General Page
Note: z/VSE 6.2 is not supported anymore. The End-Of-Service effective date is September 30, 2023, see z/VSE 6.2 End-Of-Service Information for details.
IBM periodically upgrades the z/VSE system libraries with the latest level of maintenance. This is known as a service refresh and contains all PTFs available at build time. A refresh is installed by performing a Fast Service Upgrade (FSU).
This refreshed system has been thoroughly tested. In general, a service refresh contains only corrections to the existing z/VSE system. In rare cases, it also might provide additional functions. These functions are implemented in a way that they do not influence your system when you do not use or need them.
As required, IBM provides refreshes at identical service levels for the z/VSE base programs, extended base products, and z/VSE optional programs.
You might want to install a refresh to avoid possible problems. Thus a service refresh might be an option for you, even if your system and its environment are stable. In addition, a refresh might be best when you want to make major changes to your system (add hardware devices or IBM licensed programs, for example). The maintenance requirements for these changes might make installing a service refresh the most efficient way to meet them
Note: Refreshes can be ordered only while the corresponding product release is available. After End of Marketing, refreshes can no longer be ordered, although the product is still in service.
Preventive Service Planning (PSP) buckets for z/VSE contain all HIPER PTFs (and other important service) for a specific set of products or components on a specific z/VSE refresh level. A PSP bucket has a name (upgrade ID) and contains product information ordered into different 'subsets'. Each subset relates to a product or set of products and contains different sections. HIPER APARs and a short error description can be found in section Service Recommendations together with the corresponding PTF number. In addition all corresponding PTFs are listed in the PTF Include List for easy ordering.
IBM Shopz can be used to order so called PSP critical service. This order includes all HIPER PTFs of all products and components currently installed on your system. You must provide an Installed Software Report when ordering the service. Such a report can be created with the Installed Software Report Tool.
- Order PTFs with IBM Shopz
- To search for PSP buckets for z/VSE 6.2.0, enter "Upgrade ZVSE620" on the IBM Support page
A preventive service offering is available for z/VSE, the Recommended Service Level (RSL).
This service offering fills the gap between z/VSE Refresh levels and the "High Impact or Pervasive APAR" (HIPER) service provided with "Preventive Service Planning" (PSP) buckets. An RSL consists of a list of ALL APAR/PTF numbers, which are available at specific cutoff dates. RSLs are updated more frequently than refreshes and contain ALL available service, not only the HIPER service.
RSLs are published like special RSL PSP buckets and on the z/VSE service page. RSL PSPs are ordered on tape like HIPER PSPs and can be ordered electronically.
This service offering helps customers keep their z/VSE system on a current and reliable service level. An RSL should be installed after installing the latest refresh, followed by the most current HIPER PSP bucket.
RSLs are available for z/VSE releases currently in service. For z/VSE releases, which are going out of service, an ‘End-of-Service’ RSL is provided
The following table contains lists of all available service for the individual z/VSE refresh levels at the specified date. The Base Products and Optional Products lists show the APAR numbers, corresponding PTF numbers, and the applicable component-IDs and CLCs. Separate 'PTF Order Lists' are provided which contain only the PTF numbers for easy ordering of the Recommended Service. Known PTF-in-Error (PE) solutions and prerequisite PTFs are included.
To order PTFs with IBM Shopz, open the order list and copy the PTF numbers over to the PTF number entry field. You may copy the PTF numbers of multiple products in one step, including the product names. Only input recognized as a PTF number is processed.
