HMC V3.3 cumulative fix history and Readme
[ Last updated: July 29, 2013 ]
Contents
This Readme contains PTF-specific information on the following HMC V3.3 packages.
- PTF U860526
Update for expired sacm certificates - HMC V3.3.7 update package
Recommended and supported level for HMCs that manage servers with POWER4 processors - PTF U814685
HMC 3.3.7 security fixes. - PTF U810401
OpenSSL security fix for HMC 3.3.7 - PTF U809968
OpenSSL security fix for HMC 3.3.7 (superseded by PTF U810401) - PTF U808917
Security fixes/DST fixes for HMC 3.3.7 - PTF U806370
Leap second, DST time and OpenSSL fixes for HMC 3.3.6 - HMC 3.3.5 security fixes
- HMC 3.3.4 security fixes
- HMC 3.3.3 security fixes
- HMC 3.3.0 security fixes
- HMC Command Line commands
HMC and UNIX commands for the restricted shell for HMC V3 R3.0 and higher - PE mode on the HMC
Security enhancement for the HMC
PTF U860526
Update for expired sacm certificates
Prerequisites
PTF U814685
Defects fixed
The fixes in this package address the following issue:
Fix for expired SACM certificate for call home.
Package verification information
ZIP file
Size: 15699 bytes
Output of sum command: 38984 16 U860526.zipISO file
Size: 98304 bytes
Output of sum command: 02813 96 U860526.isoSplash panel info
U860526: Update for expired SACM certificates. (07-09-2013)
HMC update for V3R3.7
If you are currently running HMC 3.2.6 or less, the HMC must first be installed with HMC V3R3.5 or greater before you can install this update. Order the HMC 3.3.5 Recovery CD set from the HMC V3.3 downloads page, and then upgrade your HMC to 3.3.5. You can then update to HMC 3.3.7, the recommended and supported HMC level for HMCs that manage servers with POWER4 processors.
This package updates the software on the HMC to Version 3 Release 3.7, and should be installed on top of HMC Version 3 Release 3.5 and higher. This update can be referenced by APAR IY82939. IBM recommends that all customers update to this level or higher.
Defects fixed
This package addresses the following issues:
- Websm CUOD panel errors when using remote client
- After disconnecting a server, HMC provider goes into a loop
- HMC lock up whan accessing DVD drive
- hscroot can't run mkauthkeys on behalf of other users
- Provide more secure restricted shell
- Core dump on 512 way
- The last partiton will not activate in system profile
- lssyscfg: profile/partition names interchanged
- No access to WebSM URL or Web Start w/ @ in password
- Enable dlpar capability for each individual resource type
- Latest Federation Switch Manager fixes
Package verification information
ZIP file
Size: 768116229 bytes
Output of sum command: 62558 750114 HMC_Update_V3R3.7.zipSplash panel info
The Version is 3
The Release is 3.7
PTF U814685
HMC Security: Privilege escalation by some HMC commands for HMC V3R3.7
This PTF is a cumulative fix that includes PTFs U810911, U808784, and U807972.
Prerequisites
You must have V3 R3.7 of the HMC installed in order to install this corrective service. You can use the HMC V3R3.7 Update to update your HMC if it is not at V3R3.7. You can download the V3R3.7 Update ZIP file, or order the CD-ROM on the HMC 3.3.x Download page.
Post installation
After you install install PTF U814685, install the following PTFs in the order listed. If you have already installed them, disregard this instruction.
- U808917
- U810401
Defects fixed
The fixes in this package address the following issue:
Fix for security exposure in some HMC commands.
Package verification information
ZIP file
Size: 14739125 bytes
Output of sum command: 62420 14394 U814685.zipISO file
Size: 15308800 bytes
Output of sum command: 35243 14950 U814685.isoSplash panel info
U814685: HMC Security: privilege escalation by some HMC commands (11-28-2007)
PTF U810401
OpenSSL/OpenSSH security fix
This package provides OpenSSL and OpenSSH security fixes for HMC V3R3.7. You can also reference this package by APAR IY91354.
This package includes and supersedes PTF U809968.
