Original Message:
Sent: Wed May 24, 2023 05:16 PM
From: Gustavo Orlando de Santis
Subject: CVE 2023-30438
Sorry, to be sure, so as @Pete Heyrman said, and as I commented before from my side:
We have firmware level at VH950_092_045 (FW950.30)
Required firmware level is VH950_124_045 (71)
Here is the HMC update information screenshot:
And in FLRT we have
![](https://dw1.s81c.com//IMWUC/MessageImages/cb37d8caa67d43e49031a7272083e7af.png)
And taking into account that:
An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed.
(In our case 092 > 045)
So if we update, this will be concurrent, with NO need to reboot the server or the LPARs, since the release is the same (950) and the last disruptive service pack level (045) is the same. Is that correct?
Thanks again team. I already opened a skill case to IBM Support, but still waiting for their reply on this.
Gustavo
------------------------------
Gustavo Orlando de Santis
Original Message:
Sent: Wed May 24, 2023 04:36 PM
From: Alan Fulton
Subject: CVE 2023-30438
To clarify, it can be applied concurrently from the last ACTIVATED disruptive service pack, so as not to confuse it with deferred.
------------------------------
Alan Fulton Follow me on Twitter - @The_Iron_Monger
Budd Lake
2015329657
Original Message:
Sent: Wed May 24, 2023 04:05 PM
From: Pete Heyrman
Subject: CVE 2023-30438
Yes, all the POWER9 and Power10 SPs for CVE 2023-30438 can be applied concurrently from the last disruptive service pack.
------------------------------
Pete Heyrman
Original Message:
Sent: Wed May 24, 2023 03:11 PM
From: Vincencio Michaelis
Subject: CVE 2023-30438
Hi Pete
Is the same valid for P10, that the security patch will be activated concurrently?
thx vince
------------------------------
Vincencio Michaelis
Original Message:
Sent: Wed May 24, 2023 03:07 PM
From: Pete Heyrman
Subject: CVE 2023-30438
A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level are the same. From the example, updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same. A successful concurrent apply and activate will be running with all the latest fixes that are concurrent. There is no need to reboot any of the partitions on the server. The fix packs may contain deferred fixes and those require a server reboot to apply. The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.
------------------------------
Pete Heyrman
Original Message:
Sent: Wed May 24, 2023 12:04 PM
From: Gustavo Orlando de Santis
Subject: CVE 2023-30438
Hello,
We have a similar question for that published CVE, but we are running a Power9 server:
We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)
So this should be an update if I am correct, right?
File name convention from documentation:
01VHxxx_yyy_zzz
xxx is the release level
yyy is the service pack level
zzz is the last disruptive service pack level
An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed.
(In our case 092 > 045)
Our question then is, if this is a concurrent update from the HMC GUI (that is, Updates > Change LIC > "for the current release"),
would that process not need to power off the server?
Also, the LPARs from the server to be updated, should they have to be IPLed?
We just want to be sure if this concurrent installation procedure has to be done with any LPAR/server/or any other device turned off, or if doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything?
Thanks in advance
------------------------------
Gustavo Orlando de Santis
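Added example, not part of the thread and not IBM tooling: a small check that applies the file name convention and the concurrency rule quoted in the message above, taking the activated level as input as Alan Fulton's reply stresses. The function names, the result labels and the level names marked "constructed" are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Level-name layout quoted in the thread: 01VHxxx_yyy_zzz.
# Assumptions: the leading "01" is optional, the two-letter prefix is opaque,
# and the release may be 3 or 4 digits (the thread mentions 950 and 1030).
LEVEL_RE = re.compile(r"^(?:01)?([A-Z]{2})(\d{3,4})_(\d{3})_(\d{3})$")


class FwLevel(NamedTuple):
    prefix: str
    release: int          # xxx
    service_pack: int     # yyy
    last_disruptive: int  # zzz


def parse_level(name: str) -> FwLevel:
    m = LEVEL_RE.match(name.strip().upper())
    if m is None:
        raise ValueError(f"not a firmware level name: {name!r}")
    prefix, xxx, yyy, zzz = m.groups()
    return FwLevel(prefix, int(xxx), int(yyy), int(zzz))


def update_mode(activated: str, target: str) -> str:
    """Classify installing `target` on a system whose ACTIVATED level is `activated`."""
    cur, new = parse_level(activated), parse_level(target)
    if cur.release != new.release:
        return "disruptive"    # the quoted rule requires the same release (xxx)
    if cur.service_pack >= new.service_pack:
        return "not-needed"    # already at or above the target service pack
    if cur.service_pack >= new.last_disruptive:
        return "concurrent"    # activated yyy >= target zzz
    return "disruptive"


if __name__ == "__main__":
    required = "VH950_124_045"            # required level quoted in the thread
    for current in ("VH950_092_045",      # level quoted in the thread
                    "VH950_030_030",      # constructed
                    "VH940_050_027",      # constructed
                    "VH950_124_045"):     # already at the required level
        print(f"{current} -> {required}: {update_mode(current, required)}")
```

Feed it the activated level reported by the HMC, not the installed or deferred one; a fix that is only deferred is not covered by this check.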
Original Message:
Sent: Tue May 23, 2023 02:34 AM
From: Andres Cordoba
Subject: CVE 2023-30438
Hi Robert,
You have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.
Regards.
------------------------------
Andres Cordoba
Unix Specialist
Dia Corporate
Madrid
+34 676934659
Original Message:
Sent: Mon May 22, 2023 09:42 AM
From: Robert Berendt
Subject: CVE 2023-30438
https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/
The firmware was concurrent for my case.
I am now at:
Installed level: fw1030.01 (030)
Activated level: fw1030.10 (058)
Deferred level: FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level? Or does the deferred stuff just refer to other hardware, etc items?
------------------------------
Robert Berendt IBMChampion
------------------------------