FIRMWARE CHANGE HISTORY
-----------------------

IBM Flex System Interconnect Fabric version 7.8.24.0 (Released October 2019)

** Changes since the 7.8.23.0 release **

Enhancements: none

Changes: none

Fixes:
- A crash could occur when receiving a packet with invalid SSL/TLS information. (180641)
- Fixed vulnerabilities in the Linux kernel as reported in the CVE Advisories CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. (177635)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.23.0 (Released July 2019)

** Changes since the 7.8.22.0 release **

Enhancements: none

Changes: none

Fixes:
- Telnet and SSH to the switch would fail if the system notice was configured to have a length greater than 1970 characters. (167658)
- Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory CVE-2018-0734. (175714)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.22.0 (Released March 2019)

** Changes since the 7.8.21.0 release **

Enhancements: none

Changes: none

Fixes:
- A crash could occur with the syslog "INFO mgmt: FLASH ERROR - invalid address used" when configuration was applied to the switch. (145523/149354/149356)
- Protocols would flap and the switch would experience high CPU utilization when the switch was scanned by Qualys software. (146840)
- Switch could crash when changing the switch Management IP address under heavy CPU utilization conditions, while receiving continuous traffic on the Management Port. (147023)
- Spanning tree group (STG) instances could not be configured from the BBI interface of the switch. (161182)
- Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory CVE-2018-0732. (147029)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.21.0 (Released October 2018)

** Changes since the 7.8.19.0 release **

Enhancements:
- The switch tech-support now includes the information of the Broadcom SDK threads spawned by the switch. (123029)

Changes: none

Fixes:
- A crash could occur when the switch was scanned for vulnerabilities by the Rapid7 security tool or a Nessus scan, or when the CLI commands "no ssh enable" or "no access netconf ssh enable" were executed after the scan. (133904/138760)
- Fixed vulnerabilities in the TLS protocol as reported in the CVE Advisory CVE-2014-8730. (80866)
- Switch no longer supports the Diffie-Hellman key exchange algorithm in strict security mode. (143643)
- Enhanced the BBI session default user password reset framework. (135949/135951)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.20.0 (Released June 2018)

** Changes since the 7.8.19.0 release **

Enhancements:
- A syslog will now be logged
  - when port statistics are cleared from the UI, for example using the CLI commands 'clear counters' or 'clear interfaces'.
  - when the flash dump is cleared, for example using the CLI command 'clear flash-dump'. (121539)

Changes: none

Fixes:
- Switch could crash when trying to view the recently applied configuration by clicking on the Diff option on the main page through the BBI interface. (125655)
- Member switches (SI4093's) in a stockcar solution would publish the management address assigned from the CMM in their LLDP Management TLV instead of the IP address configured on the Stack Master (Master G8264CS). (123783)
- Fixed libxml2 vulnerabilities as reported in the Advisories CVE-2016-5131, CVE-2017-15412, CVE-2017-16932, CVE-2017-5130. (124059)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.19.0 (Released February 2018)

** Changes since the 7.8.18.0 release **

Enhancements: none

Changes: none

Fixes:
- Servers could lose connectivity with the storage when new VLANs were added on uplink ports. (118197)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.18.0 (Released November 2017)

** Changes since the 7.8.17.0 release **

Enhancements: none

Changes:
- In a stacking configuration, the output of the command "show lldp information" is now included in the tech-support. (92332)

Fixes:
- Spanning Tree protocol for the Default Group STG 1 would flap once when deleting VLANs from the switch configuration. (68065)
- Switch would lose configuration saved as "switchport trunk allowed vlan ..." after reload, if the configuration had VLANs greater than 999. (95123)
- In a stacking configuration, after stack master failover/failback, the error message "bcm_vlan_stp_set : Entry not found[-7] at file nt_bcm_vlan.c line 511" was displayed on the switch console when creating VLANs using the "vlan" command. (99004)
- An incorrect SSH return code (255) indicating an error was returned even though the command executed successfully. It now returns 0 indicating success upon successful completion of a command. (99036)
- Switch could crash when accessing the FDMI DB webpage, located at Dashboard (on the home page) -> FC/FCOE (opens a new tab) -> FC/FCOE -> FDMI DB, through the BBI interface. (99716)
- When SLP was enabled, the error messages "alloc_fd find_free_fd failed find_free_fd full" would be displayed on the switch console when multiple VLANs were created using the "vlan" command. (104194)
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2017-8872, CVE-2017-9049 and CVE-2017-9050. (104768)
- Addressed an issue in the login credential mechanism. (107614)
- Support for the weak ciphers TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA has been removed. (109956/111620)
- Fixed TCP vulnerabilities as reported in the CVE Advisory CVE-2017-6214. (113078)
- Addressed non-configured community strings. (115054)
- The switch's browser based interface (BBI) was susceptible to the security vulnerabilities cross-site scripting (XSS) and stored cross-site scripting, as reported by the IBM security tool AppScan. (116507)
- Switch would crash when the command "show mp thread" was executed before any syslog messages had been logged by the switch, or if logging was completely disabled on the switch. (117304)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.17.0 (Released May 2017)

** Changes since the 7.8.16.0 release **

Enhancements: none

Changes:
- Support for TLS versions 1.1 and 1.0 has been deprecated. TLS version 1.2 is now supported by default. (PSIRT ALIRT 10820) (72679)

Fixes:
- The MTU value for a port in the output of the "show lldp info" command was incorrectly reported as 1522 instead of 9216. (73928)
- The SSH Server CBC Mode Ciphers and SSH Weak MAC Algorithms have been disabled. (75828)
- A crash could occur when scanned by the nmap security scanner if SLP was enabled on the switch. (84660)
- The switch's browser based interface (BBI) was reported to be missing the "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection" headers in the HTTP response when scanned by the web security tool IBM AppScan. (68381, 75827)
- In a multicast environment, a switch acting simultaneously as a "Last Hop Router" (LHR) and an "Intermediate Router" (IR) would be unable to send traffic to LHR clients for a specific group. This happens when the switch has already received IR PIM joins for the same group, started forwarding traffic towards the IR clients and then receives LHR IGMP joins for that group. (78192)
- A crash would occur when scanned by the web security tool IBM AppScan while running the Recorded Login option. (90107)
- HTTP requests sent by LXCA with a "/" URL would erroneously be rejected, causing the switch's GUI to fail to launch in LXCA. (92267)
- A crash could occur when clicking the "show log" tab under the Dashboard menu when using the BBI. (LV302598/77085/86874)
- Fixed zlib vulnerabilities as reported in the CVE Advisories CVE-2016-9840, CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843. (86800)
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2016-4658 and CVE-2016-9318. (86808)
- A switch, upon receiving a rogue OSPF LSA containing its own router ID with a maximum sequence number (0x7fffffff), would incorrectly respond with a fight-back LSA of its own database, as opposed to the rogue's LSA database. (92346)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.16.0 (Released January 2017)

** Changes since the 7.8.15.0 release **

Enhancements:
- SHA1 authentication has been extended on the switch, enabling support for I/O NTP synchronization with CMM2. (56527)

Changes:
- The packets accounted as ifInErrors in 'show interface port X interface-counters' were correctly dropped but not reported in the ifInDiscards counter when CEE was enabled or the switch was acting in store and forward mode. (59303)
- Support for the programming interface using the SMI-S agent has been deprecated. (69623)

