TITLE: HPE Integrity Superdome X Server Firmware Bundle

VERSION:
Firmware Version: 8.8.18

DESCRIPTION:                                                                                                                                                         
This bundle contains the Complex and nPartition Firmware updates for HPE Integrity Superdome X Servers with BL920s Gen8 and Gen9 blades. It includes an integrated OA (Onboard Administrator).

WARNING: If you are updating from a version prior to 6.0.42, you must first install 6.0.42 and then upgrade to 8.2.106 (bridge release for digital signing) prior to updating to this version.

WARNING: If you are updating from a version between 6.0.42 and 8.2.106, you must install 8.2.106 (bridge release for digital signing) prior to updating to this version.

WARNING: To ensure that the OA GUI continues to work after December 31, 2016, after upgrading from version 7.6.0 or earlier to version 8.2.106 or later, the OA SHA1 self-signed certificate will be removed and replaced with SHA256 self-signed certificate. To prevent security warnings, customer is encouraged to re-generate the self-signed certificate with the common name (CN) matching exactly the OA hostname as known by the web browser. See the Certificate Administration section in the OA user guide for more information. 

Note:                                                                                                                                                                  

• Superdome X version 5.73.0 or later supports online complex firmware update:
• The update of the Complex firmware takes effect without any additional operator interaction; some server management capabilities will become inactive until the update completes.
• The new Partition firmware however only gets programmed into the Flash ROM during the update, and a partition reboot is required to activate it. This enables rolling upgrades, where the new Partition firmware may get activated on one partition at a time, when it is convenient to bring the partition down for a reboot.
• This mixed operational mode is supported for an indefinite period of time, provided the combinations of Complex and Partition firmware are compatible.  The table below describes those supported compatible Complex/Partition firmware combinations:
• Yes in the cell means that the combination for the Partition (row)/ Complex (column) is supported and No that it is not supported.
  Note:
• The complex firmware version must always be greater than or equal to the partition firmware (but not all such combinations are supported).
• Online firmware downgrade is not supported.

 

 

Complex Firmware

5.73.0 1

6.0.42

7.5.0

7.6.0

8.2.106

8.4.84

8.5.3

8.7.84

8.8.2

8.8.14

8.8.16

8.8.18

Partition Firmware

5.73.0

Yes

Yes

Yes 1,3

Yes1,3

Yes1,3

Yes1,3

Yes1,3

Yes1,3

Yes,3,4

Yes,3,4

Yes,3,4

Yes,3,4

6.0.42

No

Yes

Yes 2,3

Yes2,3

Yes2,3

Yes2,3

Yes2,3

Yes2,3

Yes2,3,4

Yes2,3,4

Yes2,3,4

Yes2,3,4

7.5.0

No

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes4

Yes4

Yes4

Yes4

7.6.0

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes4

Yes4

Yes4

Yes4

8.2.106

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

8.4.84

No

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes

8.5.3

No

No

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes

8.7.84

No

No

No

No

No

No

No

Yes

Yes

Yes

Yes

Yes

8.8.2

No

No

No

No

No

No

No

No

Yes

Yes

Yes

Yes

8.8.14

No

No

No

No

No

No

No

No

No

Yes

Yes

Yes

8.8.16

No

No

No

No

No

No

No

No

No

No

Yes

Yes

8.8.18

No

No

No

No

No

No

No

No

No

No

No

Yes

 

Note 1:  Updating Complex FW from 5.X.X to 7.5.0 or later requires installing 6.0.42 first because of changes to the digital firmware bundle signature.

Note 2: Online Complex FW updates from 6.0.42 to 7.5.0 or later will show Mixed firmware due to newer PDH FPGA in 7.5.0.  Partition operation is supported in this condition. To complete the PDH FPGA update, turn off the partition(s) when convenient, and rerun firmware update.
Note 3: BL920s Gen8 Blades support running Complex FW version 7.5.0 or later with Partition FW 5.73.0 or 6.0.42, but Gen9 Blades require both Complex and nPartition FW version 7.5.0 or later when using v3 family processors, or version 8.2.106 or later when using v4 family processors.

Note 4: See 2 WARNING at top of the release notes regarding stepping updates from versions from or prior to 6.0.42 to 8.2.106.

• Additional details about online complex firmware updates can be found in the HPE Integrity Superdome X and Superdome 2 Onboard Administrator User Guide

UPDATE RECOMMENDATION: Recommended
HPE requires users update to this version immediately.
Note: Review the FIXES section to check if your system may be affected by the issue fixed in this release.   