Defects fixed
This package addresses the following issues:
| Name | Description |
|---|---|
| CVE-2006-3738/VU#547300 | Fix buffer overflow condition. |
| CVE-2006-4343/VU#386964 | OpenSSL SSLv2 client code fails to properly check for NULL which could lead to a server program using openssl to crash. |
| CVE-2006-2937 | Fix mishandling of an error condition in parsing of certain invalid ASN1 structures, which could result in an infinite loop which consumes system memory. |
| CVE-2006-2940 | Certain types of public keys can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack to cause the remote side top spend an excessive amount of time in computation. |
| CVE-2006-4924 | Denial of service problems have been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. |
| CVE-2006-4925 | Fix problem where remote attacker is able to inject network traffic that could cause a client connection to close. |
Package verification information
ZIP file
Size: 3134641 bytes
Output of sum command: 25146 3062 U810401.zipISO file
Size: 3530752 bytes
Output of sum command: 63060 3448 U810401.isoSplash panel info
U810401: OpenSSL/OpenSSH security fixes (11-07-2006)
PTF U809968
OpenSSL security fix (PTF U809968)
This PTF (APAR IY90089) is no longer available; it has been superseded by PTF U801401.
Defects fixed
This package addresses the following issue:
CVE-2006-4339: OpenSSL RSA signature evasion
Package verification information
ZIP file
Size: 2362411 bytes
Output of sum command: 24881 2308 U809968.zipISO file
Size: 2758656 bytes
Output of sum command: 24112 2694 U809968.isoSplash panel info
U809968: OpenSSL security fix (10-13-2006)
PTF U808917
Apache security fix & fixes for DST
The following corrective service package, PTF U808917, must be installed only on HMC 3.3.7. You can use the HMC V3R3.7 Update package to update your HMC if it is not at V3R3.7. This package (U808917) is also referenced by APAR IY87070.
Defects fixed
This package addresses the following issues:
Service Agent
CVE-2002-0843: Apache Buffer Overflow Vulnerability
DST
Fixes to accommodate changes in Daylight Saving Time rules for 2007 and beyond.
This package also includes the fixes provided by PTF U805614 and U806370.
Package verification information
ZIP file
Size: 53696280 bytes
Output of sum command: 09587 52438 U808917.zipISO file
Size: 54110208 bytes
Output of sum command: 26156 52842 U808917.isoSplash panel info
U808917: CVE-2002-0843: Apache Buffer Overflow Vulnerability (07-28-2006)
PTF U806370
Leap second handling , DST time and openssl
The following corrective service package must be installed only on HMC 3.3.6. This package is referenced by APAR IY79212.
Defects fixed
This package addresses the following issues:
- Includes new library to handle leap second and DST time zone properly.
- Provides CAN-2005-0109: OpenSSL update.
- Provides CAN-2005-2969: OpenSSL fix for potential SSL 2.0 Rollback vulnerability.
Package verification information
ZIP file
Size: 48831364 bytes
Output of sum command: 18793 47687 U806370.zipISO file
Size: 49235968 bytes
Output of sum command: 15514 48082 U806370.isoSplash panel info
U806370: Fixes for leap second handling , DST time and openssl (11-23-2005)
| Fix name | Description |
|---|---|
| CAN-2004-0415 | kernel: local privilege escalation, race condition in file offset pointer handling |
| VU#550464 CAN-2004-0644 | krb5: remote unauthenticated DoS |
| no cert. | Kernel: unannounced security patches (audit & queued signals) |
| CAN-2004-0817 | imlib: local execution via heap overflow |
| CAN-2004-0687 CAN-2004-0688 | xf86: multiple buffer overflows with malformed xpm images |
| no cert. | gettext: Insecure temporary file handling |
| CAN-2004-0804 | tiff: Buffer overflows in image decoding |
| CAN-2004-0975 | Openssl: possible symlink attack via temp file mishandling |
| CAN-2004-0940 | Apache: local buffer overflow in get_tag function in mod_include |
| no cert. xf86: | SuSE security updates for libxpm |
| no cert. | imlib: SuSE xpm security updates in imlib |
| CAN-2004-0989 | libxml: remote code execution, buffer overflow |
