Keep in mind that you should follow the FLRT recommendations so that you do not get to the point of having a level of firmware incompatible with the level you're running on your HMC.
In the FLRT it is important that you enter your HMC, firmware, VIOS and any OS levels at the same time.
Original Message:
Sent: Tue February 18, 2025 12:08 PM
From: Phill Rowbottom
Subject: CVEs and old firmware
Let's just say, you can jump a lot of firmware updates without issue....
------------------------------
Phill Rowbottom
Unix Consultant
Service Express
Bedford
Original Message:
Sent: Tue February 18, 2025 09:43 AM
From: Marc Rauzier
Subject: CVEs and old firmware
OK, thanks Phil.
However, if I understand correctly https://www.ibm.com/support/pages/node/7131459 there might be situations where one will not be able to install a security (they don't talk about hiper) fix if the firmware is not (almost) up-to-date:
------------- quote--------------
With the release of each new IBM Quarterly Service Pack for IBM Power systems, IBM will make the latest security updates separately available (if any) for the current firmware version/release free of charge, to the extent required by applicable law.
If additional separate security updates are released, they will
- Include only the security fixes for the most current Quarterly Service Pack, and
- Can only be applied to the immediately preceding Quarterly Service Pack.
------------- quote--------------
But my English understanding might be in trouble here!
------------------------------
Marc Rauzier
Original Message:
Sent: Tue February 18, 2025 07:29 AM
From: Phill Rowbottom
Subject: CVEs and old firmware
Unless there has been a change since I last checked, not for HIPERs.
------------------------------
Phill Rowbottom
Unix Consultant
Service Express
Bedford
Original Message:
Sent: Tue February 18, 2025 06:13 AM
From: Marc Rauzier
Subject: CVEs and old firmware
Isn't a UAK, and therefore an IBM maintenance contract, needed to apply firmware updates?
------------------------------
Marc Rauzier
Original Message:
Sent: Tue February 18, 2025 04:34 AM
From: Phill Rowbottom
Subject: CVEs and old firmware
My company does TPM & a form of "3rd party software support" (assistance). We can't provide firmware updates, patches etc as that is a breach of IBM's copyright/intellectual property/legal stuff on them etc.... as Andrey Klyachkin says....I'm (also) not a lawyer. Firmware wise, you don't need a support agreement with IBM to access any firmware updates marked as HIPER though.
------------------------------
Phill Rowbottom
Unix Consultant
Service Express
Bedford
Original Message:
Sent: Mon February 17, 2025 10:04 AM
From: Robert Berendt
Subject: CVEs and old firmware
With the regulation cited I wasn't sure if TPMs even had a choice of whether or not to put this into their contract.
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Mon February 17, 2025 09:22 AM
From: Birgit Röhm
Subject: CVEs and old firmware
My personal opinion: They are obliged to do what they write in the contract and the customer can expect to get what they signed.
I assume a TPM will not list anything in the contract that they cannot deliver. At least this is what my understanding of serious business is. So most probably you will not see anything related to firmware updates or (security) patches in the contract.
This is why it is so important to read the small print.
But of course I cannot speak for any company.
------------------------------
Birgit Röhm
Original Message:
Sent: Mon February 17, 2025 07:58 AM
From: Robert Berendt
Subject: CVEs and old firmware
But, as a TPM and not the manufacturer, are they still obligated to provide firmware (which they cannot) or cease and desist offering maintenance?
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Mon February 17, 2025 07:42 AM
From: Birgit Röhm
Subject: CVEs and old firmware
Third Party Maintenance providers cannot create any patches. Of course they don't have access to Power Systems firmware - what a disaster that would be if everybody could do so ;-)!
That is one reason why IBM service extension is the better option if you absolutely need to keep the old boxes.
The following statement was issued by IBM mgmt regarding TPMs:
Third party maintenance providers are not capable of providing the same level of support as IBM. The points below are exclusive to an IBM Hardware Support Extension:
a) IBM certified parts, based on availability.
b) Per call limited to IBM clients who maintain service with IBM.
c) The latest IBM certified firmware and machine code (only existing ones, not development of new).
d) Maintain access to usage and known defects information.
e) Proactive notifications of product issues and security exposures.