 [ ] Critical                                                                          

    [ ] Panic, [ ] Hang, [ ] Abort, [ ] Corruption, [ ] Memory Leak, [ ] Performance  [  ] Security

    [ ] Hardware Enablement, [ ] Software Enablement

[ ] Required

[X] Recommended

[ ] Optional

    [ ] Hardware Enablement, [ ] Software Enablement, [ ] non-critical

[ ] Initial Customer Release

 

SUPERSEDES:
Firmware version: 8.8.16

PRODUCT MODEL(S):          
HPE Integrity Superdome X Servers

OPERATING SYSTEMS:  
OSes supported on Gen9 blades with v4 family processors:

·       RHEL 6.7, 6.8, 6.9, 6.10, 7.2, 7.3, 7.4, 7.5, 7.6

·       SLES 11 SP4, 12 SP1, 12 SP2, 12 SP3, 12 SP4

·       Windows Server 2012 R2, 2016

·       VMware vSphere 6.0 U2, 6.0 U3, 6.5, 6.5 U1, 6.5 U2

OSes supported on Gen9 blades with v3 family processors:

·       RHEL 6.6, 6.7, 6.8, 6.9, 6.10, 7.1, 7.2, 7.3,7.4, 7.5 , 7.6

·       SLES 11 SP3, 11 SP3 for SAP, 11 SP4, 12, 12 SP1, 12 SP2, 12 SP3, 12 SP4

·       Windows Server 2012 R2, 2016

·       VMware vSphere 5.5 U3, 6.0 U1, 6.0 U2, 6.0 U3, 6.5 U2

OSes supported on Gen8 blades:

·       RHEL 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3,7.4, 7.5 , 7.6

·       SLES 11 SP3, 11 SP3 for SAP, 11 SP4, 12, 12 SP1, 12 SP2, 12 SP3, 12 SP4

·       Windows Server 2012 R2, 2016

·       VMware vSphere  5.5 U3, 6.0 U1, 6.0 U2, 6.0 U3

 

LANGUAGES:
International English

ENHANCEMENTS:

·       Added support for RHEL 7.6  and  SLES12 SP4

FIXES:

Complex firmware:

·       Fixed issue where CAE events 7571 and 8086 may sometimes be erroneously logged for power on error during repeated partition power on, power off or partition reboot. A new CAE event 12428 is added to report partition power on failure.  

 

nPartition firmware:

·       Updated with Intel microcode Revision 0B000033  for Broadwell.

·       Updated with Intel microcode Revision 00000013  for Haswell.

 

      Recommended I/O firmware:

        HPE recommends running with the IO firmware versions found on the “HPE Integrity Superdome X IO firmware and Windows Drivers image” version 2019.04 or later, available on the Superdome X firmware download page on HPESC, under the “Software – CD-ROM” section.Warning: Do not update I/O using the SPP (Service Pack for Proliant) as it may install versions that are not supported, which may cause unnecessary downtime.

Note:      

• After replacing an I/O adapter, check if a supported I/O firmware version is installed or update the firmware.
• After replacing an InfiniBand 545M card, if the replacement card comes with the firmware 10.10.40402 installed, you need to contact your HPE field representative to update the firmware to a supported version as a special procedure must be followed in that case.
• On partitions with more than 8 Infiniband 545M cards installed, HPE recommends using RHEL 7.2 or later.
• For additional details on how to install I/O firmware and for a complete list of known issues, please refer to the HPE Integrity Superdome X IO firmware and Windows Drivers image release notes.

 

      Required I/O drivers:

• For servers running a supported Linux operating system, no additional I/O driver updates are needed. For supported OS details, refer to the Linux white paper Running Linux on HPE Integrity Superdome X.
• For servers running Windows operating system, if needed, the I/O drivers should be updated using the HPE Integrity Superdome X IO firmware and Windows Drivers image (version 2019.04 or later) as the update from the SPP with HP SUM is not working for the Superdome X server at this time. You can find the latest HPE Integrity Superdome X IO firmware and Windows Drivers image on the Superdome X for Windows  download page, under Software CD-ROM. Follow the instructions in the bundle for installing the components.
• For servers running VMware, the I/O drivers should be updated using the appropriate async drivers which are available from http://vibsdepot.hpe.com/sdx/. Customers need to build their own custom VMware VSphere distributions. For details, please refer to the VMware white paper Running VMware vSphere on HPE Integrity Superdome X available at http://www.hpe.com/support/superdomeXvmware-whitepaper

 

• OS requirements

A.      Linux 

All Linux OS related information is available from the Linux white paper Running Linux on HPE Integrity Superdome X:

                                                              i.      Check the HPE Servers Support & Certification Matrices for special OS requirements for the HPE Integrity Superdome X Server

                                                             ii.      Linux SMH and WBEM providers: HPE recommends that you install the latest versions of the SMH and WBEM providers for your SLES or RHEL Operating System from the Software Delivery Repository (SDR). Superdome X providers are available under http://downloads.linux.hpe.com/repo/bl920-wbem/
Note: You must install the SMH package prior to the WBEM providers or in the same session.

Note: Reboot is not required for the SMH and WBEM provider changes to take effect.

 

                                                          iii.      Check the Linux white paper for additional details and recommendations.

