The tool is included with AIX 7.2 and AIX 7.3 and is delivered with the bos.rte.install AIX fileset. It requires an internet connection and lets you download and install security fixes.
Currently (02-2025) you cannot set a proxy for the download: only direct connections to the internet are supported.

    # emgr_check_ifixes
    Gathering system information
    +-----------------------------------------------------------------------------+
    p0.mtm=8284-22A
    p0.fw=SV860_212
    p0.parnm=apollo
    p0.os=aix
    p0.aix=7300-02-01-2346
    +-----------------------------------------------------------------------------+
    Checking interim fixes on the system ...
    +-----------------------------------------------------------------------------+

    ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
    ====== ================ ================= ========== ======================================
    1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX

    Searching for AIX security fixes ...
    +-----------------------------------------------------------------------------+
    Recommended ifixes, please wait..parsing
    ===============================================================================
    38408m9a
    AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH
    https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
    CVE-2023-5363
    AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL
    https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
    curl7791mb
    Multiple vulnerabilities in cURL libcurl affect AIX
    https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
    Vulnerability fixes are not downloaded

emgr_check_ifixes
Download a specific efix

    # emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .

    # emgr -lv3 | tail -18
    APAR information:
    =================
    APAR number: IJ49378
    APAR abstract: crl download fails after change in certificate server

    APAR number: IJ49379
    APAR abstract: emgr_download_ifix fails with ssl connection failed

    APAR number: IJ49220
    APAR abstract: default download path of emgr_check_ifixes is /tmp/ifix

    Description:
    ============
    IJ49378 - crl download fails after change in certificate server
    IJ49379 - emgr_download_ifix fails with ssl connection failed
    IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix

View the content of an efix package

    [root@aix001]/export/software/efix/openssh_fix15> emgr -d -v3 -e 38408m9a.230811.epkg.Z
    +-----------------------------------------------------------------------------+
    Efix Manager Initialization
    +-----------------------------------------------------------------------------+
    Initializing log /var/adm/ras/emgr.log ...
    Efix package file is: /export/software/efix/openssh_fix15/38408m9a.230811.epkg.Z
    MD5 generating command is /usr/bin/csum
    MD5 checksum is d44fd5020b283c0e3fc121daacabaa03
    Accessing efix metadata ...
    Verifying efix control file ...
    Unpacking efix package file ...

    +-----------------------------------------------------------------------------+
    Efix Attributes
    +-----------------------------------------------------------------------------+
    LABEL: 38408m9a
    PACKAGING DATE: Fri Aug 11 06:51:30 CDT 2023
    ABSTRACT: Ifix for openssh vulnerabilities
    PACKAGER VERSION: 7
    VUID: 00F787C74C00081106082923
    REBOOT REQUIRED: no
    BUILD BOOT IMAGE: no
    LU CAPABLE: yes
    PRE-REQUISITES: yes
    SUPERSEDE: no
    PACKAGE LOCKS: no
    E2E PREREQS: no
    FIX TESTED: no
    EFIX FILES: 11

    Install Scripts:
       PRE_INSTALL: no
       POST_INSTALL: no
       PRE_REMOVE: no
       POST_REMOVE: no

    File Number: 1
       LOCATION: /usr/bin/ssh
       FILE TYPE: Standard (file or executable)
       INSTALLER: installp
       SIZE: 5480
       ACL: DEFAULT
       CKSUM: 49408
       PACKAGE: openssh.base.client
       MOUNT INST: no
    ...
    +-----------------------------------------------------------------------------+
    Efix Description
    +-----------------------------------------------------------------------------+
    Ifix for CVE_2023_38408 and fix for sftp Allow/Deny Files Security Vulnerability

    +-----------------------------------------------------------------------------+
    Displaying Configuration File "PREREQ"
    +-----------------------------------------------------------------------------+
    openssh.base.client 8.1.102.2106 8.1.102.2106
    openssh.base.server 8.1.102.2106 8.1.102.2106

    +-----------------------------------------------------------------------------+
    Displaying Configuration File "APARREF"
    +-----------------------------------------------------------------------------+
    NONE

    +-----------------------------------------------------------------------------+
    Operation Summary
    +-----------------------------------------------------------------------------+
    Log file is /var/adm/ras/emgr.log

    EPKG NUMBER LABEL          OPERATION         RESULT
    =========== ============== ================= ==============
    1           38408m9a       DISPLAY           SUCCESS

    Return Status = SUCCESS

View the content of an installed efix

    [root@aix001]/root> emgr -P
    PACKAGE                                                  INSTALLER   LABEL
    ======================================================== =========== ==========
    invscout.rte                                             installp    is22026s1a
    oss.lib.libcurl                                          installp    853sa
    openssh.base.client                                      installp    9211224a
    openssh.base.server                                      installp    9211224a
    openssl.base                                             installp    3013sa

    [root@aix001]/root> emgr -l -v3 -L is22026s1a
    +-----------------------------------------------------------------------------+
    EFIX ID: 1
    EFIX LABEL: is22026s1a
    +-----------------------------------------------------------------------------+
    LABEL: is22026s1a
    STATE: STABLE
    UPDATED BY:
    ABSTRACT: invscout fix for CVE-2024-27260
    VUID: 00F7CD554C00051412053724
    PACKAGER VERSION: 7
    INSTALL DATE: 08/01/24 13:47:05
    EPKG VERSION: 7
    REBOOT REQUIRED: no
    BUILD BOOT IMAGE: no
    LU CAPABLE: yes
    PACKAGE LOCKS: no
    SUPERSEDE: no
    INSTALLP PREREQUISITES: yes
    E2E PREREQUISITES: no
    FIX TESTED: no
    FILES: 1

    Install Scripts
    ===============
    PRE_INSTALL: no
    POST_INSTALL: no
    PRE_REMOVE: no
    POST_REMOVE: no

    FILE NUMBER: 1
       LOCATION: /usr/sbin/invscout
       FILE TYPE: Standard (file or executable)
       INSTALLER: installp
       SIZE: 1044
       CKSUM: 51101
       ACL: DEFAULT
       PACKAGE: invscout.rte
       MOUNT INST: no

    Installp Prerequisite Information:
    ==================================
    PREREQUISITE NUM: 1
       FILESET: invscout.rte
       MINIMAL LEVEL: 2.2.0.25
       MAXIMUM LEVEL: 2.2.0.26
       TYPE: PREREQ
       LEVEL AT INSTALL: 2.2.0.26

    Efix to Efix Prerequisite Information:
    ======================================
    No efix to efix prerequisites data.

    APAR information:
    =================
    No APAR numbers listed.

    Description:
    ============
    invscout fix - CVE-2024-27260

The efix inventory is stored in two text files: “/usr/emgrdata/DBS/efix.db” and “/usr/emgrdata/DBS/pkglck.db”

    [root@aix01]/root# cat /usr/emgrdata/DBS/efix.db
    IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
    1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.

    [root@aix01]/root# cat /usr/emgrdata/DBS/pkglck.db
    IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101
    1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103
    1022103a|:|2|:|/usr/lib/libssl.a|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
    1022103a|:|3|:|/usr/lib/libcrypto.a.min|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
    1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
    1022103a|:|5|:|/usr/bin/openssl64|:|openssl.base|:|1|:|5|:|063008060522|:|1.0.2.2103

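As an added example (not part of the original page and not IBM tooling), the shell function below joins the two inventory files to report which files and filesets each ifix locks, which is useful to review before updating a fileset. The field positions are assumptions inferred from the sample records above, and the record labelled ZZ00000s0a is constructed to show a lock entry without an inventory record.

```shell
#!/bin/sh
# Field positions below are assumptions inferred from the sample records on
# this page, not taken from IBM documentation.

# Print one tab-separated line per locked file:
#   label, state, fileset, fileset level, path, abstract
efix_locked_files() {   # usage: efix_locked_files EFIX_DB PKGLCK_DB
    # FS is a bracketed regex: a bare "|:|" would be parsed as alternation.
    awk -F'[|]:[|]' '
        FILENAME == ARGV[1] {          # efix.db: $1 label, $2 abstract, $12 state
            if (NF >= 12) { abstract[$1] = $2; state[$1] = $12 }
            next
        }
        NF >= 8 {                      # pkglck.db: $3 path, $4 fileset, $8 level
            st = ($1 in state) ? state[$1] : "?"   # "?": lock without inventory record
            ab = ($1 in abstract) ? abstract[$1] : "(not in efix.db)"
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", $1, st, $4, $8, $3, ab
        }
    ' "$1" "$2"
}

# Write sample files into directory $1: records copied from the listing above,
# plus one constructed orphan lock (ZZ00000s0a) that has no efix.db entry.
write_sample_dbs() {
    cat > "$1/efix.db" <<'EOF'
IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
EOF
    cat > "$1/pkglck.db" <<'EOF'
IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101
1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103
1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
ZZ00000s0a|:|1|:|/usr/bin/example|:|example.rte|:|1|:|9|:|010100000022|:|0.0.0.0
EOF
}

# Demo run on the sample files, kept in a private scratch directory.
tmp="${TMPDIR:-/tmp}/efixdb.$$" && mkdir -m 700 "$tmp" && write_sample_dbs "$tmp"
efix_locked_files "$tmp/efix.db" "$tmp/pkglck.db"
rm -rf "$tmp"
```

On a live system, call it as `efix_locked_files /usr/emgrdata/DBS/efix.db /usr/emgrdata/DBS/pkglck.db`; a `?` in the state column marks a lock entry that has no matching inventory record.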
To install an efix from a TAR efix package, use the following command:

    # /usr/sbin/emgr_sec_patch kernext_fix.tar
    ...
    Efix State
    +-----------------------------------------------------------------------------+
    Setting efix state to: STABLE

    +-----------------------------------------------------------------------------+
    Operation Summary
    +-----------------------------------------------------------------------------+
    Log file is /var/adm/ras/emgr.log

    EPKG NUMBER LABEL          OPERATION         RESULT
    =========== ============== ================= ==============
    1           IJ52610m2a     INSTALL           SUCCESS

    Return Status = SUCCESS
    Done
    em+-----------------------------------------------------------------------------+
    Checking System Level Prerequisites
    +-----------------------------------------------------------------------------+
    calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s2a.241113.epkg.Z
    gr -PSkipping ifix
    See /var/adm/ras/emgr.log for more details
    +-----------------------------------------------------------------------------+
    Checking System Level Prerequisites
    +-----------------------------------------------------------------------------+
    calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s3a.241113.epkg.Z
    Skipping ifix
    See /var/adm/ras/emgr.log for more details