====== AIX update packages ======
===== Update efix (or ifix) =====
These tools are included with AIX 7.2 and AIX 7.3 and are delivered with the bos.rte.install AIX fileset. They require an internet connection and are used to download and install security fixes:
* **emgr_check_ifixes**
* **emgr_download_ifix**
* **emgr_sec_patch**
FIXME Currently (02-2025) you can't set a proxy for the download! Only direct connections to the internet are supported.
# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Vulnerability fixes are not downloaded
**emgr_check_ifixes**
* **-D** automatically download the required fixes to the host in /tmp/ifix_${PID}
Download a specific efix
# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .
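The check and download steps above can be chained with a review step in between. The following is an added example, not part of the original page or of IBM's tooling: it reads saved emgr_check_ifixes output and emits one emgr_download_ifix command only for URLs under the IBM path seen in that output. The names ''ALLOWED_PREFIX'', ''recommended_ifixes'', ''download_commands'' and ''sample_check_output'' are hypothetical, and the last sample line is constructed.

```shell
#!/bin/sh
# Added example: turn saved emgr_check_ifixes output into reviewed download commands.
# ALLOWED_PREFIX is an assumption taken from the URLs shown in the output above.
ALLOWED_PREFIX='https://aix.software.ibm.com/aix/efixes/security/'

# recommended_ifixes < check_output
# Prints "ACCEPT label url" or "REJECT label url" for every recommended fix.
recommended_ifixes() {
    awk -v prefix="$ALLOWED_PREFIX" '
        /^Recommended ifixes/ { in_list = 1; next }
        !in_list || $NF !~ /^[a-z]+:\/\// { next }      # keep lines ending in a URL
        {
            url = $NF
            name = substr(url, length(prefix) + 1)       # part after the prefix
            ok = (index(url, prefix) == 1) && (name ~ /^[A-Za-z0-9_.-]+\.tar$/)
            verdict = ok ? "ACCEPT" : "REJECT"
            print verdict, $1, url
        }'
}

# download_commands DIR < check_output
# Emits one emgr_download_ifix command per accepted URL (-L and -P as used above).
download_commands() {
    recommended_ifixes | awk -v dir="$1" '$1 == "ACCEPT" && !seen[$3]++ {
        printf "emgr_download_ifix -L %s -P %s\n", $3, dir }'
}

# Sample input: two lines copied from the output above, one constructed bad line.
sample_check_output() {
    cat <<'EOF'
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
demo0001a constructed line with an unexpected host http://mirror.example.invalid/efixes/demo_fix1.tar
Vulnerability fixes are not downloaded
EOF
}

sample_check_output | recommended_ifixes
sample_check_output | download_commands .
```

Rejected lines are printed rather than dropped, so an unexpected host or scheme in the recommendation list is visible before anything is fetched.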
# emgr -lv3 | tail -18
APAR information:
=================
APAR number: IJ49378
APAR abstract: crl download fails after change in certificate server
APAR number: IJ49379
APAR abstract: emgr_download_ifix fails with ssl connection failed
APAR number: IJ49220
APAR abstract: default download path of emgr_check_ifixes is /tmp/ifix
Description:
============
IJ49378 - crl download fails after change in certificate server
IJ49379 - emgr_download_ifix fails with ssl connection failed
IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix
===== Efix detailed info =====
View the content of an efix package
[root@aix001]/export/software/efix/openssh_fix15> emgr -d -v3 -e 38408m9a.230811.epkg.Z
+-----------------------------------------------------------------------------+
Efix Manager Initialization
+-----------------------------------------------------------------------------+
Initializing log /var/adm/ras/emgr.log ...
Efix package file is: /export/software/efix/openssh_fix15/38408m9a.230811.epkg.Z
MD5 generating command is /usr/bin/csum
MD5 checksum is d44fd5020b283c0e3fc121daacabaa03
Accessing efix metadata ...
Verifying efix control file ...
Unpacking efix package file ...
+-----------------------------------------------------------------------------+
Efix Attributes
+-----------------------------------------------------------------------------+
LABEL: 38408m9a
PACKAGING DATE: Fri Aug 11 06:51:30 CDT 2023
ABSTRACT: Ifix for openssh vulnerabilities
PACKAGER VERSION: 7
VUID: 00F787C74C00081106082923
REBOOT REQUIRED: no
BUILD BOOT IMAGE: no
LU CAPABLE: yes
PRE-REQUISITES: yes
SUPERSEDE: no
PACKAGE LOCKS: no
E2E PREREQS: no
FIX TESTED: no
EFIX FILES: 11
Install Scripts:
PRE_INSTALL: no
POST_INSTALL: no
PRE_REMOVE: no
POST_REMOVE: no
File Number: 1
LOCATION: /usr/bin/ssh
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 5480
ACL: DEFAULT
CKSUM: 49408
PACKAGE: openssh.base.client
MOUNT INST: no
...
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
Ifix for CVE_2023_38408 and fix for sftp Allow/Deny Files Security Vulnerability
+-----------------------------------------------------------------------------+
Displaying Configuration File "PREREQ"
+-----------------------------------------------------------------------------+
openssh.base.client 8.1.102.2106 8.1.102.2106
openssh.base.server 8.1.102.2106 8.1.102.2106
+-----------------------------------------------------------------------------+
Displaying Configuration File "APARREF"
+-----------------------------------------------------------------------------+
NONE
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log
EPKG NUMBER LABEL OPERATION RESULT
=========== ============== ================= ==============
1 38408m9a DISPLAY SUCCESS
Return Status = SUCCESS
View the content of an installed efix
[root@aix001]/root> emgr -P
PACKAGE INSTALLER LABEL
======================================================== =========== ==========
invscout.rte installp is22026s1a
oss.lib.libcurl installp 853sa
openssh.base.client installp 9211224a
openssh.base.server installp 9211224a
openssl.base installp 3013sa
[root@aix001]/root> emgr -l -v3 -L is22026s1a
+-----------------------------------------------------------------------------+
EFIX ID: 1
EFIX LABEL: is22026s1a
+-----------------------------------------------------------------------------+
LABEL: is22026s1a
STATE: STABLE
UPDATED BY:
ABSTRACT: invscout fix for CVE-2024-27260
VUID: 00F7CD554C00051412053724
PACKAGER VERSION: 7
INSTALL DATE: 08/01/24 13:47:05
EPKG VERSION: 7
REBOOT REQUIRED: no
BUILD BOOT IMAGE: no
LU CAPABLE: yes
PACKAGE LOCKS: no
SUPERSEDE: no
INSTALLP PREREQUISITES: yes
E2E PREREQUISITES: no
FIX TESTED: no
FILES: 1
Install Scripts
===============
PRE_INSTALL: no
POST_INSTALL: no
PRE_REMOVE: no
POST_REMOVE: no
FILE NUMBER: 1
LOCATION: /usr/sbin/invscout
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 1044
CKSUM: 51101
ACL: DEFAULT
PACKAGE: invscout.rte
MOUNT INST: no
Installp Prerequisite Information:
==================================
PREREQUISITE NUM: 1
FILESET: invscout.rte
MINIMAL LEVEL: 2.2.0.25
MAXIMUM LEVEL: 2.2.0.26
TYPE: PREREQ
LEVEL AT INSTALL: 2.2.0.26
Efix to Efix Prerequisite Information:
======================================
No efix to efix prerequisites data.
APAR information:
=================
No APAR numbers listed.
Description:
============
invscout fix - CVE-2024-27260
===== Efix DB location =====
The efix inventory is stored in two text files: "/usr/emgrdata/DBS/efix.db" and "/usr/emgrdata/DBS/pkglck.db"
[root@aix01]/root# cat /usr/emgrdata/DBS/efix.db
IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
[root@aix01]/root# cat /usr/emgrdata/DBS/pkglck.db
IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101
1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103
1022103a|:|2|:|/usr/lib/libssl.a|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|3|:|/usr/lib/libcrypto.a.min|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|5|:|/usr/bin/openssl64|:|openssl.base|:|1|:|5|:|063008060522|:|1.0.2.2103
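Because both files are plain text with a ''|:|'' separator, they can be audited offline, for example from a backup or a collected file set. The following is an added example, not part of the original page or of emgr itself: it lists each efix with its state and install date, and checks that the file count recorded in efix.db matches the number of locked files in pkglck.db. The field positions (10 = file count, 11 = install date, 12 = state in efix.db; 3 = path, 4 = fileset, 8 = level in pkglck.db) are assumptions inferred from the sample rows above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit emgr's inventory files offline (no emgr call needed).
# Field positions are inferred from the sample rows on this page, not from IBM docs.

SEP='[|]:[|]'   # the "|:|" field separator written as an awk regex

# efix_inventory EFIX_DB PKGLCK_DB
# One line per efix: label|state|install date|declared files|locked files|OK or MISMATCH
efix_inventory() {
    awk -F"$SEP" '
        FILENAME == ARGV[1] { locked[$1]++; next }   # pkglck.db: count rows per label
        {                                            # efix.db: field 10 = file count (assumed)
            have = locked[$1] + 0
            status = (have == $10 + 0) ? "OK" : "MISMATCH"
            printf "%s|%s|%s|%s|%d|%s\n", $1, $12, $11, $10, have, status
        }' "$2" "$1"
}

# efix_locked_files PKGLCK_DB FILESET
# One line per file that an efix locks in FILESET: label path fileset-level
efix_locked_files() {
    awk -F"$SEP" -v fileset="$2" '$4 == fileset { print $1, $3, $8 }' "$1"
}

# write_sample_dbs DIR: rows copied from this page, with one pkglck row left out
# on purpose so that the consistency check has something to report.
write_sample_dbs() {
    cat > "$1/efix.db" <<'EOF'
IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
EOF
    cat > "$1/pkglck.db" <<'EOF'
IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101
1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103
1022103a|:|2|:|/usr/lib/libssl.a|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
1022103a|:|5|:|/usr/bin/openssl64|:|openssl.base|:|1|:|5|:|063008060522|:|1.0.2.2103
EOF
}

demo_dir=$(mktemp -d)
write_sample_dbs "$demo_dir"
efix_inventory "$demo_dir/efix.db" "$demo_dir/pkglck.db"
efix_locked_files "$demo_dir/pkglck.db" openssl.base
```

On a live system, point both functions at the files under /usr/emgrdata/DBS and compare the result with ''emgr -P''.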
===== Efix TAR installation =====
To install an efix delivered as a TAR package, use the following command:
# /usr/sbin/emgr_sec_patch kernext_fix.tar
...
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: STABLE
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log
EPKG NUMBER LABEL OPERATION RESULT
=========== ============== ================= ==============
1 IJ52610m2a INSTALL SUCCESS
Return Status = SUCCESS
Done
+-----------------------------------------------------------------------------+
Checking System Level Prerequisites
+-----------------------------------------------------------------------------+
calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s2a.241113.epkg.Z
Skipping ifix
See /var/adm/ras/emgr.log for more details
+-----------------------------------------------------------------------------+
Checking System Level Prerequisites
+-----------------------------------------------------------------------------+
calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s3a.241113.epkg.Z
Skipping ifix
See /var/adm/ras/emgr.log for more details