| CAN-2004-0971 | krb5: krb5-workstation: Possible symlink attack, priv escalation via temproary file mishandling |
| Trustix Secure Linux Security Advisory #2004-0053 | Cyrus-sasl: (ver 1.5.27) Insecure handling of environment variable |
| Fix name | Description |
|---|---|
| CAN-2004-0415 | kernel: local privilege escalation, race condition in file offset pointer handling |
| VU#550464 CAN-2004-0644 | krb5: remote unauthenticated DoS |
| no cert. | Kernel: unannounced security patches (audit & queued signals) |
| CAN-2004-0817 | imlib: local execution via heap overflow |
| CAN-2004-0687 CAN-2004-0688 | xf86: multiple buffer overflows with malformed xpm images |
| no cert. | gettext: Insecure temporary file handling |
| CAN-2004-0804 | tiff: Buffer overflows in image decoding |
| CAN-2004-0975 | Openssl: possible symlink attack via temp file mishandling |
| CAN-2004-0940 | Apache: local buffer overflow in get_tag function in mod_include |
| no cert. xf86: | SuSE security updates for libxpm |
| no cert. | imlib: SuSE xpm security updates in imlib |
| CAN-2004-0989 | libxml: remote code execution, buffer overflow |
| CAN-2004-0971 | krb5: krb5-workstation: Possible symlink attack, priv escalation via temproary file mishandling |
| Trustix Secure Linux Security Advisory #2004-0053 | Cyrus-sasl: (ver 1.5.27) Insecure handling of environment variable |
| Fix name | Description |
|---|---|
| CAN-2004-0828 | IBM AIX ctstrtcasd Local File Corruption Vulnerability |
| VU#388984, VU#236656, VU#160448, VU#477512, VU#817368, VU#286464, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 | SECURITY libpng: multiple vulnerabilities |
| CAN-2004-0495, CAN-2004-0496, CAN-2004-0497, CAN-2004-0535, CAN-2004-0626 | SECURITY kernel: kernel multiple local privilege escalation |
| CAN-2004-0419 | SECURITY: XFree86: XDM: remote access on "closed" port |
| CAN-2004-0649 | SECURITY: L2tpd: remote execution of arbitrary files w/ prvs of l2tpd user |
| CAN-2004-0600, CAN-2004-0686 | SECURITY: mod_ssl remote exploit |
| VU#317350, VU#654390 | SECURITY: dhcp-server remote system compromise |
| Fix name | Description |
|---|---|
| CAN-2003-0252 | nfs-utils remote code execution |
| CAN-2003-0688 | sendmail remote DOS |
| CAN-2003-0694 | sendmail prescan() remote vulnerability |
| CERTVU#333628 | OpenSSH Remote Vulnerability |
| CVE CAN-2003-0693 | OpenSSH Remote Vulnerability |
| CVE CAN-2003-0695 | OpenSSH Remote Vulnerability |
| CVE CAN-2003-0682 | OpenSSH Remote Vulnerability |
| CAN-2003-0543 | openSSL ASN.1 Vulnerability |
| CAN-2003-0544 | openSSL ASN.1 Vulnerability |
| CAN-2003-0545 | openSSL ASN.1 Vulnerability |
| CAN-2003-0961 | kernel do_brk vulnerability |
| CAN-2003-0989 | TCPDUMP remote DOS |
| CAN-2004-0003 | kernel do_mremap local vulnerability |
| CAN-2004-0010 | kernel do_mremap local vulnerability |
| CAN-2004-0077 | kernel do_mremap local vulnerability |
| CAN-2004-0075 | kernel do_mremap local vulnerability |
| SECUNIA ADVISORY ID SA10958 | libxml2 URI Parsing Remote Buffer Overflow |
| SECUNIA ADVISORY ID SA10846 | mutt Remote Buffer Overflow |
| CAN-2004-0079 | openssl remote DoS |
| CAN-2004-0112 | openssl remote DoS |
| CAN-2004-0093 | xf86 GLX remote DoS/ privilege escalation |
| CAN-2004-0094 | xf86 GLX remote DoS/ privilege escalation |
| CAN-2004-0183 | Security: Second tcpdump ISAKMP remote DOS |
| CAN-2004-0109 | Security: kernel ISO9660/JFS local privilege escalation |
| CAN-2004-0181 | Security: kernel ISO9660/JFS local privilege escalation |
| CAN-2004-0174 | Security: Apache multiple vulnerabilities |
| CAN-2003-0987 | Security: Apache multiple vulnerabilities |
| CAN-2003-0020 | Security: Apache multiple vulnerabilities |
| CAN-2003-0993 | Security: Apache multiple vulnerabilities |
| CAN-2003-0542 | Security: Apache multiple vulnerabilities |
| MIT krb5 Security Advisory 2004-001 | Security: kerberos aname_to_localname remote root compromise |
HMC and UNIX commands for the restricted shell for HMC V3 R3.0 and higher
The following HMC commands are available for the restricted shell.
