Troubleshooting
Problem
PureApplication System W1700, W2700, and W3700 systems are affected by the hardware processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, known as Spectre and Meltdown.
Cause
For more information on these vulnerabilities, see "Security Bulletin: IBM PureApplication Service/Systems, which includes IBM OS Images for Red Hat Linux Systems, as well as AIX-based and Windows-based deployments, has released a fix in response to the vulnerabilities known as Spectre and Meltdown."
Resolving The Problem
Fully addressing these vulnerabilities in PureApplication System requires applicable firmware updates from hardware device manufacturers for management and compute nodes, hypervisor software updates, and operating system (OS) updates for virtual images and deployed virtual machines.
IBM has released fixes for firmware, AIX and VIOS in response to CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. Both the AIX/VIOS and firmware fixes are required to address the vulnerabilities.
The firmware fix is applied to compute nodes as part of the upgrade to version 2.2.5.0. The AIX 7.1 and 7.2 base OS virtual images that are delivered as part of PureApplication System 2.2.5.0 have been patched with fixes.
These patches include:
- FSP updates
  - POWER8: FW860.42 (01SV860_138_056)
  - POWER7: FW783.51 (01AF783_039_021)
- VIOS updates
  - VIOS 2.2.5.30 + efix IJ03030m9b
- Kernel patches in base OS images

New deployments using these updated virtual images will be protected from the vulnerabilities:
- IBM OS Image for AIX Systems (AIX 7.1) 2.1.10.0
- IBM OS Image for AIX Systems (AIX 7.2) 3.0.0.0
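
A check for the FSP firmware levels listed above, added here as an example and not IBM's code: it compares a reported level string against the POWER8 and POWER7 fix levels from this page. It assumes service packs within a release are cumulative; the function name and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): check an FSP firmware level string against
# the fixed levels listed on this page.
# Assumption: levels look like 01SV860_138_056 or SV860_138, i.e.
# [01]<release>_<service pack>[_<last disruptive level>].

# Minimum fixed level per release, from this page: FW860.42 and FW783.51.
FIXED_LEVELS="SV860_138 AF783_039"

# check_fw_level LEVEL
# Prints fixed | vulnerable | unknown; returns 0 | 1 | 2.
check_fw_level() {
    fw_level=$(printf '%s' "$1" | tr -d '[:space:]' | sed 's/^01//')
    fw_release=${fw_level%%_*}              # e.g. SV860
    fw_rest=${fw_level#*_}
    fw_sp=${fw_rest%%_*}                    # e.g. 138
    # Reject anything that is not <release>_<digits>.
    case "$fw_level" in *_*) ;; *) echo unknown; return 2 ;; esac
    case "$fw_sp" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    # Strip leading zeros so 039 is compared as decimal 39.
    fw_sp=$(printf '%s' "$fw_sp" | sed 's/^0*//'); fw_sp=${fw_sp:-0}
    for fw_min in $FIXED_LEVELS; do
        [ "$fw_release" = "${fw_min%%_*}" ] || continue
        fw_min_sp=$(printf '%s' "${fw_min#*_}" | sed 's/^0*//')
        if [ "$fw_sp" -ge "$fw_min_sp" ]; then
            echo fixed; return 0
        fi
        echo vulnerable; return 1
    done
    # Release not listed on this page: no basis for a verdict.
    echo unknown; return 2
}

# Constructed sample inputs, not taken from a real system.
for sample in 01SV860_138_056 SV860_103 01AF783_039_021 AF783_038 SV840_147 junk; do
    printf '%-18s %s\n' "$sample" "$(check_fw_level "$sample")"
done
```

A "fixed" firmware verdict alone is not sufficient: the page requires both the firmware fix and the AIX/VIOS fix.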
You must patch existing virtual images and workloads with the available updates.
Refer to "Security Bulletin: IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown" to determine whether the affected filesets are installed on your virtual machines and how to update them.
To patch existing workloads that run on the AIX OS, you can use either an emergency fix that is installed through PureApplication System or the IBM Endpoint Manager Service. For more information, see the following Knowledge Center documents:
IBM Endpoint Manager Service:
- Configure the IBM Endpoint Manager shared service: IBM Endpoint Manager Service
- Configure the IBM Endpoint Manager Client: Install Endpoint Manager clients
Emergency fix:
- Package the emergency fix: Packaging emergency fixes
- Import the emergency fix: Adding emergency fixes to the catalog
- Apply the emergency fix: Applying fixes
Important: After applying patches to existing VMs, you must restart the VMs for the patches to be effective.
Use these steps to extend an affected virtual image, apply the patches, and capture the updated virtual image for use with your to-be-deployed workloads (also referred to as deployments or instances):
- Extend a virtual image, which deploys a classic virtual system virtual machine image:
  - Click Catalog > Virtual Images.
  - Select a virtual image, and then click Extend.
  - Enter values in the General information and Deployment configuration sections.
  - Click OK.
- A new entry is created in the virtual images list. Click the new image.
- Click the link for In the cloud now.
- You are redirected to the Virtual System Instances (Classic) page. The status of this instance should be Running.
- Log on to the classic virtual system virtual machine, and apply the operating system patch to the virtual machine (VM). Refer to "Security Bulletin: IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown" for more information.
- Capture a new virtual image from the classic virtual system VM:
  - Click Catalog > Virtual images.
  - Select your extended image and click Capture.
- Use Pattern Builder to update patterns to use the new virtual image.
For W1500, W2500, W3500, and W3550 systems, see "Mitigating CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 in PureApplication System W1500, W2500, W3500, and W3550."
Document Information
Modified date: 15 June 2018
UID: swg22014828