 

B.      Windows
I/O drivers and WBEM providers for Windows OS for Superdome X are available as part of the HPE Integrity Superdome X IO Firmware and Windows Drivers image version 2019.04 (or later) on the Superdome X download page on HPE Support Center, under Software CD-ROM. Follow the instructions in the bundle to install the components.

For more information on installing Windows OS and components on Superdome X, see the Windows white paper Running Microsoft Windows Server on HPE Integrity Superdome X, at http://www.hpe.com/support/superdomeXwindows-whitepaper.

C.      VMware:

I/O drivers and WBEM providers for VMware are available from this link http://vibsdepot.hpe.com/sdx/downloads/ . HPE recommends to use the latest released version.

For Gen8 blades and Gen9 blades with Intel v3 family processors, select: gen8gen9v3

o   For Gen9 blades with Intel v4 family processors, select: gen9v4

For more information on installing VMware OS and components on Superdome X, see the VMware white paper Running VMware vSphere on HPE Integrity Superdome X available at http://www.hpe.com/support/superdomeXvmware-whitepaper

 

PREREQUISITES:

NOTE:

• Firmware version 7.5.0 or later is required to support BL920s Gen9 blades with Intel E7 v3 family processors.
• Firmware version 8.2.106 or later is required to support BL920s Gen9 blades with Intel E7 v4 family processors

WARNING:

·       If you are updating from a version prior to 6.0.42, you must first install 6.0.42 and then upgrade to 8.2.106 (bridge release for digital signing) prior to updating to this version.

·       If you are updating from a version between 6.0.42 and 8.2.106, you must install 8.2.106 (bridge release for digital signing) prior to updating to this version. 

IMPORTANT:

• HPE strongly recommends implementing the following security best practices to help reduce both known and future security vulnerability risks:

1.       Isolate the management network by keeping it separate from the production network and not putting it on the open internet without additional access authentication.

2.       Patch and Maintain LDAP and web servers.

3.       Run the up-to-date viruses and malware scanners in your network environment

4.       Apply HPE Firmware updates as recommended.

 

INSTALLATION INSTRUCTIONS:

Please review all instructions and the "Hewlett Packard Enterprise Support Tool License Terms" or your Hewlett Packard Enterprise support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this package. It is important that you read and understand these instructions completely before you begin. This can determine your success in completing the firmware update.

These instructions describe how to install the firmware version 8.8.18. The list below is a summary of the steps to install the firmware.

A.       Downloading the bundle

B.       Updating Complex firmware using OA CLI  

C.     Updating specific nPartition firmware using OA CLI (optional)

D.       Updating IO firmware, SMH and WBEM providers

NOTE: For more details, review the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide. 

Update Superdome X Complex from Firmware Bundle using Onboard Administrator's Command Line Interface (CLI)

A. Downloading the bundle

1.       Download the file hpsdx-<version>-fw.bundle in a new folder in your desktop.

2.       Copy the bundle file to a USB Key or to a FTP Server reachable from Onboard Administrator.

NOTE: If you are using FTP, then please make sure the transfer mode is set to "Binary".

NOTE: At this time, the OA only supports 16GB or less USB keys.

Note:

• Online complex firmware update is supported starting with firmware version 5.73.0 (see the online firmware update table and notes at the top of the release notes).
• For offline complex firmware updates, you must power off all partitions before upgrading to this firmware version. You must use the ALL option with this firmware upgrade to ensure that the partitions will boot with the new partition firmware after the update.

B. Updating Superdome X Complex and nPartition firmware using OA CLI

1.       Connect to Onboard Administrator over Telnet or SSH and login to get the command line prompt.

NOTE: Only in case of offline firmware update, do the following steps a. and b. below, otherwise skip to step 2 for online firmware update. Offline update requires downtime for the entire server. Online update is recommended for servers with firmware versions 5.73.0 or later (skip a. and b. and go directly to step 2 for online update).

Offline update:

a. Gracefully shutdown OS in each partition, using shutdown -h, as forcing partition power off is likely to corrupt OS.

b. Power down all blades using the following command (not required if performing an online firmware update):
     OA1-CLI> POWEROFF PARTITION X FORCE
This may take some time. You can use the following command to confirm status of partitions:
      OA1-CLI> parstatus P

NOTE: The update procedure for online update of complex firmware on systems with firmware version 5.73.0 or later starts here.

2. Verify communications between the OA and all installed Blades, using the connect blade command for each of the installed Cell Blades.
NOTE:  If the OA to any blade communications is not working, update firmware will fail.

                      sd-oa1> connect blade 1

                      Connecting to bay 1 ...

 User:OAtmp-Administrator-53A9 logged-in to ILO-B.hp.com(16.11.18.7 / FE80)
 iLO 4 Advanced for BladeSystem HP limited-distribution date-restricted test 1.57 at Apr 29 2014
Server Name: sd-oa1
Server Power: On 

3. Use the update firmware command, as shown below, to point to Integrated Firmware Update Bundle at a valid ftp location.

