flow Programming
  * OpenFlow 1.0 backward compatibility

OpenFlow 1.3.1 Group support
----------------------------
In this release, support for OpenFlow groups in accordance with OpenFlow 1.3.1
has been added. Actions associated with flow entries can direct packets to a
group.

OpenFlow Support for LAG over Edge Ports
----------------------------------------
This feature allows the user to configure OpenFlow static LAG ports as edge
ports on the switch. A user can configure multiple OpenFlow LAG ports and
physical ports as edge ports as required.

sFlow support on OpenFlow ports
-------------------------------
This release adds sampling support for packets received on OpenFlow ports
configured for this feature. An sFlow server must be configured to be reachable
via a non-OpenFlow data port or the management port for this functionality to
work.

Password Fix-Up Mode
--------------------
Password Fix-Up Mode enables admin user account recovery if administrator access
is lost. This release adds the option to disable the password fix-up
functionality, letting the administrator of the switch decide whether Fix-Up
mode should be enabled, to address security concerns.

SNMP ACL
--------
This feature is an enhancement that adds access control for SNMP requests.

SNMP Trap Host
--------------
This feature implements the SNMP interface for getting and setting the SNMP host
configuration for traps.

ESN to SNMP
-----------
This feature enables SNMP access to the Electronic Serial Number of the switch.

IPv6 Counter enhancement
------------------------
This release adds CLI commands and corresponding SNMP MIB objects for IPv6
counters. The feature provides support for IPv6 neighbor cache table statistics
such as:
  * Current number of installed entries.
  * Maximum number of entries supported by the router.
  * High water mark of the IPv6 neighbor cache table.
  * Clear statistics.

IPSec over Virtual Links
------------------------
OSPFv3 over IPSec on virtual links is needed to complete NIST IPSec
certification for OSPFv3 traffic. IPSec is needed to secure IPv6 traffic. The
feature uses the IPv6 Authentication Header (AH) to provide authentication and
the IPv6 Encapsulating Security Payload (ESP) to provide authentication and
confidentiality for virtual link packets.

RMON Support (RFC1757, RFC2819)
-------------------------------
Remote network monitoring devices, often called monitors or probes, are
instruments that exist for the purpose of managing a network. This release
supports RMON for the Ethernet statistics, Ethernet history, alarm and event
groups.

Microburst
----------
A microburst is a packet burst that lasts several milliseconds (5 ms
granularity). The feature uses hardware support for microburst detection by
checking different counters when the hardware flag for interface congestion is
set. Every time a packet arrives, Ingress Admission Control checks a threshold
set on the ingress port. The threshold represents the maximum memory that a
port can use without congestion signaling. If this threshold is reached, a
corresponding bit for that port is set, signaling that the port is congested
(the source is transmitting more than the ingress port can handle).

QBG
---
Implements the IEEE 802.1Qbg standard, allowing server-network edge
virtualization, a uniform view of the VMs in the network hypervisors,
visibility of VM traffic, and automatic migration of port profiles.

Secure FTP
----------
This release adds support for Secure FTP (sFTP).

Layer 3 ARP Table full
----------------------
When the L3 ARP table is full, the switch generates a new trap message in
addition to the existing syslog message.
Use SSH public keys for up to 20 local switch users/admins
----------------------------------------------------------
This feature allows users to log in to the switch via SSH using public key
authentication instead of password authentication. When SSH is enabled, the
switch supports both password and public key authentication. The switch
supports up to 20 SSH public key users.

================================================================================

IBM RackSwitch G8052 Version 7.8.1.0 (Released December 2013)

New and Updated Features:
-------------------------

Full Private VLAN:
------------------
This feature supports Private VLAN configurations as described in RFC 5517.

Decoupling active VLANs from MSTP configuration:
------------------------------------------------
This feature decouples the VLAN configuration from the MSTP configuration and
changes the MSTP configuration menu to a simpler one. As a result, specifying a
mapping between VLANs and an MSTI does not create any VLANs, and the
participation of the VLANs in MSTP does not depend on the VLANs being created.

NIST SP 800-131A Compliance:
----------------------------
Added a mode of operation that forces the device to operate and secure network
operations in a manner fully compliant with the NIST SP 800-131A security
standard. Removed support for the obsolete cryptographic algorithms DES and
MD5, as well as protocols such as SSLv3, even in the non-compliant mode.

Use SHA-256 as default:
-----------------------
Set SHA-256 as the default and preferred hashing algorithm for all secured
network operations where applicable. This includes TLS certificates and cipher
suites with HMAC SHA-256 in TLS.

Security Enhancements:
----------------------
Updated the default protocols used for configuration to be secure. Devices use
secure protocols by default for configuration, for example SSH, HTTPS and
SNMPv3. Insecure protocols are disabled by default for configuration, for
example Telnet, HTTP and SNMPv1/v2.
Also added a default user whose password must be changed after the initial
login.

Remove Switch Type from login display:
--------------------------------------
Removed the Switch Type from the login display.

ACL6 Metering:
--------------
Added metering support for IPv6 ACLs, similar to the IPv4 ACLs.

OSPF 20 Areas:
--------------
Added support for up to 20 OSPF areas.

Increase Local Users:
---------------------
Added support for up to 20 local user accounts with different privilege levels.

syslog console and buffer severity:
-----------------------------------
This feature provides a mechanism to configure the severity level for log
messages displayed on the console as well as for the syslog messages stored
locally on the switch.

Fixes:
  - A security vulnerability existed in the TLS protocol versions TLS1.0 and
    earlier, in that an attacker could potentially discover the TLS session key.
    Added a configurable CLI option to restrict the minimum allowable TLS
    protocol version, from TLS1.0 through TLS1.2, so that the user can avoid the
    vulnerability described in CVE-2011-3389 by selecting a higher protocol
    version that is not vulnerable to the attack (TLS1.1 and above).

========================================================================================

IBM RackSwitch G8052 Version 7.7.8.0 (Released December 2013)

** Changes since the 7.7.5.0 release **

Enhancements:
  None

Changes:
  - A security vulnerability existed in the TLS protocol versions TLS1.0 and
    earlier, in that an attacker could potentially discover the TLS session key.
    To prevent this, a configurable CLI option was added to restrict the minimum
    allowable TLS protocol version, from SSLv3 through TLS1.2. (CVE-2011-3389)

Fixes:
  - A crash would occur when routing packets to an unreachable IPv6 gateway.
    (68081)
  - A crash would occur during TACACS+ authentication when receiving optional
    attributes (during the authorization stage).
    (68473)
  - With Layer-2 Failover configured, data traffic would momentarily be
    interrupted while transitioning from the active port to the standby port
    during a failover. (XB172186, XB222079)
  - The ACL logging feature would not report incoming packets that matched an
    ACL qualified by a TCP or UDP destination port. (XB208108)
  - A crash would occur if a data port was used to upload a file to an FTP
    server, if the file already existed on the server with read-only access
    permissions. (XB209257)
  - A crash would occur if the traceroute command was executed with an IPv6
    address specified and no IPv6 management interfaces were configured.
    (XB215717)
  - Connecting to a Secure FTP server using a human-readable hostname would fail
    (it would only work when an IP address was explicitly specified). (XB216488)
  - A crash would occur if a ping was issued to a random host name and an IPv6
    DNS server was unreachable or non-existent. (XB216882)
  - A crash would occur during a second attempt to authenticate a user via an
    unreachable or non-existent LDAP server. (XB217674)
  - In a VRRP topology, when the Nessus security-scanning tool performed the
    "failed login" test via SSH, the VRRP process on the backup switch could
    fail to receive advertisement packets from the VRRP master within the
    specified threshold, leading to an oscillation between the master and backup
    states. (XB217716)
  - A crash would occur if a TFTP upload or download was attempted and no IPv6
    interfaces were configured. (XB218041)
  - The switch's Browser-based Interface (BBI) was vulnerable to attacks by web
    scanning tools, potentially resulting in crashes. (XB218795)
  - Invalid TCP packets (e.g., having both the SYN and FIN flags set) received
    by the switch were not discarded, resulting in a potential security
    vulnerability. (XB220985)
  - A crash would occur when performing an SNMP Get operation on index 128 of
    the stpInfoPortTable object.
    (XB249428)

========================================================================================

IBM RackSwitch G8052 Version 7.7.5.0 (Released August 2013)

** Changes since the 7.7.3.0 release **

Enhancements:
  None

Changes:
  - Dynamic link aggregation (LACP) ports that are not able to converge with
    their peer ports now result in a link-down state. This occurs when ports
    configured as members of an LACP trunk are connected to non-LACP ports.
    This is expected behavior. When connecting different IBMNOS products using
    LACP ports, it is recommended to install matching firmware versions (e.g.,
    7.7.5) on each device to ensure matching LACP behavior.

Fixes:
  - Inefficiencies in the SNMP-processing code could result in high CPU
    utilization, SNMP client time-outs, protocol flaps, or a switch reset by the
    hardware watchdog. (66769, 70649)
  - User-configured ACL Deny rules were not being respected for packets with a
    Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively).
    (69126 / XB202484)
  - A prolonged period of high CPU utilization could lead to protocol-thread
    starvation. In one such case, LACP PDUs were not being sent by the CPU,
    leading to the breakdown of the LACP trunk forming the ISL in a vLAG
    topology. The ISL trunk ports that had previously been in the STP Discarding
    state would then errantly go into the Forwarding state, resulting in
    flooding of STP BPDUs into the network and an inevitable network loop.
    (70887)
  - The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in
    SNMP walks being stuck indefinitely at that point. (71785)
  - Disabling LACP (from the peer device) on a member port of an LACP trunk that
    also had STP disabled would result in the port being errantly displayed as
    FORWARDING in the output of the "show spanning-tree stp" command (and via
    the BBI), when in fact the port was in the BLOCKING state (as designed).
(71805, 71822) - Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841) - With STP in PVRST mode and with a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844) - A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749) - Attempting to set port speed via the CMM would fail. (XB171317) - If the CMMs had "Failover on Physical Network Link" enabled (default), and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285) - An IP address could not simultaneously be configured as a global DHCP server address, and a broadcast-domain DHCP server address. (XB172381) - A crash would occur while handling an SNMP “Get” Request for the Object that contains UFP information pertaining the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919) - NTPv3 authentication information was being added to outgoing NTP Client Requests, even when authentication was disabled on the Switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e,, not respond to the Client Requests). (XB204541) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. 
(XB205895) - If the switch's Hostname was used to access the switch via BBI (i.e., relying on DNS instead of inputting the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876) =============================================================================== IBM RackSwitch G8052 Version 7.7.3.0 (Released, June 2013) Enhancements: Enhanced Password security -------------------------- This feature provides stronger login enforcements for userIDs and password by forcing the local user passwords to be case sensitive, 8-64 character mix of uppercase letters, lowercase letters, numbers, and special characters, including at least one of each. DHCP Option 7 and option 12 --------------------------- These features enhance the DHCP client support on the switch to support Option 12 which defines the configuration of hostname and Option 7 which is used to get the syslog server address from DHCP server. Duplicate IP Detection ---------------------- The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address. OpenFlow 1.0 ------------ OpenFlow support has been added in this release, with an increase of 1K to 2K ACL support. Hotlinks + STP -------------- In prior releases, STP needs to be disabled globally when Hotlinks feature is configured. This feature removed this limitation of having to globally disable STP. BGP multipath relax ------------------- This functionality allows load balancing across different autonomous system paths that have equal AS path length. TAGIPVID -------- Enable outer vlan tag insertion at the port ingress direction. 
With this capability, the handling of outer tag could become symmetric for both directions (ingress and egress) and for both untagged and single tagged packet (inside switch, it becomes single tagged and double tagged respectively). Fixes: - A Security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149). =================================================================================== Rackswitch G8052 Firmware version 7.6.3.20 (released October 2013) ** Changes since the 7.6.3.10 release ** Enhancements: None. Changes: None. Fixes: - Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649) - A crash would occur when routing packets to an unreachable IPv6 gateway. (68081) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749) - BGP neighborship sessions would flap when receiving BGP route messages that contained community attributes (XB194426) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895) - The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108) - A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions. (XB209257) - A crash would occur if the traceroute command was executed with an IPv6 address specified, and no IPv6 management interfaces were configured. (XB215717) - A crash would occur if a ping was issued to a random host name, and an IPv6 DNS server was unreachable or non-existent (XB216882) - A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. 
(XB217674) - A crash would occur if a TFTP upload or download was attempted, and no IPv6 interfaces were configured. (XB218041) - The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795) - A crash would occur when receiving a random sequence of IGMPv3 reports that were interleaved from different Multicast receivers. (XB219263) - Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985) ====================================================================== Rackswitch G8052 Firmware version 7.6.3.10 (released July 2013) ** Changes since the 7.6.3.0 release ** Enhancements: None. Changes: None. Fixes: - A Security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149) =================================================================================== Rackswitch G8052 Firmware version 7.6.3.0 (released February 2013) ** Changes since the 7.6.1.0 release ** Enhancements: None. Changes: - Added support for power supplies that meet the new China Compulsory Certificate (CCC) requirements for altitude and humidity. (68354) Fixes: None. =================================================================================== Rackswith G8052 Firmware version 7.6.1.0 (released December 2012) New and Updated Features ======================== BGP Route Reflection: --------------------- Route Reflection is a technique to avoid a large number of sessions between IBGP peers. In this release, support for RFC4456 (BGP Route Reflection - An Alternative to Full Mesh Internal BGP (IBGP)) has been added. 
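The Duplicate IP Detection feature introduced in 7.7.3.0 (above) is a gratuitous ARP probe followed by a check of any ARP reply. The following is an added illustration of that mechanism, not switch firmware code: it builds the probe frame, parses an ARP reply, and produces the syslog text when another MAC answers for the switch's own address. All MAC and IP addresses are constructed, and the syslog wording is assumed.

```python
"""Duplicate IPv4 detection via gratuitous ARP (added example, not IBM code).
Frame layout follows IEEE 802.3 + RFC 826; addresses below are constructed."""
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_gratuitous_arp(own_mac: str, own_ip: str) -> bytes:
    """Gratuitous ARP request: sender IP == target IP == our own address,
    target MAC zeroed, sent to the Ethernet broadcast address. A host that
    already owns the address will answer with an ARP reply."""
    eth = BROADCAST + _mac(own_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # Ethernet/IPv4
    arp += _mac(own_mac) + _ip(own_ip) + b"\x00" * 6 + _ip(own_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ".".join(map(str, frame[28:32])),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": ".".join(map(str, frame[38:42])),
    }


def check_duplicate(frame: bytes, own_mac: str, own_ip: str) -> Optional[str]:
    """If `frame` is an ARP reply claiming our own IP from a different MAC,
    return the syslog text (assumed wording); otherwise None."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REPLY:
        return None
    if arp["sender_ip"] != own_ip or arp["sender_mac"] == own_mac.lower():
        return None
    return (f"Duplicate IP address detected: {arp['sender_ip']} is also in use "
            f"by MAC {arp['sender_mac']}")


def build_arp_reply(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Constructed reply as the conflicting host would send it (test input)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac(src_mac) + _ip(src_ip) + _mac(dst_mac) + _ip(dst_ip)
    return eth + arp


if __name__ == "__main__":
    MY_MAC, MY_IP = "00:11:22:33:44:55", "192.0.2.10"   # constructed
    probe = build_gratuitous_arp(MY_MAC, MY_IP)
    reply = build_arp_reply("aa:bb:cc:dd:ee:ff", MY_IP, MY_MAC, MY_IP)
    print(check_duplicate(reply, MY_MAC, MY_IP))
```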
SNMP: Support for 8 Read-Only and Read-Write communities:
---------------------------------------------------------
This release adds support for 8 read-community names (Read-Only) and 8 write-community names (Read-Write) with SNMPv1 and SNMPv2.

RFC5340: OSPF For IPv6:
-----------------------
The switch was previously compliant with RFC2740. Starting with this release, the switch is compliant with RFC5340, which supersedes RFC2740.

NTP Client Display Improvements:
---------------------------------
The Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet. With the NTP service enabled, the switch can accurately update its internal clock to be consistent with other devices on the network. In this release, the "show ntp" command has been updated with such details as clock offset, stratum, and reference clock. Also in this release is a dampening of the number of syslog messages generated when the system clock is updated or if NTP synchronization fails.

Cisco-like CLI:
---------------
As part of this change, some existing ISCLI commands have been modified to look more like those in Cisco's IOS. The commands chosen for modification in this release are ones frequently used for VLAN, Port, and STP configuration. With these changes, those familiar with the Cisco IOS CLI can more readily configure the IBM NOS VLAN, Port, and STP modules.

===============================================================================
RackSwitch G8052 Version 7.2.4.0 (Released June 2012)

** Changes since the 7.2.3.0 release **

Enhancements:
- Added the ability to monitor, per Port and per QoS queue, the number and rate of packets and octets transmitted and discarded. (57359)

Changes: None.

Fixes:
- MAC synchronization would not complete successfully after reloading any of the switches in a multi-tier vLAG topology. (56939, 59727)
- VLANs could not be added or deleted on vLAG ports without first disabling vLAG. This has been fixed in this release for PVRST mode only. This will be fixed for MSTP in a future release. (57336)
- Early implementations of vLAG used TCP port 13000 to represent vLAG health-check packets. This would cause other applications that used this port (e.g., Traceroute) to fail, even in a non-vLAG topology. (57885)
- False "L3 table is full" messages could be displayed when the Switch ASIC is adding ARP entries. (58480, 60362, 60481)
- The 'intfInfoAddr' and 'intfInfoNetMask' SNMP MIB objects contained invalid data for IPv6 interfaces. (59132)
- VM Association ACLs would become invalid if the "copy active-config running-config" command was run. (59328)
- An "HTTP 405" error would occur when attempting to enable Layer-2 failover via the BBI. (59898)
- QSFP+ transceivers would not be recognized after removal and reinsertion. (60067)
- A CIST topology change could occur when uploading a tech-support file when over 2000 MSTP instances were configured. (60076)
- SNMP traps were not being sent for NTP "clock updated", NTP "server unreachable", and 802.1x events. (60203)
- On a forwarding LACP-member port for which CIST was disabled, the STP state in hardware would remain Blocking after recovering from a link flap. (60375)
- With static ECMP routes configured, disabling any of the associated IP interfaces would cause its routes to be removed from all other interfaces for which those routes were configured. (60430)
- Performing an SNMP Walk on the IPv6 Routing table could lead to a corruption of the CPU's packet-buffer pool, leading to an inability of the CPU to further receive IPv6 packets. (60486)
- vLAG switches would errantly forward IGMP messages (Reports, Leaves, and Joins) across the ISL on VLANs for which IGMP snooping was disabled. (60545)
- Reserved IP Multicast packets would not be forwarded if flooding and IP routing were disabled. (60563)
- The sequence of disabling then enabling vLAG (globally or per-instance) could lead to the swapping of the Trunk IDs of LACP trunks, but with the hardware FDB still reflecting the previous IDs. This could lead to the flooding of vLAG traffic to non-vLAG ports. (60673)
- When a vLAG instance was removed from an underlying static trunk, all of the ports in the trunk would go into the STP Discarding state. (60736)
- In a vLAG topology with the vLAG switches running in MSTP mode, and the corresponding Access switch running in PVRST mode, the sequence of disabling then enabling vLAG on the Primary switch would cause the vLAG ports of the Secondary switch to go into the STP Discarding state. (60837)
- The NTP primary server IP address would be replaced with the word 'key' if the invalid command 'ntp primary-server key [x]' was invoked from ISCLI. (60900)
- If two LLDP PDUs were received from the same source on two different ports within the time specified by the TTL TLV of the first PDU to arrive, 4KB of CPU memory would be lost (i.e., not returned to the global memory pool) while processing the second PDU. Over time, this condition could lead to CPU memory exhaustion, and a reset by the switch's Memory Monitor. (61108)
- MAC synchronization would not complete successfully after a topology change occurred in a vLAG configuration. (61305)
- Repetitive use of the isCLI "pipe" option would result in a memory leak. Over time, this could lead to CPU memory exhaustion, and a reset by the switch's Memory Monitor. (61623)
- The "terminal-length 0" setting would not be respected when using the isCLI "pipe" option. (61751)
- A crash could occur when receiving IP packets with the TCP port 11000. (61786)

===================================================================================
RackSwitch G8052 Version 7.2.3.0 (Released May 2012)

** Changes since the 7.2.2.0 release **

Enhancements: None.
Changes: None.
Fixes:
- In a vLAG pair, if the vLAG port on the Primary switch was down while the Secondary switch was rebooted, the vLAG port on the Secondary switch would remain in the DISC/DESG state after boot-up. (59735)

===================================================================================
RackSwitch G8052 Version 7.2.2.0 (Released April 2012)

** Changes since the 7.2.1.0 release **

Enhancements: None.
Changes: None.

Fixes:
- Stack traces produced by Memory-Monitor resets were inaccurate. (59210)

===================================================================================
RackSwitch G8052 Version 6.8.10.0 (Released July 2012)

** Changes since the 6.8.9.0 release **

Enhancements: None.
Changes: None.

Fixes:
- A security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149).

=====================================================================
RackSwitch G8052 Version 6.8.9.0 (Released June 2012)

** Changes since the 6.8.2.0 release **

Enhancements:
- Added the ability to configure the BBI refresh rate. (59008)

Changes:
- The LLDP "Port and Protocol VLAN ID" and "VLAN Name" optional TLVs are now disabled by default. (56041)
- Previously, when a PIM Rendezvous Point became unreachable, a PIM Join message would be sent on the alternate path after a 10-second timeout. To improve the failover time, PIM will now send a Join on the alternate path immediately after being notified of the lost route by the Unicast Routing Table. (CR 56265)
- Syslogs are now displayed most-recent first in the BBI. (59008)

Fixes:
- Some multicast packets would be lost by existing IGMP receivers if a new receiver registered for the same Group and VLAN, or a receiver already registered for the same Group and VLAN would leave (due to a Leave or a port-down event). (44857)
- The SNMP "swTempReturnThreshold" trap would not be generated when returning to the normal operating range after previously exceeding the temperature-warning threshold. (50510)
- The "show ip route counters" command could display more than the actual number of ECMP routes after performing the "interface enable/disable" command sequence in a topology with indirect next-hop routes. (52271)
- BGP peer connections would be lost when receiving update packets with the community attribute containing transitive temporary flags. (52595)
- A crash could occur after receiving an STP BPDU with an invalid STG instance number. (52947)
- In a multi-ECMP configuration, only one non-best ECMP route would be displayed in the routing table after adding a static route to the same destination. (54641)
- Static Multicast routes were not removed from the IP Multicast table after deleting them from the running configuration. (54901)
- The switch would erroneously allow the configuration of a TACACS+ password greater than the maximum length of 32 characters. (55007)
- Ping requests would not be sent on a port which had previously been removed from an LACP Trunk. (55234)
- A crash would occur if the "show running-config" command was issued after a login notice greater than 1024 characters was previously configured. (55417)
- The SNMP and TACACS+ CoPP queue priorities were not being respected when PIM was enabled. (55642)
- High CPU utilization could occur if IGMP packets were received while IGMP was not configured and VLAN flooding was disabled. (55647)
- A crash would occur when using the Nmap/Zenmap port-scanning tools with the "intense udp scan" option. (55771)
- IP Multicast traffic in groups that had been learned via IGMPv3 Reports was no longer forwarded after a General Query was received on the same port and the multicast groups had expired. (55923)
- The switch was not being recognized as a Remote Device by Juniper MX480 Routers when LLDP was enabled. (56041)
- Momentary packet discards would occur within a VLAN when removing ports from that VLAN. (56304)
- The "Object Identifier" field in the output of the "/i/l2/lldp/remodev" command could sometimes appear garbled. (56426)
- STP flapping could occur when receiving unregistered multicast traffic for a VLAN configured with Flooding disabled, or Optimized Flooding enabled. (56489, 56970)
- The "Total entries" parameter displayed via the "show ip igmp mrouter" command was being double-counted if static multicast routers were configured on Trunks. (56788)
- Using any of the "include", "exclude", "section", or "begin" CLI filtering options with commands that require user confirmation to proceed (e.g., "show tech" and "show counters") would result in a hang of the terminal session. (56840)
- Enabling the sFlow feature could lead to a CPU packet-buffer leak that over a prolonged period of time would eventually lead to a loss of control-plane protocols that are dependent on the CPU, and an inability to manage the switch (via Telnet, SSH, SNMP, etc.). (57045)
- Multicast routers previously learned via PIM Hello packets would not expire after receiving PIM Hello packets updated with a new multicast-router source-IP address. (57249, 55588)
- The SNMP 'altTeamingTriggerUp' and 'altTeamingTriggerDownTraps' were not included in the Enterprise MIB, resulting in the traps being unrecognized by SNMP Management software. (57311)
- A memory leak existed when receiving LLDP DCBX v1 packets, such that over time it could lead to complete memory exhaustion and an eventual reset by the Switch's Memory Monitor. (57389)
- A crash could occur while processing invalid or unsupported LLDP DUs. (57438)
- Enabling the sFlow feature could lead to a crash. (58016)
- After 4 failed SSH login attempts when the user-authentication server (TACACS or RADIUS) is unreachable, memory exhaustion could occur if continuous connection attempts were made in rapid succession from an SSH client before the configured authentication timeout was reached. (58263)
- The "operational-enable" option for the "no system service-led" configuration command was missing, making it impossible to disable the Service LED from isCLI mode. (58485)
- Attempting to configure an IPsec 3DES key beginning with "00" would fail. (55362)
- User-configured IPv6 interfaces could fail to initialize during reboot. (58970)
- The IPv6 Conformance Test for Path MTU Discovery would fail after rebooting the switch. (53604)
- The ARP database was not being updated upon Station Moves, resulting in Layer-3 traffic not being re-routed to the new switch port. (56437)
- Routed traffic would not resume after performing the "shut/no shut" command sequence on active links. (56438)
- Syslog events would not be generated after downloading a configuration file via the "copy tftp running-config" command. (58841)
- IGMP Reports would be lost if unregistered IP Multicast traffic was simultaneously being received at a rate greater than 500Mbps. (58984)
- When traffic was mirrored to multiple Mirror ports, some packets would be lost if the traffic being received on the Monitor ports was a mix of Broadcast and Unicast. (59168)
- Stack traces produced by Memory-Monitor resets were inaccurate. (59210)
- Instances of the escape character '\' in the System Notice were not explicitly being stored in the configuration file, leading to an "Invalid input detected" error during reboot, and the user-configured message missing from the running configuration. (59926)
- After changing the LACP mode from "active" to "off", MAC addresses previously learned on that trunk were not being flushed from the FDB. (60094)
- When receiving frames with the Broadcast destination address at a rate greater than 100Mbps, DNS Resolution Requests would fail. (60537)
- Reserved IP Multicast packets would not be forwarded if flooding and IP routing were disabled. (60563)
- A user could inadvertently configure more Multicast groups than are supported. (60770)
- In a case where more than 2000 IGMP groups are installed, if multiple IGMP Query packets are received simultaneously on two ports in the same VLAN, some may not be processed. (60855)
- A loopback interface configured as the Source Address of an NTP server could inadvertently be deleted. (60936)
- UDLD PDUs received on a port that is a member of an LACP trunk, and on which UDLD was disabled, would errantly be accepted, leading to the port being set to the "Error Disabled" state. (60945)
- After disabling MAC Learning via the "no learning" command, MAC addresses previously learned on an LACP trunk would not be flushed from the FDB. (61026)
- If two LLDP PDUs were received from the same source on two different ports within the time specified by the TTL TLV of the first PDU to arrive, 4KB of CPU memory would be lost (i.e., not returned to the global memory pool) while processing the second PDU. Over time, this condition could lead to CPU memory exhaustion, and a reset by the switch's Memory Monitor. (61108)
- After changing the SSH port number via the "ssh port " command, active SSH sessions were not being terminated as expected. (61140)
- If, during reboot, a timezone other than the default was explicitly configured, the time reflected in the "Booting complete" message would not use the configured timezone, resulting in an inaccurate boot-complete time being displayed (and possibly earlier than the prior "Resetting at" time). (61266)
- After adding a static IP Multicast entry to a Port/VLAN, multicast traffic that was previously being forwarded to Mrouter ports in the same VLAN would no longer be forwarded. (61487)
- If an LACP trunk had ports in multiple Spanning Tree groups, and two or more ports in the trunk were not in the same forwarding state (e.g., during boot-up, or after issuing the "shut/no shut" command sequence), any static Mrouter configuration for that trunk would "error out" and be lost (i.e., the Mrouter entries would not be installed). (61529)
- If a user had logged in with a TACACS user ID of the maximum allowable length and then disabled TACACS, a crash would occur upon logging out. (61691)
- Repetitive use of the isCLI "pipe" option would result in a memory leak. Over time, this could lead to CPU memory exhaustion, and a reset by the switch's Memory Monitor. (61623)
- When displaying the IGMP table simultaneously via Telnet and Console sessions, the Telnet session would be disconnected. (61747)
- The "terminal-length 0" setting would not be respected when using the isCLI "pipe" option. (61751)
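Fix XB220985 (listed under 7.7.5.x and 7.6.3.20 above) concerns TCP segments whose flag combination can never occur in a legitimate exchange, such as SYN together with FIN, which the control plane should discard before any further processing. The following is an added example, not switch firmware code, of the sanity check a receiver performs: it reads the flag byte of a raw TCP header and classifies the conventional RFC 793-derived invalid combinations, of which the changelog names only SYN+FIN. The sample headers are constructed.

```python
"""Flag-combination sanity check for received TCP segments (added example,
not IBM code). The rule set generalizes the SYN+FIN case named in XB220985."""
import struct
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def tcp_flags(segment: bytes) -> int:
    """Extract the six classic flag bits from a raw TCP header (min 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def flag_str(flags: int) -> str:
    return "+".join(n for b, n in FLAG_NAMES.items() if flags & b) or "NULL"


def classify(flags: int) -> Tuple[bool, str]:
    """Return (discard, reason). Accepted: SYN, SYN+ACK, RST[+ACK], and any
    ACK-bearing segment (with or without PSH/FIN/URG)."""
    if flags == 0:
        return True, "no flags set"
    if flags & SYN and flags & FIN:
        return True, "SYN and FIN both set"
    if flags & SYN and flags & RST:
        return True, "SYN and RST both set"
    if not flags & (SYN | RST | ACK):
        return True, "data/close segment without ACK"
    return False, "ok"


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte header for test input (seq/ack/window are fixed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)


def filter_segments(segments: List[bytes]) -> Dict[str, List[str]]:
    """Apply the check to received segments; returns accepted and discarded
    lists, each entry labelled with its flags and the decision reason."""
    result: Dict[str, List[str]] = {"accepted": [], "discarded": []}
    for seg in segments:
        flags = tcp_flags(seg)
        discard, reason = classify(flags)
        result["discarded" if discard else "accepted"].append(f"{flag_str(flags)}: {reason}")
    return result


# Constructed sample: two normal segments and three non-conforming ones.
SAMPLE = [
    build_tcp_header(40000, 22, SYN),              # normal connection attempt
    build_tcp_header(40000, 22, ACK | PSH),        # normal data segment
    build_tcp_header(40001, 22, SYN | FIN),        # the XB220985 case
    build_tcp_header(40002, 22, 0),                # no flags at all
    build_tcp_header(40003, 22, FIN | PSH | URG),  # close/data without ACK
]

if __name__ == "__main__":
    for bucket, labels in filter_segments(SAMPLE).items():
        print(bucket, labels)
```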