Installing an ifix with AIX Live Update
Chris Gibson, cgibson@au1.ibm (27/08/2021)
We received a notification that a new AIX security ifix had been released for the AIX kernel. The fix addressed the following vulnerability: "IBM AIX could allow a non-privileged local user to exploit a vulnerability in the kernel to gain root privileges - CVSS Base score: 8.4".

We wanted to install this fix as soon as possible to close off the local privilege escalation. Because the fix applies to the bos.mp64 fileset (i.e. the AIX kernel), it would normally require a reboot to take effect: emgr replaces /usr/lib/boot/unix_64 on disk and rebuilds the boot image, but the kernel that is actually running does not change until the system boots from that image.

We chose to use AIX Live Update to install the ifix and avoid the reboot. Live Update satisfies the reboot requirement by booting a surrogate LPAR from the updated boot image and moving the workload to it. Our system was running AIX 7.2 TL5 SP2 (7200-05-02-2114).

We performed the following steps.

First, we confirmed the ifix was, indeed, Live Update capable. An ifix that is not LU CAPABLE cannot be applied this way and would need a conventional reboot.
# oslevel -s
7200-05-02-2114
# emgr -pe IJ32631s2a.210805.epkg.Z | grep LU
LU CAPABLE: yes
ATTENTION: system reboot will be required by the actual (not preview) operation.
Please see the "Reboot Processing" sections in the output above or in the
/var/adm/ras/emgr.log file.
We created a clone (backup) of the current rootvg on a spare disk. This is the rollback path if the ifix or the Live Update misbehaves: the -B flag tells alt_disk_copy not to change the bootlist, so the system keeps booting from the original rootvg and the clone is only used if we deliberately boot from hdisk1.
# alt_disk_copy -Bd hdisk1
We installed the ifix with emgr. Before this step the downloaded epkg should be checked against the checksum published in the IBM security advisory that announced the ifix; the MD5 that emgr prints below is computed locally by csum and only confirms what was unpacked, not that the package is the one IBM published.
# emgr -e IJ32631s2a.210805.epkg.Z
+-----------------------------------------------------------------------------+
Efix Manager Initialization
+-----------------------------------------------------------------------------+
Initializing log /var/adm/ras/emgr.log ...
Efix package file is: /cg/kernel_fix2/IJ32631s2a.210805.epkg.Z
MD5 generating command is /usr/bin/csum
MD5 checksum is 6f01ddfd29c0deb68013c5b7ccf279c0
Accessing efix metadata ...
Processing efix label "IJ32631s2a" ...
Verifying efix control file ...
+-----------------------------------------------------------------------------+
Installp Prerequisite Verification
+-----------------------------------------------------------------------------+
Verifying prerequisite file ...
Checking prerequisites ...
Prerequisite Number: 1
    Fileset: bos.mp64
    Minimal Level: 7.2.5.3
    Maximum Level: 7.2.5.3
    Actual Level: 7.2.5.3
    Type: PREREQ
    Requisite Met: yes
All prerequisites have been met.
+-----------------------------------------------------------------------------+
Processing APAR reference file
+-----------------------------------------------------------------------------+
ATTENTION: Interim fix is enabled for automatic removal by installp.
+-----------------------------------------------------------------------------+
Efix Attributes
+-----------------------------------------------------------------------------+
LABEL: IJ32631s2a
PACKAGING DATE: Thu Aug 5 12:25:45 CDT 2021
ABSTRACT: IJ32631 - Security Vulnerability
PACKAGER VERSION: 7
VUID: 00F787C74C00080512084521
REBOOT REQUIRED: yes
BUILD BOOT IMAGE: yes
LU CAPABLE: yes
PRE-REQUISITES: yes
SUPERSEDE: no
PACKAGE LOCKS: no
E2E PREREQS: no
FIX TESTED: no
ALTERNATE PATH: None
EFIX FILES: 1
Install Scripts:
    PRE_INSTALL: no
    POST_INSTALL: no
    PRE_REMOVE: no
    POST_REMOVE: no
File Number: 1
    LOCATION: /usr/lib/boot/unix_64
    FILE TYPE: Standard (file or executable)
    INSTALLER: installp
    SIZE: 88936
    ACL: DEFAULT
    CKSUM: 31114
    PACKAGE: bos.mp64
    MOUNT INST: no
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
IJ32631 - Kernel security vulnerability
CVE-2021-29801
CVE-2021-29862
+-----------------------------------------------------------------------------+
Efix Lock Management
+-----------------------------------------------------------------------------+
Checking locks for file /usr/lib/boot/unix_64 ...
All files have passed lock checks.
+-----------------------------------------------------------------------------+
Space Requirements
+-----------------------------------------------------------------------------+
Checking space requirements ...
Space statistics (in 512 byte-blocks):
File system: /usr, Free: 281400, Required: 151452, Deficit: 0.
File system: /tmp, Free: 1848664, Required: 173131, Deficit: 0.
+-----------------------------------------------------------------------------+
Efix Installation Setup
+-----------------------------------------------------------------------------+
Unpacking efix package file ...
Initializing efix installation ...
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: INSTALLING
+-----------------------------------------------------------------------------+
File Archiving
+-----------------------------------------------------------------------------+
Saving all files that will be replaced ...
Save directory is: /usr/emgrdata/efixdata/IJ32631s2a/save
File 1: Saving /usr/lib/boot/unix_64 as EFSAVE1 ...
+-----------------------------------------------------------------------------+
Efix File Installation
+-----------------------------------------------------------------------------+
Installing all efix files:
Installing efix file #1 (File: /usr/lib/boot/unix_64) ...
Total number of efix files installed is 1.
All efix files installed successfully.
+-----------------------------------------------------------------------------+
Package Locking
+-----------------------------------------------------------------------------+
Processing package locking for all files.
File 1: locking installp fileset bos.mp64.
All package locks processed successfully.
+-----------------------------------------------------------------------------+
Reboot Processing
+-----------------------------------------------------------------------------+
*** NOTICE ***
This efix package requires the target system to be rebooted after the current
operation is complete. It is recommended that you reboot the target system as
soon as possible after installation to avoid disruption of current functionality.
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: REBOOT REQUIRED
+-----------------------------------------------------------------------------+
Boot Image Processing
+-----------------------------------------------------------------------------+
Rebuilding boot image ...
bosboot: Boot image is 61468 512 byte blocks.
Successfully rebuilt boot image.
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log

EPKG NUMBER       LABEL               OPERATION              RESULT
===========       ==============      =================      ==============
1                 IJ32631s2a          INSTALL                SUCCESS

ATTENTION: system reboot is required. Please see the "Reboot Processing"
sections in the output above or in the /var/adm/ras/emgr.log file.
Return Status = SUCCESS
After the ifix was installed, its STATE was reported as *Q* (REBOOT REQUIRED). At this point the patched unix_64 is on disk and in the rebuilt boot image, but the kernel still running in memory is the unpatched one, so the vulnerability is not yet closed.

# emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   *Q*   IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

STATE codes:
 S = STABLE
 M = MOUNTED
 U = UNMOUNTED
 Q = REBOOT REQUIRED
 B = BROKEN
 I = INSTALLING
 R = REMOVING
 T = TESTED
 P = PATCHED
 N = NOT PATCHED
 SP = STABLE + PATCHED
 SN = STABLE + NOT PATCHED
 QP = BOOT IMAGE MODIFIED + PATCHED
 QN = BOOT IMAGE MODIFIED + NOT PATCHED
 RQ = REMOVING + REBOOT REQUIRED
We authenticated with our PowerVC server, since Live Update on a PowerVC-managed LPAR needs a valid PowerVC token for the whole operation. Note that supplying the password with -p leaves it in the shell history and visible in the process table while pvcauth runs; it is better to omit -p and let pvcauth prompt for it. The token TTL reported by pvcauth -l (just under six hours) comfortably covers the roughly 25-minute operation estimated by the preview below.

# pvcauth -u pvcadmin -p abc123 -a pvc1
# pvcauth -l
Address  : 10.1.1.50
User name: root
Project  : ibm-default
Port     : 5000
TTL      : 5:58:59
We performed a Live Update preview operation to confirm the environment was ready to support a Live Update operation. The preview also warns that any system dumps sitting in the current dump logical volumes will not be available after the live update, so copy off anything you still need before proceeding.

# geninstall -kp
*******************************************************************************
Live Update PREVIEW: Live Update operation will not actually occur.
*******************************************************************************
+-----------------------------------------------------------------------------+
Pre-Live Update Verification...
+-----------------------------------------------------------------------------+
Verifying environment...done
Verifying /var/adm/ras/liveupdate/lvupdate.data file...done
Computing the estimated time for the live update operation...done
Results...

EXECUTION INFORMATION
---------------------
LPAR: aixlpar1
PowerVC: 10.1.1.50
user: root
Blackout time(in seconds): 21
Total operation time(in seconds): 1404

<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Requirement Verification...
+-----------------------------------------------------------------------------+
INFORMATION
-----------
INFO: Any system dumps present in the current dump logical volumes will not be
available after live update is complete.

<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Preview Summary...
+-----------------------------------------------------------------------------+
The live update preview succeeded.
*******************************************************************************
End of Live Update PREVIEW: No Live Update operation has actually occurred.
*******************************************************************************
We then performed the Live Update operation.

# geninstall -k
+-----------------------------------------------------------------------------+
Pre-Live Update Verification...
+-----------------------------------------------------------------------------+
Verifying environment...done
Verifying /var/adm/ras/liveupdate/lvupdate.data file...done
Computing the estimated time for the live update operation...done
Results...

EXECUTION INFORMATION
---------------------
LPAR: aixlpar1
PowerVC: 10.1.1.50
user: root
Blackout time(in seconds): 22
Total operation time(in seconds): 1528

<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Requirement Verification...
+-----------------------------------------------------------------------------+
INFORMATION
-----------
INFO: Any system dumps present in the current dump logical volumes will not be
available after live update is complete.

<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Preview Summary...
+-----------------------------------------------------------------------------+
The live update preview succeeded.

Non-interruptable live update operation begins in 10 seconds.

Broadcast message from root@aixlpar1 (pts/0) at 18:20:02 ...

Live AIX update in progress.

Initializing live update on original LPAR.
Validating original LPAR environment.
Beginning live update operation on original LPAR.
Requesting resources required for live update.
................
Notifying applications of impending live update.
Creating rootvg for boot of surrogate.
................................................................
Starting the surrogate LPAR.
................................................................................................................................................................................
Creating mirror of original LPAR's rootvg.
............................
Moving workload to surrogate LPAR.
............
Blackout Time started.
Blackout Time end.
Workload is running on surrogate LPAR.
........................................................................................
Shutting down the Original LPAR.
............................................................................The live update operation succeeded.

Broadcast message from root@aixlpar1 (pts/0) at 18:41:04 ...

Live AIX update completed.

Live Update completed successfully.
The ifix STATE now showed S (STABLE).

# emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   S     IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

STATE codes:
 S = STABLE
 M = MOUNTED
 U = UNMOUNTED
 Q = REBOOT REQUIRED
 B = BROKEN
 I = INSTALLING
 R = REMOVING
 T = TESTED
 P = PATCHED
 N = NOT PATCHED
 SP = STABLE + PATCHED
 SN = STABLE + NOT PATCHED
 QP = BOOT IMAGE MODIFIED + PATCHED
 QN = BOOT IMAGE MODIFIED + NOT PATCHED
 RQ = REMOVING + REBOOT REQUIRED

# emgr -lv3
+-----------------------------------------------------------------------------+
EFIX ID: 1
EFIX LABEL: IJ32631s2a
+-----------------------------------------------------------------------------+
LABEL: IJ32631s2a
STATE: STABLE
UPDATED BY:
ABSTRACT: IJ32631 - Security Vulnerability
VUID: 00F787C74C00080512084521
PACKAGER VERSION: 7
INSTALL DATE: 08/25/21 18:15:09
EPKG VERSION: 7
REBOOT REQUIRED: yes
BUILD BOOT IMAGE: yes
LU CAPABLE: yes
PACKAGE LOCKS: no
SUPERSEDE: no
INSTALLP PREREQUISITES: yes
E2E PREREQUISITES: no
FIX TESTED: no
FILES: 1

Install Scripts
===============
PRE_INSTALL: no
POST_INSTALL: no
PRE_REMOVE: no
POST_REMOVE: no

FILE NUMBER: 1
    LOCATION: /usr/lib/boot/unix_64
    FILE TYPE: Standard (file or executable)
    INSTALLER: installp
    SIZE: 88936
    CKSUM: 31114
    ACL: DEFAULT
    PACKAGE: bos.mp64
    MOUNT INST: no

Installp Prerequisite Information:
==================================
PREREQUISITE NUM: 1
    FILESET: bos.mp64
    MINIMAL LEVEL: 7.2.5.3
    MAXIMUM LEVEL: 7.2.5.3
    TYPE: PREREQ
    LEVEL AT INSTALL: 7.2.5.3

Efix to Efix Prerequisite Information:
======================================
No efix to efix prerequisites data.

APAR information:
=================
APAR number: IJ34076
APAR abstract: A POTENTIAL SECURITY ISSUE EXISTS
APAR number: IJ32631
APAR abstract: FIX ISSUES FOUND WITH THE THRASHER TEST

Description:
============
IJ32631 - Kernel security vulnerability
CVE-2021-29801
CVE-2021-29862
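The whole procedure above, as an added shell helper that is not part of the original post and not IBM's code. It gates each step on the check a practitioner would want: the downloaded epkg is compared against a SHA-256 taken from the IBM security advisory (an assumption; the MD5 that emgr prints is computed locally and proves nothing about provenance), the ifix must report LU CAPABLE, rootvg is cloned before anything is touched, and the emgr state is checked for Q after the install and S after the Live Update. The parsing functions take command output as text so they can be exercised off an AIX box; the `emgr -l` sample at the bottom is constructed to match the layout shown in this post, and the label SAMPLEFIX in it is invented. sha256sum or openssl is assumed to be on the PATH (AIX 7.2 ships openssl). The AIX commands emgr, alt_disk_copy and geninstall are only invoked by run_live_update_ifix, which nothing here calls automatically.

```shell
#!/bin/sh
# Added example for the ifix + Live Update procedure in this post (not IBM's
# code). POSIX sh, awk and grep only, so the parsing helpers run anywhere.

# sha256_of FILE -> prints the hex SHA-256 of FILE with whichever tool exists.
sha256_of() {
    if type sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif type openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "sha256_of: no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_epkg FILE EXPECTED -> 0 if FILE's SHA-256 equals EXPECTED (any case).
# EXPECTED is assumed to come from the IBM advisory, not from emgr's output.
verify_epkg() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# lu_capable OUTPUT -> 0 if the text of `emgr -pe FILE` says "LU CAPABLE: yes".
lu_capable() {
    printf '%s\n' "$1" | grep -q 'LU CAPABLE:[[:space:]]*yes'
}

# emgr_state OUTPUT LABEL -> prints the STATE column for LABEL from `emgr -l`
# text, with the surrounding '*' markers removed (REBOOT REQUIRED prints "Q").
emgr_state() {
    printf '%s\n' "$1" | awk -v lbl="$2" '
        $3 == lbl { gsub(/\*/, "", $2); print $2; exit }'
}

# run_live_update_ifix EPKG EXPECTED_SHA256 LABEL SPARE_DISK
# The steps from the post, stopping at the first failure so a bad download or
# an un-cloned rootvg never reaches geninstall -k. Needs the AIX commands.
run_live_update_ifix() {
    epkg=$1 expected=$2 label=$3 disk=$4
    verify_epkg "$epkg" "$expected" ||
        { echo "checksum mismatch: $epkg does not match the advisory" >&2; return 1; }
    lu_capable "$(emgr -pe "$epkg" 2>&1)" ||
        { echo "$epkg is not Live Update capable; plan a reboot instead" >&2; return 1; }
    alt_disk_copy -Bd "$disk" || return 1          # rollback copy, bootlist untouched
    emgr -e "$epkg" || return 1                    # install; rebuilds the boot image
    [ "$(emgr_state "$(emgr -l)" "$label")" = Q ] ||
        { echo "expected state Q (REBOOT REQUIRED) after install" >&2; return 1; }
    geninstall -kp || return 1                     # Live Update preview
    geninstall -k || return 1                      # Live Update
    [ "$(emgr_state "$(emgr -l)" "$label")" = S ]  # STABLE: workload is on the new kernel
}

# Constructed sample of `emgr -l` output (not real output; SAMPLEFIX is invented)
# so the parser can be demonstrated without an AIX system.
SAMPLE_EMGR_L='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   *Q*   IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability
2   S     SAMPLEFIX  08/25/21 18:15:09            constructed stable example'

demo() {
    echo "IJ32631s2a state: $(emgr_state "$SAMPLE_EMGR_L" IJ32631s2a)"   # Q
    echo "SAMPLEFIX state:  $(emgr_state "$SAMPLE_EMGR_L" SAMPLEFIX)"    # S
}
demo
```

On a real system the call would be run_live_update_ifix /cg/kernel_fix2/IJ32631s2a.210805.epkg.Z <sha256 from the advisory> IJ32631s2a hdisk1; the function returns non-zero, with a message on stderr, at whichever gate fails.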
We installed this AIX ifix successfully, WITHOUT A REBOOT!

The state moved from Q to S without a reboot because the Live Update surrogate LPAR booted from the boot image that emgr and bosboot rebuilt at install time, so the workload is now running on the patched kernel. The rootvg clone on hdisk1 can be kept as a known-good fallback or removed with alt_rootvg_op -X once you are satisfied with the result.