OA1-CLI> UPDATE FIRMWARE <uri> all

NOTE: The "all" option must be used in order to update complex AND partition firmware

             Where The <uri> should be formatted as usb://<path> for USB installations. Use the SHOW
             USBKEY command to obtain the <path>.

Example:

Using FTP:

update firmware ftp://user:passwd@15.1.1.75/firmware/hpsdx-<version>-fw.bundle all

Using USB Key:

update firmware usb://d2/hpsdx-<version>-fw.bundle all

NOTE: The Firmware update process can take up to 1 hour to complete. During this process you might notice no progress for up to 30 minutes at certain time. In between the updates, connection to OA will be lost as OA will reboot to proceed towards other firmware updates. OA might take up to 30 minutes to come to ready state after the reboot. After OA is rebooted you can reconnect back to OA and login to confirm successful update.

4.       Run the OA command UPDATE SHOW FIRMWARE to display the versions of complex bundle last installed and firmware versions installed.

Example:

OA1-CLI> UPDATE SHOW FIRMWARE

Configured complex firmware bundle version: 8.8.18

====================================================================

Firmware on all devices matches the complex configured bundle version
Note: Partition firmware activation requires a partition reboot (see step C. 5.).

5.       Verify all partitions are ready to be started using:

parstatus -P command (this command will not work until the OA restart is complete)

NOTE: Step 6 is only needed in case of offline firmware update (steps 1. a. and b. above)

6. Power on the partitions using poweron partition [X] for each of the nPartitions.

C. Updating specific nPartition firmware using OA CLI (optional)

    Note: Step C is not needed if you have updated both complex and all partition firmware in step B above. 

1.       Connect to Onboard Administrator over Telnet or SSH and login to get the command line prompt.

2.       Run the OA command UPDATE SHOW NPARTITION ALL to display the versions of partition firmware installed.

Example:

OA1-CLI> UPDATE SHOW NPARTITION ALL

nPartition firmware version applied to partition 1 nPar0001

Configured nPartition Firmware Version: 8.8.18

Active nPartition Firmware Version: 8.8.18

nPartition firmware on all blades matches the partition's configured version

 

3.       Use the update npartition command, as shown below, to point to Integrated Firmware Update Bundle at a valid ftp location and update the desired partition, taking into account planned downtime for OS update and reboot.

OA1-CLI> UPDATE NPARTITION <npar name or number or ALL> <uri>

Where <npar name or number> is the partition whose nPartition firmware should be updated.
The ALL keyword would update nPartition firmware for all blades in the enclosure.

The <uri> should be formatted as usb://<path> for USB installations. Use the SHOW USBKEY command to obtain the <path>.

Examples:

Using FTP:

update npartition 1 ftp://user:passwd@15.1.1.75/firmware/hpsdx-<version> -fw.bundle

Using USB Key:

update npartition 1 usb://d2/hpsdx-<version>-fw.bundle

4.       Repeat step 2 to verify that the requested update was successful

5.       Restart nPar to activate partition firmware (when ready for Partition downtime)

Note: if nPartition firmware was updated in step B, but not activated, shut down all running OSs in the nPar then power off the nPar, then power on the nPar. The nPar restart will cause the updated nPartition firmware to be activated. The following sequence can be used:

OA1-CLI>POWEROFF PARTITION< npar#> OVERRIDE

• Gracefully shuts down nPar
• Alternatively, run /etc/shutdown -h on all running OSs

OA1-CLI> POWEROFF PARTITION< npar#> FORCE

• Really power off the nPar

OA1-CLI> POWERON PARTITION <npar#>

• Start the nPar

       Run the OA command UPDATE SHOW NPARTITION ALL to display the versions of partition firmware installed.

Example:

OA1-CLI> UPDATE SHOW NPARTITION ALL

• nPartition firmware version applied to partition 1 nPar00
• Configured nPartition Firmware Version: 8.8.18
• Active nPartition Firmware Version: 8.8.18
• nPartition firmware on all blades matches the partition's configured version.

D. Updating IO firmware, SMH and WBEM providers

See the section COMPATIBILITY/INTEROPERABILITY section for supported IO cards, WBEM providers, and supported versions.

DETERMINING CURRENT VERSION:

• Establish a telnet session with OA and login to the get the command prompt
• Type the OA command "UPDATE SHOW FIRMWARE" to display the version of complex bundle installed.
• Type the OA command UPDATE SHOW NPARTITION ALL to display the version of nPartition firmware installed on each partition.

KNOWN ISSUES & WORKAROUNDS:

·       OA web interface stops working when LDAP user login to OA and modifies the “Advanced Security Settings” (SSL/TLS ciphers, protocols).
Workaround: Login to OA cli as local administrator user and modify the “Advanced Security Settings”.

·       Remote serial console applet may not launch with Java Runtime Environment (JRE) version 6.
Workaround: HPE recommends updating to the latest JRE version on the client system.

·       The user might see the following warning or notice while launching the Remote Serial Console (RSC) applet from the OA GUI: “Applet or Pericom version mismatch between the local applet the browser already has, and what server has to send to the browser. Close all browser instance and then start the browser again.”

Workaround: HPE recommends deleting the previously cached TeemWorld.jar file from java cache using Java Control Panel.

·       Updating the Superdome X firmware via FTP may fail if the password contains some special characters, for instance, §, $, & or space (but not!). This is due to interpreting the special character as part of the command instead of the password.
Workaround: Use quotes around the URI (ex. update firmware ‘ftp://user:passwd@15.1.1.75/firmware/hpsdx-<version>-fw.bundle’ all).

·       In very rare cases, after booting a Brocade 16Gb/28 SAN Switch, all internal ports of the switch attached to a 16Gb Fibre Channel QH2672 mezzanine card on a Superdome X server may be running at 8 Gbps instead of the configured 16 Gbps. This is due to the OA not detecting the server backplane type on time and may cause a SAN performance degradation. For more details, see advisory c05384312.

·       With RHEL 7.3, the time for booting to the OS prompt increases with the number of iSCSI ports and LUNs configured. It may take up to 2 hours with 32 iSCSI ports assigned to iSCSI LUNs, due to the system taking a lot of time scanning for all the ports and their mapped disks.

• The UEFI Shell command does not accept '0x' as a prefix when entering a hexadecimal value.
  Workaround: Enter the hexadecimal value without 0x in front.
• If a user connects remote vMedia to a partition from the IRC applet, a show partition dvd all from the OA CLI will not report that the partition is connected to media via the Virtual Media Applet.
• Java execution errors may be seen when launching the IRC (Integrated Remote Console) or RSC (Remote Serial Console) from the OA GUI, causing the applets to fail to launch, when using a Java Runtime Environment (JRE) other than the Oracle version.

Workaround: Remove or de-configure all java environments other than the Oracle version as this is the only JVM currently supported by iLO. The Oracle Java 7 JRE works correctly.

• When more than one DIMM in a partition has been de-configured, the "partition status" and "pending changes" TABs on the OA GUI only show the first DIMM as de-configured.
  Workaround: Refresh the OA GUI screen or use the CLI parstatus command to show correct information.
• After a USB cable is reconnected between the OA and its matching GPSM (maybe due to a repair or lose connection), SHOW ENCLOSURE STATUS reports the Enclosure ID as "Degraded" instead of OK.
  Workaround: Reboot the OA to clear the erroneous status.
• When using the Firefox browser, users may only use IRC for a single partition at a time as only one instance of the IRC client can be opened at a time.
  Workaround: use Internet Explorer and the non-java based IRC client.
• The parstatus command incorrectly displays the complex IO enclosure capacity as 8 instead of 0.
• If a user performs an OA restart, OA failover or FW Update while an nPar is in OSBOOT state, the nPar state unexpectedly changes to UP state.
• When an alternate parspec is created with default granule sizes, the parstatus Z <parspec_name> command will display negative values (-1 MB) for granule size.
• Invalid ROM contents message may be seen in Linux OS syslog when booting to run level 5 with the partition VGA enabled.
• In network topologies with thousands of systems and high broadcast traffic, new connections or re-login to the OA may not be possible due to OA overflowing the ARP cache with network requests. Existing OA connections are not affected by this issue.
  Workaround: Reset the OA (via existing connection, serial connection or by pressing the reset button).
• Superdome X complex uses 169.254.x.x and 10.254.x.x addresses for internal management. Those addresses are visible to the outside LAN via SNMPwalk, which may cause incorrect reports of IP address conflicts. As a result, tools that use SNMPwalk to avoid IP address conflicts may refuse to use the 169.254.x.x or 10.254.x.x for other systems outside of the complex. Other than incorrect SNMP reporting, the internal management network traffic is contained within the complex and will not affect customers management network.
  Note: The addresses 169.254.x.x and 10.254.x.x are not available to be used by the OA EBIPA.

DISCLAIMER:
The information in this document is subject to change without notice.

Hewlett Packard Enterprise makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be reproduced, photocopied, or translated to another language without the prior written consent of Hewlett Packard Enterprise.

(C) Copyright 2015-2019 Hewlett Packard Enterprise Development L.P.

FEEDBACK
As we are continuing to improve the firmware management process we welcome your feedback on this document and on the firmware update process: TEAM-FWupdateFeedback@groups.ext.hpe.com  

SUPERSEDES HISTORY:

 

Version 8.8.16:

Enhancements:

•         Added support for RHEL 6.10, 7.5  and VMware  6.5 U2(Gen9 blades)

Fixes:

Complex firmware:

·       SFW addresses the following known vulnerabilities, CVE-2018-3639 and CVE-2018-3640, for all supported types of processors. For details refer to the advisory here .  