------------------------------
Birgit Röhm
Original Message:
Sent: Mon February 17, 2025 07:14 AM
From: Robert Berendt
Subject: CVEs and old firmware
I wonder about that "Manufacturer" part. Let's say the manufacturer (IBM) drops support. Now some third party claims to offer support. Are they then obligated to patch firmware also? On a LinkedIn group I belong to, whenever I mention EOS there's this third party which always chimes in trying to get customers.
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Mon February 17, 2025 04:30 AM
From: Andrey Klyachkin
Subject: CVEs and old firmware
Birgit,
I am not a lawyer and don't want to get into it, but there has been a new EU Cyber Resilience Act since the end of 2024. According to it, even after the support phase, the manufacturer must provide security-related information if it is known to them within 72 hours. It doesn't matter if the manufacturer has a fix or not.
The CRA doesn't distinguish between "standard" or "extended" support. If the hardware is supported, the manufacturer must provide a security patch free of charge for all consumers.
Some of the CRA obligations have been active since December (?) 2024, and others will be active during 2025-2026. I am not sure if IBM must provide the fixes for POWER8 today for all European consumers, but if the POWER8 extended support will be in place in 2026, that might be the case.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Fri February 14, 2025 10:21 AM
From: Birgit Röhm
Subject: CVEs and old firmware
Yes. That is what I mean - you have no right to get such a fix and when you sign a service extension contract this is in the T&Cs and you cannot expect anything.
Correct, POWER8 is out of standard service.
And I don't think it is up to "their whim" - they will definitely consider it very carefully. And when you look at the CVE mentioned, I believe that development understood that this is really a severe problem and they know that a number of POWER8 customers chose the service extension and are still productively using those systems - thus many customers are vulnerable and IBM does not want to leave them out in the rain.
------------------------------
Birgit Röhm
Original Message:
Sent: Fri February 14, 2025 09:57 AM
From: Robert Berendt
Subject: CVEs and old firmware
I'm under the belief that Power 8 is not under standard service anymore. Yet they issued a fix for the high CVE. Yet they did not issue a fix for the lower risk one. Is this what you mean by "not obliged"? Whether or not they do is up to their whim?
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
Original Message:
Sent: Fri February 14, 2025 04:50 AM
From: Birgit Röhm
Subject: CVEs and old firmware
Hello Robert,
to my knowledge, end of standard service normally means that NO new security fixes are issued. This is why it is so important to stay current on your hardware. Only known defects are covered.
So if a new security issue arises, then IBM is not obliged to provide a fix. I assume (not being in IBM TLS) that this is clearly outlined in the contract when you order service extension.
Here you can download a flyer describing the full service extension scope: https://www.ibm.com/services/systems-support
Excerpt from that flyer:
Reduce risk and protect your current technology investments
Running EOS equipment can feel like a risky business, but it doesn't have to be. IBM technical specialists offer globally consistent onsite or remote service to address hardware support needs for withdrawn equipment. Their in-depth knowledge and experience help provide seamless known defect support, including existing microcode fixes and patches. The service also covers parts replacement, depending on availability. IBM's worldwide reach fosters a holistic approach to hardware support services that helps identify dependencies across your organization's IT environment. The service also helps you mitigate the risk of compliance challenges, lost data, and decreased staff productivity that can accompany failed equipment.
------------------------------
Birgit Röhm
Original Message:
Sent: Thu February 13, 2025 08:38 AM
From: Robert Berendt
Subject: CVEs and old firmware
Normally if a CVE is published for IBM related products we generally do not discover it until IBM has a fix on it. I'm giving IBM the benefit of the doubt that they don't want to publish potential hacks without giving you a way to address it.
So, if some level of firmware has a CVE against it, they tell you when they have an update to that firmware to address it. For example, any of the entries at https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Power%20Systems
So if there is a critical one, like this 9.8 level one: https://www.ibm.com/support/pages/node/7174183 they will tell you what firmware levels are vulnerable and how to fix it. For Power 9 & 10 they release a new firmware level. For Power 8 they have a 'mitigation' but only if you are on the latest firmware level for that. I assume that this means for Power 7 and below you are vulnerable. I'm sure that somewhere there is an ostrich who is sticking their head in the sand and choosing to believe that the earlier stuff is simply not vulnerable because they didn't have the newer code with the vulnerability.
My question is this: Does this match with extended service offerings with those Power models?
Follow up question. If it is a less critical CVE like https://www.ibm.com/support/pages/node/7172698, which fails to mention anything lower than a Power 9, is IBM not bothering with older systems? Or are the ostriches right?
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne