Power Global

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I don't understand why it should be disruptive.  I am trying to go from ML 1030_030 to ML1030_058_026.  Last I knew 030 was in between 058 and 026 and should not be disruptive.  I would understand if I was at a level of 1030 less than 026.

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I don't recall having ever received that message.  Maybe I just blew by it?

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Yes, it does sound like you're missing something.  The only time I've seen that message is when there isn't a functional RMC connection from the HMC to the LPAR (AIX LPARs).  During the concurrent firmware update process the HMC needs to be able to instruct the LPAR to reset/reload the CPUs that it's using, this is done via RMC.

Phill.

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

IIRC the only time I've seen that message is when RMC connection between the HMC and one or more managed LPARs, wasn't working.

IMHO part of the physical server firmware is part of a LPAR.
This is based on a memory of a image that contained this information and when I've updated firmware on server that has sufficiently large number of LPARs, the HMC GUI showed how many LPARs had been updated, at the end of "for the Current Release..." firmware update.

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

About that RMC connection... Does it matter if RMC connection only shows up for AIX and VIOS lpars and not IBM i?

IIRC the only time I've seen that message is when RMC connection between the HMC and one or more managed LPARs, wasn't working.

IMHO part of the physical server firmware is part of a LPAR.
This is based on a memory of a image that contained this information and when I've updated firmware on server that has sufficiently large number of LPARs, the HMC GUI showed how many LPARs had been updated, at the end of "for the Current Release..." firmware update.

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

I'm sorry if I'm hijacking the thread...but...

My experience is that even the non-disruptive updates give a message at the end that goes something like: "The update has been applied concurrently.  You must restart each partition to apply the update to that partition."

Ummmmm...if I have to restart every partition, then I might as well restart the entire frame.  Well...I suppose I could restart the partitions at different times, so there's a little bit more flexibility.  But I just restart the frame every time I do an update so that the update is completely applied.

Am I missing something?

I would expect it disruptive for sure.

You should see the other Power 10.  They both started out at the same level but the other one had an issue (case opened) and now it's at the following.

When I tried to apply the update again (as recommended in the case) it said it would be disruptive.  I had to cancel.

Can you confirm that the Deferred level is really shown as FW1030.11 (045).  We would have expected FW1030.10 (045).

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hello Team. We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance
Gustavo

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level is the same.  From the example,  updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same.  A successful concurrent apply and activate will be running with all the latest fixes that are concurrent.  There is no need to reboot any on the partition on the server.  The fix packs may contain deferred fixes and those require a server reboot to apply.  The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hi Pete
same valid for P10 that security patch will be activated concurrent ?
thx vince

A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level is the same.  From the example,  updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same.  A successful concurrent apply and activate will be running with all the latest fixes that are concurrent.  There is no need to reboot any on the partition on the server.  The fix packs may contain deferred fixes and those require a server reboot to apply.  The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Hi Pete
same valid for P10 that security patch will be activated concurrent ?
thx vince

A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level is the same.  From the example,  updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same.  A successful concurrent apply and activate will be running with all the latest fixes that are concurrent.  There is no need to reboot any on the partition on the server.  The fix packs may contain deferred fixes and those require a server reboot to apply.  The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Yes, all the POWER9 and Power10 SPs for CVE 2023-30438 can be applied conncurrently from the last disruptive service pack.

Hi Pete
same valid for P10 that security patch will be activated concurrent ?
thx vince

A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level is the same.  From the example,  updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same.  A successful concurrent apply and activate will be running with all the latest fixes that are concurrent.  There is no need to reboot any on the partition on the server.  The fix packs may contain deferred fixes and those require a server reboot to apply.  The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

To clarify , can be applied conncurrently from the last ACTIVATED disruptive service pack. So as not to confuse with deferred, 

Yes, all the POWER9 and Power10 SPs for CVE 2023-30438 can be applied conncurrently from the last disruptive service pack.

Hi Pete
same valid for P10 that security patch will be activated concurrent ?
thx vince

A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level is the same.  From the example,  updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same.  A successful concurrent apply and activate will be running with all the latest fixes that are concurrent.  There is no need to reboot any on the partition on the server.  The fix packs may contain deferred fixes and those require a server reboot to apply.  The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.

------------------------------
Pete Heyrman

Original Message:
Sent: Wed May 24, 2023 12:04 PM
From: Gustavo Orlando de Santis
Subject: CVE 2023-30438

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?

Sorry, to be sure, so as @Pete Heyrman said, and as I commented before from my side:

We have firmware level at VH950_092_045 (FW950.30)
Required firmware level is VH950_124_045 (71)

Here is the HMC update information screenshot:

And in FLRT we have



And taking into account that:

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

So if we update, this will be concurrent, NO need to reboot the server neither the LPARs, since the release is the same (950) and the last disruptive service pack level (045) is the same. is that correct?

Thanks again team. I already opened a skill case to IBM Support, but still waiting for their reply on this.

Gustavo

To clarify , can be applied conncurrently from the last ACTIVATED disruptive service pack. So as not to confuse with deferred, 

Yes, all the POWER9 and Power10 SPs for CVE 2023-30438 can be applied conncurrently from the last disruptive service pack.

Hi Pete
same valid for P10 that security patch will be activated concurrent ?
thx vince

A service pack can be applied concurrently (while the server and partitions are active) if the release level and the last disruptive service pack level is the same.  From the example,  updating from HV950_092_045 to HV950_124_045 can be applied concurrently since the release is the same (950) and the last disruptive service pack level (045) is the same.  A successful concurrent apply and activate will be running with all the latest fixes that are concurrent.  There is no need to reboot any on the partition on the server.  The fix packs may contain deferred fixes and those require a server reboot to apply.  The security fix that went into HV950_124_045 is concurrent so once the service pack is activated successfully, the fix will have been applied.

------------------------------
Pete Heyrman

Original Message:
Sent: Wed May 24, 2023 12:04 PM
From: Gustavo Orlando de Santis
Subject: CVE 2023-30438

Hello, 

We have similar question for that published CVE, but we are running a Power9 server:

We have firmware level at VH950_092_045 (30)
Required firmware level is VH950_124_045 (71)

So this should be an update if am correct, right?

file name convention from documentation:
01VHxxx_yyy_zzz 
xxx is the release level 
yyy is the service pack level 
zzz is the last disruptive service pack level 

An installation is concurrent if: The release level (xxx) is the same, and The service pack level (yyy) currently installed on the system is the same or higher than the last disruptive service pack level (zzz) of the service pack to be installed. 
(In our case 092 > 045)

Our question then is, if this is a concurrent update> from HMC GUI (that is, Updates>Change LIC> "for the current release") 
Would that process not need to power off the server? 

Also, the LPARs from the server to be updated , should they have to be IPLed? 
We just want to be sure if this concurrent installation procedures has to be done with any LPAR/server/or any other device to be turned off , or doing it concurrently it is a "transparent" installation and there is no need to power off/IPL anything? 

Thanks in advance

Hi Robert,

you have to power off and on the server. Your activated level is 1030.10 so your system is still affected by the vulnerability.

Regards.

https://www.itjungle.com/2023/05/22/critical-security-vulnerability-in-powervm-hypervisor/

The firmware was concurrent for my case.

I am now at:
Installed level:  fw1030.01 (030)
Activated level:  fw1030.10 (058)
Deferred level:  FW1030.11 (45)
Is this CVE addressed on my machine or does it still require an IPL to remove the Deferred level and make it the Activated level?  Or does the deferred stuff just refer to other hardware, etc items?