·       SFW addresses the following L1 Terminal Faults:

o   L1 Terminal Fault - OS, SMM (CVE-2018-3620). Please note this mitigation also requires operating system software updates.

o   L1 Terminal Fault - OS, VMM (CVE-2018-3646). Please note this mitigation also requires operating system software updates, and VMM software updates

        Note: For more information, see the bulletin a00055017en

·       IPMI/DCMI are now disabled by default when iLO is reset to factory defaults.

 

Version 8.8.14:

Enhancements:

Complex firmware:

•         Enabled "Content-Security-Policy" (CSP) header in HTTP responses from Onboard Administrator.

•         Enhanced OA on SDX to offer “Advance Security Settings” in strong encryption mode. This feature allows Administrator user to enable/disable SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocols and ciphers.

 

nPartition firmware:

·       Updated Intel Haswell, Broadwell and Ivy Bridge microcode to address CVE-2017-5715.

Complex firmware:

·       Addressed CVE-2017-12542 and CVE-2017-12543 vulnerabilities in iLO4.

·       Fixed an issue where the OA GUI could become very slow or sluggish and possibly log response timeouts.

·       Fixed the issue where the user name was displayed as Unknown in the OA GUI for LDAP users that are part of 2 or more LDAP groups.

·       RSC (Remote Serial Console) Java applet launch issue with Java Runtime Environment (JRE) version 1.8.0_141 and higher is fixed.

 

Version 8.8.6:

      REMOVED

 

Version 8.8.2:

 

Complex firmware fixes:

•     An instance of Document Object Model (DOM) based Cross-Site Scripting (XSS) vulnerability has been addressed.

•     An instance of Stored Cross-Site Scripting (XSS) vulnerability has been addressed.

•     Enabled HTTP Strict Transport Security (HSTS) headers in HTTPS response from Onboard Administrator.

•     NTP is upgraded to address CVE-2016-7434 vulnerability.

•     Addressed a memory leak issue in SNMP.

 

Version 8.7.84:

FIXES
nPartition firmware fix:

·       Blades with a mix of 32GB and 64GB DDR4 PC-2133 and PC-2400 DIMMs would be indicted and marked as degraded even though the blade and all its installed memory was available to the partition. With this release the blade is no longer indicted and marked as degraded.

IMPORTANT: Due to a compatibility issue, blades with a mix of 32GB DDR4 PC-2133 and PC-2400 DIMMs will fail to power on if these DIMMs are installed within the same DRAM bus or lockstep pairs. For more details, see advisory c05404697.  

ENHANCEMENTS:

·       Added support for RHEL 6.9, VMware 6.0 U3 and 6.5

·       Added support for Xeon E7-8894

·       Added support for iSCSI on the 650FLB adapters (FW version 11.1.183.23) with Windows 2016, VMware 6.5 and RHEL 7.3 starting with Superdome X firmware version 8.7.84 (bundle 2017.03)

Version 8.5.3:
FIXES:

nPartition firmware fix:

• Under certain error conditions, the system firmware would rarely enter an assert loop, flooding the OA with events, thus hindering the OAs ability to power-off or reboot the failing system. This is now fixed.

Complex firmware fixes:

• The system no longer crashes (MCA) when faulty DIMMs trigger a CMC (Corrected Machine Check) storm leading to multiple corrected memory errors.
• Software applications could lead to generating events 1063 or events 100924. For instance, HPE diagnostics or Windows 2012 hypervisor could generate events 1063. These were not hardware related errors. With firmware version 8.5.3, events 1063 will no longer be reported and events 100924 will now be reported at a reduced rate.

 

ENHANCEMENTS:

• Added support for Windows Server 2016, RHEL 7.3 and SLES 12 SP2
• Added VMware OS support for 560M/FLB adapters on Superdome X Gen9 blades with v4 family processors
• Added RoCE support on the 650M/FLB adapters with Windows Server 2016

 

Version 8.4.84:

FIXES:
nPartition firmware fix:

• In very specific multi-blades configurations, de-configured DIMMs could cause an MCA during boot. One of the conditions for the MCA was to have one or more 64GB DIMMs or five 32GB DIMMs de-configured on a non-root blade loaded with 48 64GB DIMMs or with 48 32GB DIMMs. This is now fixed.
  
  

Complex firmware fixes:

• Increased robustness of Superdome X servers when experiencing a high number of correctable memory errors that could lead to unplanned system downtime.
• The HTTPoxy vulnerability CVE-2016-5387 has been addressed.
• OA CLI UPLOAD command with scp/sftp in the URL now works both when the file name immediately follows the hostname and when the URL specifies the full path to the file.
• When all blades in a partition are set to link local, the OA syslog no longer incorrectly reports the blades as powered off.
• After a blade replacement, show blade info would sometimes report "Error Reading CPU Data" and parstatus would report a CPU speed of 0 MHz. This is now fixed.
• If the OA detected only 3 XFMs, active partitions would continue running but would not reboot, and inactive partitions would not power on (for instance, after an e-fuse reset or an XFM removal without replacement). This is now fixed.

