This IBM Security Virtual Server Protection for VMware patch fixes LMI pages showing "Loading", but not showing contents. Also fixes a PVU calculation issue due to server models not in the PVUTable.xml.
IBM Security Virtual Server Protection for VMware 188.8.131.52
Last modified: 06/18/2013
PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.
© Copyright IBM Corporation 2009, 2013.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
- Applying the Update
- MD5 of included files
- TECHNICAL SUPPORT
- Reporting product issues
This patch contains enhancements for
IBM Security Virtual Server Protection for VMware V184.108.40.206
This patch fixes the following issues for IBM Security Virtual Server Protection for VMware Systems:
Under some conditions LMI pages do not work and always show "Loading" but do not show any contents on the page.
PVU calculations were wrong because their server model was not in the PVUTable.xml.
This patch also incorporates these previously released fixes for IBM Security Virtual Server Protection for VMware V220.127.116.11:
+ IBM Security Virtual Server Protection for VMware can be affected by several vulnerabilities in OpenSSL. These vulnerabilities include obtaining sensitive information and denial of service that might be exploited remotely by an attacker.
+ On the IBM Security Virtual Server Protection for VMware System, SSH can be affected by these vulnerabilities because no authentication or specialized knowledge is required, and the vulnerabilities are remotely exploitable (CVE-2013-0169, CVE-2013-0166, CVE-2011-1473, CVE-2012-2131, CVE-2011-4576, CVE-2011-4619, CVE-2012-1165, and CVE-2011-4354).
+ The iptables on the security virtual machine (SVM) block traffic on the eth1 interface, which is used by the anti-rootkit module to communicate with the ESX host to perform rootkit detection.
This update applies only to:
IBM Security Virtual Server Protection for VMware V18.104.22.168.
APPLYING THE UPDATE
To apply the update:
Important: You must have root user permissions to perform the steps in this procedure.
Prerequisites for Steps 3 through 7:
All guest VMs on the ESX/ESXi host must be migrated to another host to ensure business continuity. If the guest VMs are not migrated, then you must shut them down before you follow these instructions.
These instructions assume that VSP V22.214.171.124 is running on the ESX/ESXi host.
1. Copy the patch file to the /var/support directory of the SVM (126.96.36.199-ISS-VSP-host-svm-FP003.sh).
2. On the SVM, from the /var/support directory, run the patch installation script:
The patch installation performs an automatic reboot of the SVM.
Steps 3 through 6 provide instructions for updating the VSP kernel module on the ESX/ESXi host. If you have previously installed patch 188.8.131.52-ISS-VSP-host-FP001 or 184.108.40.206-ISS-VSP-host-svm-FP002 on the SVM, then you can skip these steps. If you are not sure that you have previously installed patch 220.127.116.11-ISS-VSP-host-FP001 or 18.104.22.168-ISS-VSP-host-svm-FP002, you can perform Step 7 to verify whether the kernel module version is installed and loaded successfully. If it is not, then perform steps 3 through 6.
If you have never performed ESX Server Configuration in provVSetup on the host (e.g., with a new installation), then skip steps 3 and 4.
3. Uninstall the agent from the provVSetup menu. Important: After the agent is uninstalled, turn off the SVM. Do not delete the SVM.
4. Reboot the ESX/ESXi host.
5. Start the Network Configuration / ESX Server Configuration in provVSetup. The updated module is pushed and installed on the ESX host.
6. Use the VMware vSphere client to go to the SVM settings and select the "Connected" and the "Connect at power on" check boxes for network adapters 2, 3 and 6.
7. On the SVM, issue the following command to verify that the new kernel module is installed and loaded:
grep "Version of ibm-iss-vmkmod" /var/iss/engine1.log
If the new kernel module is installed and loaded successfully, the following output is displayed:
On ESX/ESXi 4.1:
2013/04/12 16:34:53.983 T:3083860672 Version of ibm-iss-vmkmod: [22.214.171.12421107] Version of IPS Engine: [126.96.36.19930315]
On ESXi 5.x:
2013/04/12 16:39:23.211 T:3084061376 Version of ibm-iss-vmkmod: [188.8.131.5221024] Version of IPS Engine: [184.108.40.20630315]
Note: The version string of the IPS Engine contained in this patch is different than the version string of the kernel modules for both the 4.1 and 5.x platforms. You might see a warning in engine1.log about this version difference. You can safely ignore this warning.
Refer to the following Technote for troubleshooting information if the procedure is not successful:
MD5 OF INCLUDED FILES
TECHNICAL SUPPORT FOR NORTH AMERICA
IBM Security Systems provides technical support to customers that are entitled to receive support.
The IBM Support Portal
Before you contact IBM Security Systems about a problem, see the IBM Support Portal at http://www.ibm.com/software/support
The IBM Software Support Guide
If you need to contact technical support, use the methods described in the IBM Software Support Guide at
The guide provides the following information:
- Registration and eligibility requirements for receiving support
- Technical support telephone numbers for the country in which you are located
- Information you must gather before contacting technical support
INFORMATION REQUIRED FOR REPORTING PRODUCT ISSUES
If you encounter a problem with this product, please make notes that are as detailed as possible about the following:
- Version of IBM Security Virtual Server Protection for VMware
- IBM Security Virtual Server Protection for VMware configuration
- Network deployment
- Specific failure symptoms or undesirable behavior
This information helps us reproduce the problem and resolve it as quickly as possible.