Fixes:
- NTP configuration was not being sent to the switch during a CMM physical (re-seat) failover. (64726)
- The objects ifHCInOctets (1.3.6.1.2.1.31.1.1.1.6) and ifHCOutOctets (1.3.6.1.2.1.31.1.1.1.10) reported incorrect values for management interfaces on switches that support more than one interface for management (for example, EXTM and MGMT). This problem also manifested as a clear of interface counters on one management interface clearing the counters on the other management interface as well. (69756)
- Switch would fail to retain the entire configuration after reboot if port-map settings were changed. (62406)
- A crash could occur when the switch was sending DHCPv6 solicitation messages. (70483)
- The hour field in syslog timestamp messages used a single digit to represent hours 0 through 9, as opposed to the two-digit 24-hour format (hh). (66717)
- The "Width" of the port was incorrectly reported as zero under the Port Info tab section when clicking on the I/O Module image in the chassis map. This was because the object portModuleLaneCount (1.3.6.1.4.12.6.215.2.1.1.1.12.1.1) in the bcCustom MIB returned an invalid value. (63430)
- The switch's browser based interface (BBI) was reported to be susceptible to the security vulnerability CSRF (cross-site request forgery) when scanned by the web security tool IBM AppScan. (68381)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2016-2183 (SWEET32) and CVE-2016-6329. The ciphers DES, 3DES and Blowfish are no longer supported. (66395)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.15.0 (Released September 2016)

** Changes since the 7.8.14.0 release **

Enhancements: none

Changes: none

Fixes:
- Switch would fail to generate SNMP traps when STP was not stabilized for the default spanning tree group (STG 1) early on at bootup. (51622)
- A crash would occur when uploading a configuration to the switch, where the configuration file had been edited to remove the leading Tab from the commands under the "vlan dot1q" menu. (12816/LV299681)
- Switch could crash when processing SSL traffic received on the management interface. (50705)
- Switch could crash upon Hotlinks failover/failback with a fully functional NPV or full-fabric configuration in the presence of the 'hotlinks fdb-update' feature. (62032)
- The password for TACACS users could not be changed from the switch using the "primary-password" command when the "tacacs-server password-change" feature was enabled. (63530)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2016-2108 (ALIRT LEN-7502). (55174)
- Fixed security vulnerabilities as reported in the CVE Advisories CVE-2016-3705, CVE-2016-3627, CVE-2015-8806, CVE-2016-4447, CVE-2016-4449, CVE-2016-4448 (libxml2). (57176, 55781, 58942, 58943)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.14.0 (Released June 2016)

** Changes since the 7.8.13.0 release **

Enhancements: none

Changes: none

Fixes:
- An incorrect port number was displayed in the warning message when trying to enable UFP on a port via the BBI, if vports were configured with a total minimum bandwidth less than 100% of the port's bandwidth. (55172)
- A warning message was incorrectly displayed when configuring UFP via the BBI on a port when the total minimum bandwidth of the vports equalled 100% of the port's bandwidth. (54756)
- Switch could crash when enabling the HTTPS protocol while the switch was trying to connect to the VSI Manager. (50435)
- In a stacked configuration, the switch would crash when trying to apply configuration using the NETCONF protocol. All access to the NETCONF protocol in stacked configurations, which is not supported, is now disabled. (50339, 50353)
- Packets with destination IP 127.x.x.x received by the switch could result in high CPU utilization, leading to failure of the stack to initialize and converge. (50244)
- Using Cisco ACS, version 5.3 and above, to authenticate users with the TACACS protocol could lead to the User Interface threads (SSHD, AGR, TNET, CONS) being suspended forever, thereby denying any further authentication with the TACACS protocol. (LV307694/7383)
- A crash would occur in a stacked configuration upon fetching objects from the ufpInfoVportTable (.1.3.6.1.4.1.20301.2.5.17.2.6) when running multiple sessions of SNMP walk concurrently. (40518)
- A server might lose access to the upstream SAN fabric through an FCoE UFP channel upon a switch reboot in the presence of a high number of VLANs/Spanning Tree instances on the switch. (50483)
- The switch's browser based interface (BBI) was susceptible to the security vulnerabilities XSS (stored cross-site scripting) and CSRF (cross-site request forgery). The web security policy mechanism HSTS (HTTP Strict Transport Security) has been implemented on the BBI. (49409, 49427, 49471)
- The switch's browser based interface (BBI) would fail to honor the "cache-control=no-cache" directive and still cache the pages. The value of the "cache-control" directive has been changed from "no-cache" to "no-store". (49475)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.13.0 (Released February 2016)