 

ENHANCEMENTS:

• Added support for 64 GB DIMMs and 24 TB of Memory
• Added support for Windows Server 2012 R2 and VMware 6.0 u2 (8 sockets only) on Gen9 blades with Intel v4 family processors
• Added support of Infiniband 545 M adapter on Gen9 blades with Intel v4 family processors
• Added support for RoCE on 650M/FLB adapters with Linux RHEL 7.2

 

Version 8.2.106:

nPartition firmware fixes:

• The standby OA GUI no longer reports an incorrect firmware version.
• If connected to the OA via telnet, the message fatal: Cannot bind any address is no longer seen in the OA syslog after running the command disable ntp, disable https or disable snmp.
• The Network access section was added to the OA GUI so that OA users with operator privilege can now enable or disable network protocols from the GUI.
• Enclosure ID field in enclosure status no longer shows as degraded after the DVD module has recovered from USB connectivity issues.
• CAE (Core Analysis Engine) now correctly identifies the socket that timed out in CAE event 1053.
• As a non-supported feature, Blade PowerDelay is now always disabled and can no longer be changed from the CLI or GUI.
• When reseating or e-fusing a monarch blade partition, the message now states that the iLO IP address has been reconfigured automatically by the firmware and not by the user.
• A secondary error (100906) was flagged by CAE for MCAs, actually caused by a known issue of fabric failover handling due to the presence of invalid packets, and the blade of the processor reporting that issue is no longer de-configured. Note: The invalid packet issue has been addressed in a prior release
• After the DVD module is removed and reinserted, the OA CLI would sometimes no longer see the FPL and SEL events logged prior to the removal. This is now fixed.
• The monarch iLO in complex firmware version 5.73.0 was affected by the OpenSSL Poodle (Padding Oracle on Downgraded Legacy Encryption) CVE-2014-3566 vulnerability. This is fixed in complex firmware version 7.5.0 and later.
• Some BL920s Gen8 Blade servers with a specific memory configuration (32 GB DDR3 DIMMs per blade) would rarely experience a crash or hang in the presence of excessive correctable memory errors, with FPL logs showing X86_CPU_EXCEPTION in case of crash or STATUS_ASSERT_* messages in case of hang. This is now fixed.
• The OA syslog would sometimes fill up with events such as udog logged into the Onboard Administrator using RSA key <key>. These have now been suppressed.

ENHANCEMENTS:

·       Added support for Intel EX v4 family processors on BL920s Gen9 blades with firmware 8.2.106

 

Version 7.6.0:

nPartition firmware:

• Superdome X systems with Gen9 blades installed and configured in 8- or 16-socket nPars, using 18 core processors (E7-8890 v3 or E7-8880 v3) and running Linux could experience a performance degradation. This is now fixed.

ENHANCEMENTS:

February 2016 updates:

• Added support for VMware and for HPE Ethernet 560FLB/560M adapters on Gen9 blades

January 2016 updates:

• Added support for Windows 2012 R2 and related IO drivers on HPE Integrity Superdome X Gen9 blades 
• Added support for Linux SLES 12 SP1 and RHEL 7.2

 

Version 7.5.0:

ENHANCEMENTS:

• Superdome X server firmware version 7.5.0 introduced support for BL920s Gen9 blades
• With firmware version 7.5.0, HP Integrity Superdome X Server supports multiple nPartitions of 6 sockets in addition to 2, 4, 8 and 16 sockets.

 

FIXES:

• Excessive correctable memory errors could prevent an entire partition from booting. Boot attempts would fail with the error SFW_BOOT_FATAL_ERROR in FPL. This is now fixed.
• False fabric errors or CAE event 2015 could rarely be seen after an EFI reset command or a non-graceful system shutdown, causing in some cases a critical error like an MCA, due to some packets not being discarded before power-on. This is now fixed.
• A system nPartition would very rarely hang with the FPL (Forward Progress Log) or SEL (System Event Log) displaying some STATUS_ASSERT_* messages. This is now fixed.
• The WSMAN daemon no longer crashes if a WSMAN client makes a subscription request with an unusually long end point reference.
• SNMP no longer incorrectly sends trap 22041 whenever the active OA status changes.
• On systems running SLES, Event ID 100924 would sometimes be erroneously reported for corrected memory errors. This is now fixed.
• In case the monarch blade of an nPar is serviced and the Administrator does not wait long enough (about 5 minutes) before attempting to power on the partition, the partition no longer fails to power on with an error message in OA syslog nPartition Power On failed. Error: fatal internal error.
• When removing an SNMP receivers IP address (ex. 10.11.12.13), OA no longer incorrectly removes all receivers IP addresses that contain that IP address as a substring (ex. 10.11.12.13 and 10.11.12.133).
• A PDH low battery warning event is no longer reported daily in case of low PDH battery level. It is now reported yearly as an informational event.
• The OA GUI now properly detects and displays a valid firmware bundle present on a USB stick in the external USB drive.