Latest update October 12, 2023
- z/VSE 6.2.0, upgraded to the October 6, 2023 level
- New PTFs are indicated by an asterisk in the Base Products and Optional Products files.
| Service recommended for | PTF Order List | Cutoff Date | |
|---|---|---|---|
| Out of Service releases | |||
| z/VSE 6.2.0 | Base Products | PTFs 620B | October 6, 2023 |
| Optional Prod. | PTFs 620O | ||
| z/VSE 6.1.0 | Base Products | PTFs 610B | July 2, 2019 |
| Optional Prod. | PTFs 610O | ||
| z/VSE 5.2.0 | Base Products | PTFs 520B | October 31, 2018 |
| Optional Prod. | PTFs 520O | ||
| z/VSE 5.1.2 | Base Products | PTFs 512B | Jun 30, 2016 |
| Optional Prod. | PTFs 512O | ||
| z/VSE 5.1.1 | Base Products | PTFs 511B | April 9, 2013 |
| Optional Prod. | PTFs 511O | ||
| z/VSE 5.1.0 | Base Products | PTFs 510B | Apr 26, 2012 |
| Optional Prod. | PTFs 510O | ||
This section describes how to create an "Installed Software Report" to be used with IBM Shopz. An Installed Software Report (also called z/VSE service bitmap) contains information about the products and components installed and PTFs that are applied on a z/VSE system. The report is build from information stored in the MSHP history file. To build the report, the MSHP RETRACE PRODUCTS and RETRACE PTFS functions are run. Afterwards the required information is extracted from the MSHP output and the report is created.
There is a tool available to build such a report for z/VSE. The tool connects to z/VSE by using FTP, runs 2 MSHP jobs and creates and stores the report on the workstation.
IBM strongly recommends that users of the z/VSE Operating System validate the currency of security and system integrity service and take action to promptly install all security and integrity PTFs.
In addition to available PTFs, IBM includes any pertinent Security and Integrity APAR fixes in the next Preventative Service Planning (PSP) bucket or Recommended Service Level (RSL) after the fix is available. The PSP bucket for z/VSE contains all HIPER PTFs along with other recommended service for a specific set of products or components on a specific z/VSE refresh level. The RSL offering provides a list of all APAR/PTF numbers available at specific cutoff dates and fills the gap between regular z/VSE Refresh levels and the more urgent service provided by the PSP bucket.
It is strongly recommended that clients validate the currency of their z/VSE security and system integrity service levels and routinely check the following list of APARs and PTFs to receive the latest information on IBM Z security and system integrity service. The timely installation of service, including security and system integrity service, can help minimize potential risks and maintain overall system security and availability.
Security and system integrity-related news:
| Date | Description |
|---|---|
| Dec 15, 2021 | No CVE-2021-44228 vulnerability in z/VSE z/VSE code does not include log4j. If customer applications require log4j, the customer is responsible to update log4j. Some as-is z/VSE Java tools may ask for installation of log4j. Please load the new version of log4j if you have installed it for example for CICS2WS Toolkit or Multi Instant Logic Analyzer4VSAM. |
| Feb 6, 2018 | Vulnerabilities Meltdown and Spectre Three security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory have been made public. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attacks and differ in the way that speculative execution is exploited. z/VSE operating system environments are unaffected. |
| Oct 4, 2016 | The SWEET32 vulnerability on Triple-DES (CVE-2016-2183) affects OpenSSL on z/VSE (PDF, 190KB) |
| Feb 8, 2016 | Vulnerability in MD5 Signature and Hash Algorithm (CVE-2015-7575) on z/VSE (PDF, 25KB) |
| Dec 18, 2014 | Impact of POODLE (CVE-2014-3566) on z/VSE (PDF, 105KB) |