** Changes since the 7.8.12.0 release **

Enhancements: none

Changes:
- The output of "show tech-support" now includes the isCLI commands as headers before their respective output. (38125)

Fixes:
- UFP vPort status between the server NIC and the switch could be inconsistent after a server reboot. (45179)
- Switch could crash when the server was configured with more than 4 UFP vNIC functions per port (the switch only supports 4 vPorts). The switch will now shut down the vPorts when the mismatch occurs. (40296)
- Storage paths established using FCoE would be lost as new VLANs were added to the switch configuration during run time. (41493)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2015-7575 (SLOTH). (47856)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2015-3194, CVE-2015-3195. (46801)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.12.0 (Released October 2015)

** Changes since the 7.8.11.0 release **

Enhancements: none

Changes:
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent "/maint/uudmp" from the IBMNOS-CLI menu have been deprecated. The reference to this command has been removed from the help tip that is posted upon user login if a flash-dump exists on the switch. (XB282980)

Fixes:
- The switch would fail to send ICMP TTL Exceeded messages back to the source when the incoming ICMP packet had a TTL of 1 with a destination address of the VRRP IP of the switch. As a side effect, traceroute between devices would fail if the VRRP IP of the switch were one of the hops in the path. (LV311922)
- A switch would hang upon watchdog timer expiry in a stacked setup, when the switch was either a member switch or a master switch with a backup configured. (XB300611)
- Packets with the destination MAC address of the stack were processed by the member switch CPU instead of the master switch CPU after IP routing was enabled and disabled, causing network loops. (XB268308)
- All packets received with a certain MAC address were flooded subsequent to receiving an IGMP Join/Leave on the stack member with the same MAC address as source MAC. (XB271036)
- When using a stack, configuration changes such as enabling/disabling 'ip routing' or adding/removing an IP address could cause traffic to be CPU routed instead of hardware routed. (LV312593)
- In NPV Gateway mode, ENodes could fail to log in through the switch when the uplink FC switch had the persistent FCID feature enabled. (LV311670)
- FCoE connections would be lost when the /sbin/lldpnetmap script (a utility from VMware vSphere) was run. The script incorrectly caused the switch to detect multiple peers, causing DCBX to be out of sync. The connection would be restored after a shut/no shut of the affected ports. (XB300488,7400)
- When configuring "qos bandwidth min" on a UFP port, the switch would incorrectly allow the sum of the minimum bandwidth to be less than 100%. (40181,40295)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2015-1788 (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792 (do_free_upto). (39415)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.11.0 (Released July 2015)

** Changes since the 7.8.10.0 release **

Enhancements: none

Changes:
- Additional debug information has been added to the flash dump to gather internal timer information. (XB269085)

Fixes:
- An FC port would send out FIP Advertisements despite FIPS being disabled on the port. Users will now be prevented from disabling FIPS and/or FCF mode on an FC port. (LV300602)
- The mapping between local and remote ports was incorrect when using the standard LLDP MIBs. The same was not true for the private LLDP MIBs (lldpInfoRemoteDevicesTable). (XB299432)
- Configuration of an IPv6 link-local address as the default gateway on the management interface from the CMM would fail. (LV306988)
- User configured ACLs would fail to drop subnet directed ping. (LV295376)
- When using SSH, the system notice was not being displayed before the login challenge phrase. (LV309949)
- Inserting an unsupported transceiver could cause the port link to remain down even after inserting a supported DAC cable. (LV310839)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2015-0286 (ASN1_TYPE_cmp).

================================================================================

IBM Flex System Interconnect Fabric version 7.8.10.0 (Released March 2015)

** Changes since the 7.8.8.0 release **

Enhancements: none

Changes:
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2014-3572, CVE-2015-0204, CVE-2014-8275, CVE-2014-3570.
- Fixed security vulnerabilities as reported in the CVE Advisories CVE-2014-0191 (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2), CVE-2013-2566 (RC4 algorithm, TLS protocol).