 

Version 6.0.42:
ENHANCEMENTS:

Bundle version 6.0.42(a):

• Added support for SUSE Linux Enterprise Server 12

Bundle version 6.0.42:

• Added support for Intel Xeon Processor E7-8893 v2 (6 cores/3.4Ghz / 37.5Mb cache / 155W)

 

FIXES:

• Addressed the GHOST (GetHostByName) CVE-2015-0235 vulnerability
• NTP was upgraded in this version to address the CVE-2014-9295 vulnerability
• Addressed the OpenSSL Poodle (Padding Oracle on Downgraded Legacy Encryption) vulnerability  CVE-2014-3566 in Superdome X OA
• Fixed issues that prevented some Superdome X servers to be discovered by HP Insight Remote Support
• Remote Windows Operating System installation may now be done using PXE boot (Pre-Boot eXecution Environment)
• Fixed an issue where rebooting partitions without a power cycle could result in de-configured CPU sockets and/or blades and in a failure to boot
• CAE event 7008 is now reported if multiple DIMM failures on the same DDR channel are detected during memory initialization at partition boot
• Erasure is no longer requested multiple times for the same failing device
• In the OA GUI, after selecting ""Local User" and then "User information", Interconnect Bay Access is now shown for all bays, including Bay 5 to Bay 8
• An Onboard Administrator board with firmware version 1.3.1 can now be updated to the latest version using the standard firmware update process

Version 5.73.0:
ENHANCEMENTS:
Changes included in bundle version 5.73.0(b):

• Added support for Windows 2012 R2 with minimum Superdome X server firmware 5.73.0

 

Changes included in bundle version 5.73.0(a):

• The release notes were updated in version 5.73.0(a), to add the Poodle security vulnerability to the list of Known Issues

 

Changes included in bundle version 5.73.0:

• Starting with firmware version 5.73.0, the HP Integrity Superdome X Server supports 2S, 4S, 8S and 16S nPartitions. For information about creating and managing partitions, see the HP Integrity Superdome X partitioning white paper under the Superdome X server Manuals section on http://www.hp.com/go/hpsc.
• Note: Maximum 4 TB memory is supported with Windows (see server QuickSpecs for more details)

FIXES:
Fixes included in bundle version 5.73.0(a), 5.73.0(b):

• None (release notes update only)

Fixes included in bundle version 5.73.0:

• The bash Shellshock vulnerability has been fixed in the OA version included in this firmware. Firmware versions prior to 5.73.0 could be exploited remotely to allow execution of code. For details on this issue, please refer to CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.
• Addressed SSL/TLS MITM Vulnerability CVE-2014-0224
• During boot, the partition fans would unnecessarily run at maximum speed, making the enclosure very noisy, until partition completed boot to UEFI.
• Correctable errors coming from multiple failing ranks on a single DIMM could inadvertently result in the entire Blade being indicted (event 7005).
• If a partition was forced to power off, stale data from the prior session would sometimes be displayed on the console when the partition was powered back on and remained visible until it began booting. These stale data could be ignored.
• The OA CLI did not allow setting the EBIPA (Enclosure Bay IP Addressing page) for interconnect modules. The operation failed with the message "Cannot issue command for non-monarch blade".
• After an OA restart or DVD replacement, the DVD health LED would often be seen amber and blinking. If the command SHOW DVD status or related views reported the status as OK, you could safely ignore the amber blinking LED.
• A transient USB connection would sometimes generate transient errors and an event DVD/GPSM_MODULE_USB_DISCONNECT (CAE id 12119). This event could safely be ignored if the complex was not marked as degraded and no hardware was indicted.
• If you tried connecting the enclosure DVD from the CLI using the command "set partition DVD connect <npar>", with a remote DVD media already connected via GUI using iLO IRC to the same partition, the CLI command did not return a failure message saying that the same type of DVD drive was already connected.
• There were several issues with the UEFI shell 2.0 behavior. In particular, the command option b (page break) did not always work correctly. The prompt Press ENTER to continue or Q break could be inserted in the middle of output text instead of starting at a new line or overwrite text that should have been displayed on the next line.
• When a blade was removed slowly from the chassis, global clock failure events (CFW_GCLK_0_NOT_AVAIL and/or CFW_GCLK_1_NOT_AVAIL) would rarely be generated prior to the blade removal event (BLADE_REMOVED_SD2) due to noise on the clock signal caused by the removal. These clock failure events could safely be ignored during blade removal.
• After making a PXE boot request, if the user decided not to proceed with PXE boot (e.g. exit from the PXE menu to return to the UEFI prompt), any attempt to boot would still result in PXE boot regardless of what the user selected, because the PXE driver was still loaded.