FIRMWARE CHANGE HISTORY
-----------------------

IBM RackSwitch G8264CS version 7.8.28.0 (Released March 2021)

** Changes since the 7.8.27.0 release **

Enhancements: none

Changes: none

Fixes:
- Fixed vulnerabilities as reported in the CVE Advisories: CVE-2019-5436.
  (207165)

================================================================================
IBM RackSwitch G8264CS version 7.8.27.0 (Released November 2020)

** Changes since the 7.8.26.0 release **

Enhancements: none

Changes: none

Fixes:
- Fixed vulnerabilities in the Linux kernel as reported in the CVE Advisories:
  CVE-2020-13974, CVE-2020-10732, CVE-2020-14314, CVE-2020-12770. (207165)

================================================================================
IBM RackSwitch G8264CS version 7.8.26.0 (Released August 2020)

** Changes since the 7.8.25.0 release **

Enhancements:
- Added support for deleting an HTTPS certificate. Command Line Interface:
  'access https delete-certificate' (202628)

Changes: none

Fixes:
- HTTPS connection would be lost when generating a certificate with blank
  fields. (202593)
- Fixed vulnerabilities as reported in the CVE Advisories: CVE-2020-12464.
  (207165)

================================================================================
IBM RackSwitch G8264CS version 7.8.25.0 (Released February 2020)

** Changes since the 7.8.24.0 release **

Enhancements: none

Changes: none

Fixes:
- The switch could crash when modifying the port-channels used by FCoE.
  (183939)
- Fixed vulnerabilities as reported in the CVE Advisories: CVE-2019-1559.
  (181273)

================================================================================
IBM RackSwitch G8264CS version 7.8.24.0 (Released October 2019)

** Changes since the 7.8.23.0 release **

Enhancements: none

Changes: none

Fixes:
- A crash could occur when receiving a packet with invalid SSL/TLS
  information. (180641)
- Fixed vulnerabilities in the Linux kernel as reported in the CVE Advisories
  CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. (177635)

================================================================================
IBM RackSwitch G8264CS version 7.8.23.0 (Released June 2019)

** Changes since the 7.8.22.0 release **

Enhancements: none

Changes: none

Fixes:
- Telnet and SSH to the switch would fail if the system notice were configured
  to have a length greater than 1970 characters. (167658)
- Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory
  CVE-2018-0734. (175714)

================================================================================
IBM RackSwitch G8264CS version 7.8.22.0 (Released February 2019)

** Changes since the 7.8.21.0 release **

Enhancements: none

Changes: none

Fixes:
- Protocols would flap and the switch would experience high CPU utilization
  when the switch was scanned by Qualys software. (146840)
- Switch could crash when changing the switch Management IP address under
  heavy CPU utilization conditions, while receiving continuous traffic on the
  Management Port. (147023)
- Spanning tree group (STG) instances could not be configured from the BBI
  interface of the switch. (161182)
- Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory
  CVE-2018-0732. (147029)

================================================================================
IBM RackSwitch G8264CS Version 7.8.21.0 (Released October 2018)

** Changes since the 7.8.20.0 release **

Enhancements:
- The switch tech-support now includes the information of the Broadcom SDK
  threads spawned by the switch. (123029)

Changes: none

Fixes:
- A crash could occur when the switch was scanned for vulnerabilities by the
  Rapid 7 security tool or a Nessus scan, or when the CLI commands
  "no ssh enable" or "no access netconf ssh enable" were executed after the
  scan. (133904/138760)
- Switch would reboot due to memory exhaustion when exposed to prolonged port
  flapping, or prolonged network loop conditions in a VLAG setup.
  (133992/135129)
- If either of the switches in a VLAG pair were rebooted after the VLAG
  tier-id was changed on both switches by copying a configuration (with a new
  VLAG tier-id) from a remote server such as FTP, a network loop could be
  caused. (137255)
- Fixed vulnerabilities in the TLS protocol as reported in the CVE Advisories
  CVE-2014-8730. (80866)
- Switch no longer supports the Diffie-Hellman key exchange algorithm in
  strict security mode. (143643)
- Enhance BBI session default user password reset framework. (135949/135951)

================================================================================
IBM RackSwitch G8264CS Version 7.8.20.0 (Released June 2018)

** Changes since the 7.8.19.0 release **

Enhancements:
- A syslog will now be logged
  - when port statistics are cleared from the UI, for example using CLI
    commands 'clear counters' or 'clear interfaces'.
  - when flash dump is cleared, for example using CLI command
    'clear flash-dump'.
  (121539)

Changes: none

Fixes:
- Switch could crash when trying to view the recently applied configuration
  by clicking on the Diff option on the main page through the BBI interface.
  (125655)
- Fixed Libxml2 vulnerabilities as reported in the Advisories CVE-2016-5131,
  CVE-2017-15412, CVE-2017-16932, CVE-2017-5130. (124059)

================================================================================
IBM RackSwitch G8264CS Version 7.8.19.0 (Released February 2018)

** Changes since the 7.8.18.0 release **

Enhancements: none

Changes: none

Fixes: none

================================================================================
IBM RackSwitch G8264CS Version 7.8.18.0 (Released November 2017)

** Changes since the 7.8.17.0 release **

Enhancements: none

Changes: none

Fixes:
- Spanning Tree protocol for the Default Group STG 1 would flap once when
  deleting VLANs from the switch configuration. (68065)
- Switch would lose configuration saved as "switchport trunk allowed vlan ..."
  after reload, if the configuration had VLANs greater than 999. (95123)
- An incorrect SSH return code (255), indicating an error, was returned even
  though the command executed successfully. It now returns 0, indicating
  success, upon successful completion of a command. (99036)
- Switch could crash when accessing the FDMI DB webpage, located at
  Dashboard (on the home page) -> FC/FCOE (opens a new tab) -> FC/FCOE ->
  FDMI DB, through the BBI interface. (99716)
- When SLP is enabled, the error messages
  “alloc_fd find_free_fd failed find_free_fd full” would be displayed on the
  switch console when multiple VLANs were created using the “vlan ” command.
  (104194)
- Fixed libXML2 vulnerabilities as reported in the CVE Advisories
  CVE-2017-8872, CVE-2017-9049 and CVE-2017-9050. (104768)
- Address issue in login credential mechanism. (107614)
- Support for the weak ciphers TLS_RSA_WITH_AES_128_CBC_SHA,
  TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA and
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA has been removed. (109956/111620)
- Fixed TCP vulnerabilities as reported in the CVE Advisory CVE-2017-6214.
  (113078)
- Address non-configured community strings. (115054)
- The switch’s browser based interface (BBI) was susceptible to the security
  vulnerabilities cross-site scripting (XSS) and stored cross-site scripting,
  as reported by the IBM security tool AppScan. (116507)
- Switch would crash when the command “show mp thread” was executed before
  any syslog messages were logged by the switch, or if logging was completely
  disabled on the switch. (117304)

================================================================================
IBM RackSwitch G8264CS Version 7.8.17.0 (Released May 2017)

** Changes since the 7.8.16.0 release **

Enhancements: none

Changes:
- The support for TLS versions 1.1 and 1.0 has been deprecated. TLS version
  1.2 is now supported by default. (PSIRT ALIRT 10820) (72679)

Fixes:
- The MTU value for a port in the output of the “show lldp info” command was
  incorrectly reported as 1522 instead of 9216. (73928)
- The SSH Server CBC Mode Ciphers and SSH Weak MAC Algorithms have been
  disabled. (75828)
- A crash could occur when scanned by the nmap security scanner if SLP were
  enabled on the switch. (84660)
- VNIC synchronization between the switch and server could stop working if
  the switch detects multiple DCBX peers over VNIC configured ports. One
  consequence of this scenario would be that VNIC ports could be incorrectly
  reported as UP on the switch and Down on the server side, after a server
  reload. (85713)
- The switch’s browser based interface (BBI) was reported to be missing the
  "Content-Security-Policy", "X-Content-Type-Option" and "X-XSS-Protection"
  headers in the HTTP response when scanned by the web security tool
  IBM AppScan. (68381, 75827)
- In a multicast environment, a switch acting simultaneously as a "Last Hop
  Router" (LHR) and an "Intermediate Router" (IR) would be unable to send
  traffic to LHR clients for a specific group. This happens when the switch
  has already received IR PIM joins for the same group, started forwarding
  traffic towards the IR clients and then receives LHR IGMP joins for that
  group. (78192)
- A crash would occur when scanned by the web security tool IBM AppScan,
  while running a Recorded Login option. (90107)
- HTTP requests sent by LXCA with a “/” URL would erroneously be rejected,
  causing the switch’s GUI to fail to launch in LXCA. (92267)
- A crash could occur when clicking the "show log" tab under the Dashboard
  menu when using BBI. (LV302598/77085/86874)
- Fixed zlib vulnerabilities as reported in the CVE Advisories CVE-2016-9840,
  CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843. (86800)
- Fixed libXML2 vulnerabilities as reported in the CVE Advisories
  CVE-2016-4658 and CVE-2016-9318. (86808)
- A switch, upon receiving a rogue OSPF LSA containing its own router ID with
  a maximum sequence number (0x7fffffff), would incorrectly respond with a
  fight-back LSA of its own database, as opposed to the rogue's LSA database.
  (92346)

================================================================================
IBM RackSwitch G8264CS Version 7.8.16.0 (Released January 2017)

** Changes since the 7.8.15.0 release **

Enhancements: None

Changes:
- The packets accounted as ifInErrors in ‘show interface port X
  interface-counters’ were correctly dropped but not reported in the
  ifInDiscards counter when CEE was enabled or the switch was acting in store
  and forward mode. (59303)
- The support for the programming interface using the SMI-S agent has been
  deprecated. (69623)

Fixes:
- The hour field in the syslog timestamp messages was using a single digit to
  represent hours 0 through 9, as opposed to the two digit 24 hour format
  (hh). (66717)
- The switch’s browser based interface (BBI) was reported to be susceptible
  to the security vulnerability CSRF (cross-site request forgery) when
  scanned by the web security tool IBM AppScan. (68381)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2016-2183
  (SWEET32) and CVE-2016-6329. The ciphers DES, 3DES and Blowfish are no
  longer supported. (66395)

================================================================================
IBM RackSwitch G8264CS Version 7.8.15.0 (Released September 2016)

** Changes since the 7.8.14.0 release **

Enhancements: none

Changes: none

Fixes:
- Switch would fail to generate SNMP traps when STP was not stabilized for
  the default spanning tree group (STG 1) early on at bootup. (51622)
- A crash would occur when uploading a configuration to the switch, where the
  configuration file was edited to remove the leading Tab from the commands
  under the "vlan dot1q" menu. (12816/LV299681)
- Switch could crash when processing SSL traffic received on the management
  interface. (50705)
- Switch could crash upon Hotlinks failover/failback with a fully functional
  NPV or full-fabric configuration in the presence of the
  ‘hotlinks fdb-update’ feature. (62032)
- Password for TACACS users could not be changed from the switch using the
  "primary-password" command when the "tacacs-server password-change" feature
  is enabled. (63530)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2016-2108
  (ALIRT LEN-7502). (55174)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2016-3705,
  CVE-2016-3627, CVE-2015-8806, CVE-2016-4447, CVE-2016-4449, CVE-2016-4448
  (libxml2). (57176, 55781, 58942, 58943)

================================================================================
IBM RackSwitch G8264CS Version 7.8.14.0 (Released June 2016)

** Changes since the 7.8.13.0 release **

Enhancements: none

Changes: none

Fixes:
- Switch could crash when enabling the HTTPS protocol while the switch was
  trying to connect to the VSI Manager. (50435)
- Devices were unable to ping beyond their local subnet, with the switch
  acting as their VRRP gateway. (52099)
- Using Cisco ACS, version 5.3 and above, to authenticate users with the
  TACACS protocol could lead to the User Interface threads (SSHD, AGR, TNET,
  CONS) being suspended forever, thereby denying any further authentication
  with the TACACS protocol. (LV307694/7383)
- The switch’s browser based interface (BBI) was susceptible to the security
  vulnerabilities XSS (stored cross-site scripting) and CSRF (cross-site
  request forgery). The web security policy mechanism HSTS (HTTP Strict
  Transport Security) has been implemented on BBI. (49409, 49427, 49471)
- The switch’s browser based interface (BBI) would fail to honor the
  “cache-control=no-cache” directive and still cache the pages. The value of
  the “cache-control” directive has been changed from “no-cache” to
  “no-store”. (49475)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2015-5185
  (sblim-sfcb). (51801)
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2015-8710
  (libxml2). (49214)

================================================================================
IBM RackSwitch G8264CS Version 7.8.13.0 (Released February 2016)

** Changes since the 7.8.12.0 release **

Enhancements: none

Changes:
- The output of “show tech-support” now includes the isCLI commands as
  headers before their respective output. (38125)

Fixes:
- UFP vPort status between the Server NIC and the Switch could be
  inconsistent after a server reboot. (45179)
- Switch could crash when the server was configured with more than 4 UFP vNIC
  functions per port (the switch only supports 4 vPorts). The switch will now
  shut down the vPorts when the mismatch occurs. (40296)
- Storage paths established using FCOE would be lost as new VLANs were added
  to the switch configuration during run time. (41493)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-7575
  (SLOTH). (47856)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-3194,
  CVE-2015-3195. (46801)

================================================================================
IBM RackSwitch G8264CS Version 7.8.12.0 (Released October 2015)

** Changes since the 7.8.11.0 release **

Enhancements: none

Changes:
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent
  "/maint/uudmp" from the IBMNOS-CLI menu have been deprecated. The reference
  to this command has been removed from the help tip that is posted upon user
  login if a flash-dump exists on the switch. (XB282980)

Fixes:
- The switch would fail to send ICMP TTL Exceeded messages back to the source
  when the incoming ICMP packet had a TTL of 1 with a destination address of
  the VRRP IP of the switch. As a side effect, Traceroute between devices
  would fail if the VRRP IP of the switch were one of the hops in the path.
  (LV311922)
- In NPV Gateway mode, Enodes could fail to log in through the switch when
  the uplink FC switch had the persistent FCID feature enabled. (LV311670)
- FCOE connections would be lost when the /sbin/lldpnetmap script (utility
  from VMware vSphere) was run. The script was incorrectly causing the switch
  to detect multiple peers, causing DCBX to be out of sync. The connection
  would be restored after a shut/no shut of the affected ports.
  (XB300488, 7400)
- When configuring “qos bandwidth min” on a UFP port, the switch would
  incorrectly allow the sum of the minimum bandwidth to be less than 100%.
  (40181, 40295)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-1788
  (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792
  (do_free_upto). (39415)

================================================================================
IBM RackSwitch G8264CS Version 7.8.11.0 (Released July 2015)

** Changes since the 7.8.10.0 release **

Enhancements: none

Changes:
- Additional debug information has been added to the flash dump to gather
  internal timer information. (XB269085)

Fixes:
- FC port would send out FIP Advertisements despite FIPS being disabled on
  the port. Users will now be prevented from disabling FIPS and/or FCF mode
  on an FC port. (LV300602)
- The mapping between local and remote ports was incorrect when using the
  standard LLDP MIBs. The same is not true for the private LLDP MIBs
  (lldpInfoRemoteDevicesTable). (XB299432)
- Configuration of an IPv6 Link Local Address as default gateway on the
  management interface from the CMM would fail. (LV306988)
- User configured ACLs would fail to drop subnet directed ping. (LV295376)
- When using SSH, the System notice was not being displayed before the login
  challenge phrase. (LV309949)
- Inserting an unsupported transceiver could cause the port link to remain
  down even after inserting a supported DAC cable. (LV310839)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-0286
  (ASN1_TYPE_cmp).
================================================================================
IBM RackSwitch G8264CS Version 7.8.10.0 (Released March 2015)

** Changes since the 7.8.8.0 release **

Enhancements: none

Changes:
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3572,
  CVE-2015-0204, CVE-2014-8275, CVE-2014-3570.
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2014-0191
  (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2), CVE-2013-2566
  (RC4 algorithm, TLS protocol).

Fixes: none

================================================================================
IBM RackSwitch G8264CS Version 7.8.8.0 (Released November 2014)

** Changes since the 7.8.7.0 release **

Enhancements:

LACP Individual Mode
--------------------
When this feature is enabled on an LACP port-channel, if a member port of the
port-channel does not receive any LACPDU over a period of time, it will be
treated as a normal port which may forward data traffic according to its STP
state.

Changes: none

Fixes:
- FCoE sessions could flap due to the high CPU utilization caused by the
  software flooding of Clear Virtual Links packets with an unknown
  destination MAC in the FCoE VLAN. (LV296464)
- Configuration changes could be denied with the error "Error: STP cannot be
  enabled on FC port ." if any VLAN assigned to a fibre channel port is a
  member of an MSTP instance. (X294677)

================================================================================
IBM RackSwitch G8264CS Version 7.8.7.0 (Released September 2014)

** Changes since the 7.8.6.0 release **

Enhancements:

EasyConnect
-----------
Easy Connect is a feature which allows the user to easily apply a series of
customizable and canned configurations based on common deployment scenarios
requiring little network administration or additional network design.

Changes: none

Fixes:
- FCOE sessions would flap at random and the message "Could not read FC
  module temperature" would be logged, due to a deadlock on the I2C bus
  shared between the Ethernet and Fibre Channel modules. (XB281638)
- All FCOE FIP solicitation messages were tied to the lowest numbered port in
  the NPV VLAN, even when no FCF ports were online in the NPV VLAN. (XB290563)
- A crash would occur after multiple failed attempts to log in via SSH or
  BBI, if secure-backdoor is enabled and the configured remote RADIUS/TACACS
  authentication servers can be reached. (XB293746, XB292790)
- Secure-backdoor access to the switch fails via SSH when the configured
  remote RADIUS/TACACS authentication servers can be reached.
  (XB293743, XB294261)
- Secure-backdoor and backdoor access to the switch via SSH fails to prompt
  for a username. (XB292116, XB293076)
- Changes to configuration are denied with the error "Error: Ports x and y
  have the same LACP admin key but different link settings
  (speed/duplex/flowcontrol)." when links x and y with dissimilar cables
  (i.e., DAC and SFP+) are aggregated. (XB282364)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3505,
  CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510,
  CVE-2014-3511. (XB293143)
- Changes to configuration are denied with the error "Error Ports ... have
  the same LACP admin key but different STP edge settings" after a
  non-existing VLAN is added to a port, if LACP and STP edge/portfast are
  both enabled on the port. (XB282083)
- Executing the "copy tech-support" family of commands could result in
  instability in the stack and cause FCOE sessions to flap.
  (XB274963, XB274963)

================================================================================
IBM RackSwitch G8264CS Version 7.8.6.0 (Released July 2014)

** Changes since the 7.8.5.0 release **

Enhancements: None

Changes:
- Internal debug usernames have been removed from the firmware to prevent
  potential backdoor access. (XB282666)

Fixes: None

================================================================================
IBM RackSwitch G8264CS Version 7.8.5.0 (Released June 2014)

** Changes since the 7.8.4.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in the OpenSSL protocol that is used in
  IBM System Networking Ethernet Switches. (CVE-2014-0224)

Fixes: None

================================================================================
IBM RackSwitch G8264CS Version 7.8.4.0 (Released June 2014)

New and Updated Features:
-------------------------

Virtual Link Aggregation Group (VLAG):
--------------------------------------
Typically, Spanning Tree Protocol (STP) is used to prevent broadcast loops,
blocking redundant uplink paths. This has the unwanted consequence of
reducing the available bandwidth between the layers by as much as 50%. In
addition, STP may be slow to resolve topology changes that occur during a
link failure, and can result in considerable MAC address flooding.

Using VLAGs, the redundant uplinks remain active, utilizing all available
bandwidth. Two switches are paired into VLAG peers, and act as a single
virtual entity for the purpose of establishing a multi-port trunk. Ports from
both peers can be grouped into a VLAG and connected to the same LAG-capable
target device. From the perspective of the target device, the ports connected
to the VLAG peers appear to be a single trunk connecting to a single logical
device. The target device uses the configured Tier ID to identify the VLAG
peers as this single logical device. It is important that you use a unique
Tier ID for each VLAG pair you configure.

The VLAG-capable switches synchronize their logical view of the access layer
port structure and internally prevent implicit loops. The VLAG topology also
responds more quickly to link failure and does not result in unnecessary MAC
flooding.
VLAGs are also useful in multi-layer environments for both uplink and downlink
redundancy to any regular LAG-capable device.

Full Private VLAN:
------------------
This feature supports Private VLAN configurations as described in RFC 5517.

QoS Monitoring:
---------------
This feature enhances the QoS statistics by presenting the COS statistics per
port and per COS queue used.

Enhanced Number of FCoE Sessions:
---------------------------------
Number of FCoE sessions increased to 2000.

SNMP support for management via IBM Systems Director:
-----------------------------------------------------
This feature adds SNMP support for configuration and management of FC
features to enable management of the switch via IBM Systems Director.

Decoupling active VLANs from MSTP configuration:
------------------------------------------------
This feature enables the decoupling of the VLAN(s) configuration from the
MSTP configuration and changes the MSTP configuration menu to a more
simplified one. By doing so, specifying a mapping between VLAN(s) and an MSTI
will not create any VLAN(s), and the participation of the VLAN(s) in MSTP will
not depend on the VLAN(s) creation.

NIST SP 800-131A Compliance:
----------------------------
Added a mode of operation that forces the device to operate and secure network
operations in a manner that is fully compliant with the NIST SP 800-131A
security standard. Removed support for the obsolete cryptographic algorithms
DES and MD5, as well as protocols like SSLv3, even in the non-compliant mode.

Use SHA-256 as default:
-----------------------
Set SHA-256 as the default and preferred hashing algorithm for all secured
network operations where applicable. This includes TLS certificates and cipher
suites with HMAC SHA-256 in TLS.

Switch Login display:
---------------------
When the "system notice" attribute is configured, the information which
identifies the Switch Product Name is no longer displayed at the login banner.

https support for IBM Flex System Manager (FSM) to download the Qbg Virtual Service Interface (VSI) Database:
----------------------------------------------------------------
FSM provides the VSIDB service and requires an SSL connection to communicate
with the VSIDB client for enhanced security. This feature provides SSL support
for the VSIDB client to get the VSIDB from FSM.

ACL6 Metering:
--------------
Added metering support for IPv6 ACLs similar to the IPv4 ACLs.

Increase Local Users:
---------------------
Added support for up to 20 local user accounts with different privilege
levels.

syslog console and buffer severity:
-----------------------------------
This feature provides a mechanism to configure the severity level for log
messages displayed on the console as well as for the syslog messages stored
locally on the switch.

BGP DSCP Marking:
-----------------
This feature allows users to configure the DSCP value to be used in the IP
header of the outgoing BGP packets.

BGP next hop self:
------------------
BGP routing updates sent to a neighbor contain the next hop IP address used to
reach a destination. In eBGP, the edge router, by default, sends its own IP
address as the next hop address. However, this can sometimes cause routing
path failures in Non-Broadcast Multiaccess Networks (NBMA) and when the edge
router sends iBGP updates. To avoid routing failures, you can manually
configure the next hop IP address. In the case of NBMA networks, you can
configure the external BGP speaker to advertise its own IP address as the next
hop. In the case of iBGP updates, you can configure the edge iBGP router to
send its IP address as the next hop.

BGP Multihop TTL Security:
--------------------------
This feature provides a protection mechanism for BGP peering sessions against
CPU utilization based attacks by validating the TTL in the incoming BGP
packet.

LLDP MIB:
---------
This feature supports the LLDP MIB per the IEEE 802.1AB standard.
LLDP vendor information display:
--------------------------------
In prior releases, LLDP is disabled by default. This feature enables LLDP by
default, disables optional TLVs, corrects the vendor information and adds
three new commands that show more detailed LLDP information.

SNMP and BBI for OSPFv3:
------------------------
BBI and SNMP support for OSPFv3 over IPsec has been added.

4K VLAN Support:
----------------
Up to 4095 VLANs per switch are supported.

Fibre Channel ISL E_Port support:
---------------------------------
FC E_Port support has been added. E_ports (expansion ports) connect two full
fabric switches to form an inter-switch link (ISL).

Fixes:
- A security vulnerability existed in the TLS protocol versions TLS1.0 and
  earlier, in that an attacker could potentially discover the TLS session
  key. Added a configurable CLI option to restrict the minimum allowable
  protocol version of TLS, from TLS1.0 through TLS1.2. This is so that the
  user can avoid the vulnerability described in CVE-2011-3389 by selecting a
  higher protocol version that is not vulnerable to attack (TLS1.1 and above).

================================================================================
IBM RackSwitch G8264CS Version 7.7.8.0 (Released December 2013)

** Changes since the 7.7.5.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in the TLS protocol versions TLS1.0 and
  earlier, in that an attacker could potentially discover the TLS session
  key. To prevent this, a configurable CLI option was added to restrict the
  minimum allowable protocol version of TLS, from SSLv3 through TLS1.2.
  (CVE-2011-3389)

Fixes:
- A crash would occur when routing packets to an unreachable IPv6 gateway.
  (68081)
- A crash would occur during TACACS+ authentication when receiving optional
  attributes (during the authorization stage). (68473)
- With Layer-2 Failover configured, data traffic would momentarily be
  interrupted while transitioning from the active port to the standby port
  during a failover. (XB172186, XB222079)
- The ACL logging feature would not report incoming packets that matched an
  ACL qualified by a TCP or UDP destination port. (XB208108)
- Valid LLC frames received would erroneously be reported as ingress errors
  if they included an 802.1Q VLAN tag. (XB208414, XB227573)
- A crash would occur if a data port was used to upload a file to an FTP
  server, if the file already existed on the server and had read-only access
  permissions. (XB209257)
- A crash would occur if the traceroute command was executed with an IPv6
  address specified, and no IPv6 management interfaces were configured.
  (XB215717)
- Connecting to a Secure FTP server using a human-readable hostname would
  fail (it would only work when an IP address was explicitly specified).
  (XB216488)
- A crash would occur if a ping was issued to a random host name, and an IPv6
  DNS server was unreachable or non-existent. (XB216882)
- A crash would occur during a second attempt to authenticate a user via an
  unreachable or non-existent LDAP server. (XB217674)
- In a VRRP topology, when the Nessus security-scanning tool performed the
  "failed login" test via SSH, the VRRP process on the backup switch could
  fail to receive advertisement packets from the VRRP master within the
  specified threshold, leading to an oscillation between master and back-up
  states. (XB217716)
- A crash would occur if a TFTP upload or download was attempted, and no IPv6
  interfaces were configured. (XB218041)
- The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web
  scanning tools, potentially resulting in crashes. (XB218795)
- FCoE connections could be lost when receiving FLOGI packets in rapid
  succession from servers hosting a large number of FCoE-enabled Virtual
  Machines. (XB220347)
- Invalid TCP packets (e.g., having both SYN and FIN flags set) received by
  the switch would not be discarded, resulting in a potential security
  vulnerability. (XB220985)
- A crash would occur when performing an SNMP Get operation upon index 128 of
  the stpInfoPortTable object. (XB249428)
- An over-temperature could occur, leading to a loss of FCoE connections and
  traffic. (XB255903)

================================================================================
IBM RackSwitch G8264CS Version 7.7.5.0 (Released August 2013)

** Changes since the 7.7.3.0 release **

Enhancements: None

Changes:
- Dynamic link aggregation (LACP) ports that are not able to converge with
  peer ports will now result in a link-down state. This will occur when ports
  configured as members of an LACP trunk are connected to non-LACP ports.
  This is expected behavior. When connecting different IBMNOS products using
  LACP ports, it is recommended to install complementary firmware versions
  (e.g., 7.7.5) on each device to ensure matching LACP behavior.
- Added support for new front-to-back airflow power supplies (part numbers
  94Y8104 and 94Y8105).

Fixes:
- Inefficiencies in the SNMP-processing code could result in high CPU
  utilization, SNMP client time-outs, protocol flaps, or a switch reset by
  the Hardware Watchdog. (66769, 70649)
- User-configured ACL Deny rules were not being respected for packets with a
  Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively).
  (69126 / XB202484)
- A prolonged period of high CPU utilization can lead to protocol-thread
  starvation. In one such case, LACP PDUs were not being sent by the CPU,
  leading to the breakdown of the LACP trunk forming the ISL in a vLAG
  topology. The ISL trunk ports that had previously been in the STP
  Discarding state would then errantly go into the Forwarding state,
  resulting in flooding of STP BPDUs into the network, and the inevitable
  network loop. (70887)
- A hang of the Switch's I2C bus could occur, leading to a reset of the
  Switch by the hardware watchdog. (71721)
- The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in
  SNMP Walks being stuck indefinitely at that point. (71785)
- Disabling LACP (from the peer device) on a member port of an LACP trunk
  that also has STP disabled would result in the port being errantly
  displayed as FORWARDING in the output of the "show spanning-tree stp"
  command (and via the BBI), when in fact the port would be in the BLOCKING
  state (as designed). (71805, 71822)
- Inefficiencies in the periodic polling of I2C devices would result in a
  persistent high CPU-utilization condition. (71814)
- Deleting the LACP key (from the peer device) on a member port of an LACP
  trunk that also has STP disabled would result in the port errantly going
  into the FORWARDING state. (71841)
- With STP in PVRST mode and with a high active-port/STG product, a memory
  leak could occur while processing BPDUs (this was demonstrable with 47
  ports active and more than 127 STGs configured per port). Over time, the
  memory leak could lead to a reset of the switch by the Memory Monitor.
  (71844)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with
  the invalid source-IP address of 0.0.0.0. (71749)
- Receiving multicast packets on server-facing ports at a high rate could
  cause FCoE sessions to go down momentarily. (XB148188)
- Attempting to set port speed via the CMM would fail. (XB171317)
- If the CMMs had "Failover on Physical Network Link" enabled (default), and
  the network link of the Active CMM went down, ports INTB1 and INTB2 could
  get disabled when the Standby CMM became active. (XB172285)
- An IP address could not simultaneously be configured as a global DHCP
  server address and a broadcast-domain DHCP server address. (XB172381)
- A crash could occur if an FCoE-related CLI command was issued while the
  external management port was being flooded with packets. (XB199890)
- NTPv3 authentication information was being added to outgoing NTP Client
  Requests, even when authentication was disabled on the Switch. The
  consequence was that NTP servers that do not support authentication would
  discard the requests (i.e., not respond to the Client Requests). (XB204541)
- A crash could occur while handling an HTTPS request if the connection to
  the client was suddenly terminated while handling the transaction.
  (XB205895)
- If the switch's Hostname was used to access the switch via BBI (i.e.,
  relying on DNS instead of inputting the raw IP address), attempting to
  perform an image upgrade would result in redirection to a blank page.
  (XB206876)

================================================================================
IBM RackSwitch G8264CS 7.7.3.0 (Released June 2013)

Enhancements:

VMReady coexistence with QBG
----------------------------
In the previous releases, VMready and QBG could not be enabled at the same
time on the switch system due to conflicting behavior. In this release, the
user is allowed to run both VMready and QBG at the same time on the same
switch system.

Debug enhancements
------------------
Added debug commands to provide more detail than shown in the current
counters. New commands added for LACP packets and spanning tree BPDU packets.

Diff flash support in iSCLI
---------------------------
Provided a command in iSCLI to display the differences between the running
configuration and the saved configuration. This functionality was already
available in IBMNOSCLI and is now added to the iSCLI.

VMcheck
-------
Provides a MAC checking mechanism to prevent untrusted devices from spoofing
the MAC of a trusted device and gaining access to the VM network. When VMcheck
is enabled on an ESX server port, virtual machines are only allowed to use
their assigned MAC address.
VMcheck can be configured to disable port, drop packets only from intruding MAC, only send a log if MAC checking detects a VM transmitting with a different MAC address than what is listed in VMware?s Vcenter. Host Resources MIB(RFC-1514) ---------------------------- Provided support for standards based HOST-RESOURCES-MIB defined in RFC 2790 allowing the switches to be managed by standard objectIDs. Host resources mib defines a uniform set of objects to manage host devices that are independent of the vendor, software or network capabilities. Implementation of the system and interface groups is mandatory. Terminal-length 0 persistent ---------------------------- Provided isCLI commands for configuring the terminal length for CLI sessions. The commands saved in the flash for persistency across resets. Runtime option to change the terminal length for the current session without affecting the saved configuration. Manual Reflective Relay mode for SRIOV/VEPA NICs ------------------------------------------------ Reflective relay is a basic feature on switch. Manual reflective relay means configuring reflective relay manually by user. Currently, reflective relay is enabled by Qbg automatically when EVB profile is enabled on port, and peer server requests it via LLDP. Meanwhile there is no interface for user to configure. In this release we added the option to manually configured reflective relay by user, especially when Qbg is disabled. IPv6 Address support with VSIDB ------------------------------- The servers on FSM use IPv6 address by default and support IPv6 HTTP server. But IPv6 HTTP client has not been supported by VSIDB so far. In this release, we added the support of IPv6 HTTP client to communicate to VSIDB. Duplicate IP Detection ---------------------- The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. 
If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address. DHCP Option 7 and option 12 --------------------------- These features enhance the DHCP client support on the switch to support Option 12 which defines the configuration of hostname and Option 7 which is used to get the syslog server address from DHCP server. Enhanced Password security -------------------------- This feature provides stronger login enforcements for userIDs and password by forcing the local user passwords to be case sensitive, 8-64 character mix of uppercase letters, lowercase letters, numbers, and special characters, including at least one of each. Configurable port for SFTP -------------------------- This enhancement provides an option to perform SFTP operations on the switch using port numbers that can be configured explicitly (different from standard port 22) BGP multipath relax ------------------- This functionality allows load balancing across different autonomous system paths that have equal AS path length. SMIS IPv6 support ----------------- The Storage Management Initiative - Specification (SMIS) protocol was introduced in the last release to provide the management of storage devices within the fiber channel fabric. In this release we introduced support to configure IPv6 switch management addresses. LACP Suspend Port ----------------- This feature provides the capability to allocate an assigned trunk to LACP ports by LACP key, which avoids a potential traffic loop caused by mis-connection or error configuration. Static ARP entry with mcast address ----------------------------------- Provide solution to allow static unicast ARPs with multicast MAC entries to support networks using Microsoft NLB. IBM NOS now allows two enhancements: a multicast address is now configured as a static ARP entry and the static ARP entry does not require the port to be defined. 
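The Duplicate IP Detection mechanism described above, as an added Python illustration that is not part of these release notes or of IBM NOS: it builds the gratuitous ARP request the switch sends for its own address and turns a received ARP reply from a different MAC into the syslog-style message. The switch MAC, the address 192.0.2.10 and the intruder MAC are constructed sample values.

```python
import struct

# Constructed sample values for this example (not from the release notes):
# the switch's own interface MAC and IPv4 address.
SWITCH_MAC = bytes.fromhex("0015171a2b3c")
SWITCH_IP = "192.0.2.10"

ETH_P_ARP = 0x0806           # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def ip_bytes(ip):
    """Dotted-quad IPv4 string -> 4 raw bytes."""
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(op, sha, spa, tha, tpa, dst):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    eth = dst + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
    return eth + arp + sha + ip_bytes(spa) + tha + ip_bytes(tpa)

def gratuitous_arp_request(mac=SWITCH_MAC, ip=SWITCH_IP):
    """The probe the switch sends: a broadcast ARP request for its own address,
    with sender IP == target IP. Nobody should answer if the address is unique."""
    return build_arp(ARP_REQUEST, mac, ip, b"\x00" * 6, ip, BROADCAST)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": frame[22:28],
        "spa": ".".join(str(b) for b in frame[28:32]),
        "tha": frame[32:38],
        "tpa": ".".join(str(b) for b in frame[38:42]),
    }

def duplicate_ip_alert(frame, mac=SWITCH_MAC, ip=SWITCH_IP):
    """Syslog-style message if `frame` is an ARP reply in which another MAC claims
    our IP address; None for anything else (including our own frames)."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REPLY:
        return None
    if arp["spa"] != ip or arp["sha"] == mac:
        return None
    intruder = ":".join(f"{b:02x}" for b in arp["sha"])
    return f"Duplicate IP address {ip} detected: also in use by host {intruder}"
```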
NTP Client Display Improvements
-------------------------------
The Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet. With the NTP service enabled, the switch can accurately update its internal clock to be consistent with other devices on the network. The "show ntp" command has been updated with details such as clock offset, stratum and reference clock. NTP enhancements have been provided to minimize the number of syslogs sent when NTP sync fails and when the system clock is updated.

SNMP and BBI Support for OSPFv3 and MLDv2
-----------------------------------------
The IPSec feature was provided in the 6.7 release, but only in the command line interfaces. This release added configuration and monitoring support for MLDv2 via the BBI and SNMP interfaces.

SNMP trap for power failure
---------------------------
The IBM RackSwitch has hot-swappable redundant power supplies that can be monitored. When one power supply fails or is removed, the switch sends a failure notification SNMP trap. When the power supply returns to normal operation, the switch sends another notification SNMP trap.

RFC5340 Support (OSPFv3 IPv6)
-----------------------------
Modifications to OSPF for IPv6 in order to update it from the currently supported RFC 2740 to the newer RFC 5340.

Distributed vSwitch and vSphere 5.0
-----------------------------------
A distributed vSwitch (dvSwitch) spans multiple hypervisors in a data center and simplifies virtual machine networking by enabling the administrator to set up virtual machine networking for the entire datacenter from a centralized interface.

SNMP: need 8 RO & RW communities
--------------------------------
Updated switch SNMP incoming packet processing to support 8 read community strings and 8 write community strings.

BGP Route Reflector
-------------------
Route reflector (RFC 4456) is a technique to avoid the large number of sessions between IBGP peers. Typically BGP requires that IBGP peers be in a full mesh topology; for a large number of peers, scaling problems may appear. A route reflector (RR) is basically a router which distributes routes received from an IBGP peer to another IBGP peer.

Qbg/Vepa phase 2
----------------
Enable 802.1QBG support with Virtual Ethernet Port Aggregator (VEPA) mode (also called reflective relay) per port.

BGP Debug
---------
This feature allows the administrator to turn on logging of BGP update messages sent to or received from a particular neighbor.

================================================================================

IBM RackSwitch G8264CS Version 7.1.6.0 (Released October 2013)

** Changes since the 7.1.5.0 release **

Enhancements:
None

Changes:
None

Fixes:
- User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484)
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649)
- A crash would occur when routing packets to an unreachable IPv6 gateway. (68081)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749)
- BGP neighborship sessions would flap when receiving BGP route messages that contained community attributes. (XB194426)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895)
- The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108)
- A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions. (XB209257)
- A crash would occur if the traceroute command was executed with an IPv6 address specified, and no IPv6 management interfaces were configured. (XB215717)
- A crash would occur if a ping was issued to a random host name, and an IPv6 DNS server was unreachable or non-existent. (XB216882)
- A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. (XB217674)
- A crash would occur if a TFTP upload or download was attempted, and no IPv6 interfaces were configured. (XB218041)
- The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795)
- A crash would occur when receiving a random sequence of IGMPv3 reports that were interleaved from different Multicast receivers. (XB219263)
- Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985)

================================================================================

IBM RackSwitch G8264CS Version 7.1.5.0 (Released June 2013)

** Changes since the 7.1.3.0 release **

Enhancements:
None

Changes:
- Added support for new front-to-back airflow power supplies (part numbers 94Y8104 and 94Y8105).

Fixes:
- A security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches. (CVE-2013-0149)

================================================================================

IBM RackSwitch G8264CS Version 7.1.3.0 (Released June 2013)

** Changes since the 7.1.2.0 release **

Enhancements:
None

Changes:
None

Fixes:
- Firmware upgrades could fail if a transceiver was removed or inserted during the process. The failure would be accompanied by the error message "CRC Error in KERNEL region".
- A security vulnerability existed in IBM switches which support Fibre Channel over Ethernet (FCoE), in that data frames were being flooded out of every port if the destination address was not in the MAC table. (CVE-2013-0570)

================================================================================

IBM RackSwitch G8264CS Version 7.1.2.0 (Released June 2013)

Initial release.