Fixes:
- VLAG ports would stay in the err-disabled state despite expiration of the Startup Delay Interval, if they were members of an L2 failover group. (LV299952)
- Switch would crash when it received a gratuitous ARP request for an IP address that was configured on the switch. (LV301785)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.8.0 (Released November 2014)

** Changes since the 7.8.7.0 release **

Enhancements:

LACP Individual Mode
--------------------
When this feature is enabled on an LACP port-channel, if a member port of the port-channel does not receive any LACPDU over a period of time, it will be treated as a normal port which may forward data traffic according to its STP state.

Changes: none

Fixes:
- FCoE sessions could flap due to high CPU utilization caused by the software flooding of Clear Virtual Links packets with an unknown destination MAC in the FCoE VLAN. (LV296464)
- Configuration changes could be denied with the error "Error: STP cannot be enabled on FC port ." if any VLAN assigned to a fiber channel port was a member of an MSTP instance. (X294677)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.7.0 (Released September 2014)

** Changes since the 7.8.6.0 release **

Enhancements: none

Changes: none

Fixes:
- Ports INTB1 & INTB2 would be disabled when a CMM failover occurred due to loss of physical connectivity on the active CMM link. (XB172285)
- The CMM could incorrectly report the switch to be offline for about 30 seconds at boot up, after failing to query switch information. A notification "communication offline" shows up on the CMM UI during this time, and is cleared once the CMM establishes communication with the switch. (XB268099)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511. (XB293143)
- FCoE sessions would flap at random and the message "Could not read FC module temperature" would be logged due to a deadlock on the I2C bus shared between the Ethernet and Fiber Channel modules. (XB281638)
- Receive FCS errors would be reported on ports EXT1 and EXT2 when using 7m or longer passive DAC cables due to incorrect firmware settings. The "Receive FCS Error Frame Counter" would increase on these ports. (XB280713)
- Changes to configuration were denied with the error "Error: Ports x and y have the same LACP admin key but different link settings (speed/duplex/flowcontrol)." when links x and y with dissimilar cables (i.e., DAC and SFP+) were aggregated. (XB282364)
- All FCoE FIP solicitation messages were tied to the lowest numbered port in the NPV VLAN, even when no FCF ports were online in the NPV VLAN. (XB290563)
- A crash would occur after multiple failed attempts to log in via SSH or the BBI, if secure-backdoor was enabled and the configured remote RADIUS/TACACS authentication servers could be reached. (XB293746,XB292790)
- Secure-backdoor access to the switch via SSH failed when the configured remote RADIUS/TACACS authentication servers could be reached. (XB293743,XB294261)
- Secure-backdoor and backdoor access to the switch via SSH failed to prompt for a username. (XB292116,XB293076)
- Saved IP gateway configuration was lost upon reload or upon issuing "copy" commands when the associated IP interface was deleted. (XB274331)
- A crash would occur when the hotlinks active interface was disabled and enabled in quick succession. (XB278024)
- Executing the "copy tech-support" family of commands could result in instability in the stack and cause FCoE sessions to flap. (XB274963,XB274963)
- The internal/external controlled ports from all units other than the master remained down post reload in an L2 Failover AMON/MMON scenario. (XB275310,XB277583,XB277982)
- Changes to configuration were denied with the error "Error Ports ... have the same LACP admin key but different STP edge settings" after a non-existing VLAN was added to a port, if LACP and STP edge/portfast were both enabled on the port. (XB282083)

================================================================================

IBM Flex System Interconnect Fabric version 7.8.6.0 (Released July 2014)

** Changes since the 7.8.5.0 release **

Enhancements: None

Changes:
- Internal debug usernames have been removed from the firmware to prevent potential backdoor access. (XB282666)

Fixes: None

================================================================================

IBM Flex System Interconnect Fabric version 7.8.5.0 (Released June 2014)

** Changes since the 7.8.4.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in the OpenSSL protocol that is used in IBM System Networking Ethernet Switches. (CVE-2014-0224)

Fixes: None

================================================================================

IBM Flex System Interconnect Fabric version 7.8.4.0 (Released June 2014)

Initial Release of IBM Flex System SI Fabric.