| Command | Description |
|---|---|
| bkprofdata | Backup profile data configuration |
| chcuod | Change Capacity on Demand attribute |
| chhmc | Change HMC's configuration |
| chhmcusr | Change a HMC User attribute |
| chhwres | Change Hardware Resource Configuration (DLPAR) |
| chswnm | Enables/Disables Swith Network Manager software |
| chswpower | Powers switch board on and off |
| chsyscfg | Change a system resource configuration |
| chsysstate | Changes the state of the System, such as power on/off, activate partition |
| hmcshutdown | Shutdowns the HMC |
| lscuod | Displays information about Capacity on Demand |
| lshmc | Displays information about the HMC, such as network configuration |
| lshmcusr | Displays users on the HMC |
| lshwinfo | Displays Hardware information such as temperature, voltage, current |
| lshwres | Displays Hardware Resource Information |
| lslpars | Displays LPAR configuration in a column format |
| lssvcevents | Displays Serviceable Events |
| lsswendpt | Displays status about the end points and servers known to the Switch Network Manager |
| lsswenvir | Displays the power environment for a switch board |
| lsswmanprop | Displays information about HMC, networks and planes |
| lsswtopol | Displays Switch Network Manager switches and links |
| lsswtrace | Displays Switch Network Manager Log information |
| lssyscfg | List System Resouce configuration |
| mkauthkeys | Add/Remove ssh keys on the HMC |
| mkhmcusr | Creates a user on the HMC |
| mksyscfg | Creates a system resource configuration such as LPAR |
| mkvterm | Opens a Virtual Terminal session |
| pedbg | Performs various debug functions for Problem Determination |
| pesh | Provides shell access for Problem Determination |
| rmhmcusr | Removes a user on the HMC |
| rmsplock | Removes a lock set in the Service Processor |
| rmsyscfg | Removes a system resource configuration such as lpar |
| rmvterm | Closes a Virtual Terminal session |
| rsthwres | Restores Hardware Resource Configuration |
| rstprofdata | Restores Profile Data |
| testlinecont | Performs line-continuity diagnostic test |
| verifylink | Performs verify-link diagnostic test |
| updhmc | Updates code on the HMC |
Linux commands for the restricted shell
The following UNIX commands are also available in the restricted shell for HMC Version 3 Release 3.0.
| Command names | ||
|---|---|---|
| basename | cat | clear |
| cp | cut | date |
| diff | du | echo |
| egrep | expr | fgrep |
| getopt | grep | head |
| host | less | ls |
| man | more | mount |
| netstat | ping | scp |
| sed | sleep | sort |
| ssh | sum | tail |
| umount | uname | who |
| whoami | ||
Security enhancement on the HMC (PE mode)
The following security enhancement applies to both the lpp-based (R3V2.6) and machine code versions (V3.0 and V4.0) of the HMC.
PE Mode on HMC
To give IBM support personnel the ability to retrieve certain trace/debug information on the HMC, the customer can create a user hscpe and assign a password. IBM support can contact the customer to get the password, and then remotely connect to the HMC (with customer consent).
This allows IBM support to perform additional functions, such as viewing logs or starting trace to diagnose problems on the HMC. This user has access similar to the hscroot user on HMC.
When accessing the HMC remotely via ssh, the hscpe user is put into the restricted shell environment. The pesh command provides a means to bypass the restricted shell. The pesh command can be run by the hscpe user only, allowing this user to pass in the serial number of the HMC. If the serial number is correct, the user is required to enter a password obtained from IBM Support. If the password is correct, then the user is then put into the un-restricted shell as user hscpe.
For example:
pesh 23A345K
Enter the serial number in uppercase letters. When prompted for a password, enter in lowercase letters the password provided by IBM support.
To query the HMC serial number, use the following command:
lshmc -v | grep SE
Or, find the serial number on the label that is on the front of the HMC.
Use the date command to verify that the date of the HMC is for the day you intend to use the pesh command.
With HMC Version 3 Release 3.0 and Version 4 Release 1.0, you can also access the restricted shell terminal on the local HMC. Right-click on the desktop and select the Terminal--rshterm task. You can also login at the HMC as user hscpe, and then run the pesh command from the restricted shell terminal.
For HMC Version 3 Release 3.0 and below, you can create the hscpe user id with any role. However, to use some of the High Performance Switch (HPS) debug commands, you must select the Service Rep role.
For HMC Version 4 Release 1.0 and above, the hscpe user id MUST be created with hmcpe task role.