Security and system integrity-related APARs and PTFs:
Last update: May 3, 2023
| APAR Date |
PTF | Contents |
|---|---|---|
| DY47862 2023/04/11 |
UD90370-62S | OpenSSL upgrade to 1.1.1t and security fixes for CVE-2023-0464 and CVE-2023-0465 |
| DY47857 2022/04/08 |
UD54405-62C | Upgrade to zlib 1.2.12 for CVE-2018-25032 |
| DY47856 2022/03/17 |
UD54404-62S | Security fixes for OpenSSL on z/VSE: CVE-2022-0778 |
| DY47851 2021/09/01 |
UD54399-62S | Security fixes for OpenSSL on z/VSE: CVE-2021-3712 |
| DY47846 2021/06/08 |
UD54394-62S | Updates for OpenSSL on z/VSE with TLSV1.3 |
| DY30239 2021/02/18 |
UD54385-62S |
|
| DY47825 2020/03/18 |
UD54364-62S | z/VSE V6.2: OpenSSL upgrade to 1.1.1d |
| DY47721 2017/07/26 |
UD54251-61S | z/VSE V5.2: zlib upgrade to V1.2.11 (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842) |
| DY47720 2017/07/26 |
UD54250-52S | z/VSE V5.2: zlib upgrade to V1.2.11 (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842) |
| DY47706 2017/03/17 |
UD54224-61S | z/VSE V6.1: Security fixes for OpenSSL (CVE-2016-2182, CVE-2016-6306) |
| DY47705 2017/03/17 |
UD54223-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2016-2182, CVE-2016-6306) |
| DY47689 2016/09/26 |
UD54211-61S | z/VSE V6.1: OpenSSL Upgrade to 1.0.2h plus CVE-2016-2177 |
| DY47688 2016/09/26 |
UD54209-52S | z/VSE V5.2: OpenSSL Upgrade to 1.0.2h plus CVE-2016-2177 |
| DY47613 2015/07/15 |
UD54123-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2015-1793) |
| DY47613 2015/07/15 |
UD54122-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2015-1793) |
| DY47610 2015/05/29 |
UD54118-52S | z/VSE V5.2: Security fixes for OpenSSL: The minimum Diffie-Hellman (DH) parameter length is changed to 1024 bits |
| DY47610 2015/05/29 |
UD54117-51S | z/VSE V5.1: Security fixes for OpenSSL: The minimum Diffie-Hellman (DH) parameter length is changed to 1024 bits |
| DY47602 2015/04/09 |
UD54106-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2015-0286) |
| DY47602 2015/04/09 |
UD54105-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2015-0286) |
| DY47591 2015/02/16 |
UD54091-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2014-3572, CVE-2014-8275, CVE-2015-0204) |
| DY47591 2015/02/16 |
UD54090-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2014-3572, CVE-2014-8275, CVE-2015-0204) |
| DY47581 2014/10/22 |
UD54072-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2014-3567) |
| DY47581 2014/10/22 |
UD54071-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2014-3567) |
| DY47561 2014/08/29 |
UD54054-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2014-3509, CVE-2014-3511) |
| DY47561 2014/08/29 |
UD54053-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2014-3509, CVE-2014-3511) |
| DY47545 2014/06/12 |
UD54037-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2014-0224) |
| DY47545 2014/06/12 |
UD54036-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2014-0224) |
| DY47534 2014/04/25 |
UD54027-52S | z/VSE V5.2: Security fixes for OpenSSL (CVE-2014-0160) |
| DY47532 2014/04/15 |
UD54020-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2014-0160) |
| DY47516 2014/02/18 |
UD54005-51S | z/VSE V5.1: Security fixes for OpenSSL (CVE-2013-4353, CVE-2013-6449, CVE-2013-6450) |
| DY47499 2013/10/17 |
UD53983-51S | z/VSE V5.1: OpenSSL 1.0.1e refresh |
| PM98875 2013/10/11 |
UK98397-B10 | IPv6/VSE update for TLSv1.2 support |
| DY47472 2013/06/25 |
UD53952-51S | z/VSE V5.1: OpenSSL: Remove RC4 cipher suites due to security issues. |
| PM77065 2012/11/19 |
UK83637-B10 | Initial IPv6/VSE version with OpenSSL support |
| DY47397 2012/09/11 |
UD53864-51S | z/VSE V5.1: OpenSSL 1.0.0d update for z/VSE 5.1 |
Was this topic helpful?
Document Information
Modified date:
03 April 2024
UID
isg3T1027465