Installing an ifix with AIX Live Update

Chris Gibson, cgibson@au1.ibm (27/08/2021)

 

We received a notification that a new AIX security ifix had been released and was available for the AIX kernel.

 

The fix addressed the following vulnerability: "IBM AIX could allow a non-privileged local user to exploit a vulnerability in the kernel to gain root privileges - CVSS Base score: 8.4".

 

We wanted to install this fix as soon as possible to close this vulnerability.

 

As the fix replaced the kernel file /usr/lib/boot/unix_64 in the bos.mp64 fileset (i.e. the AIX kernel), it would normally require a reboot to take effect: the patched kernel is only loaded at boot, so until then the running system stays vulnerable.

 

We chose to use AIX Live Update to install the ifix and avoid the reboot. Our system was running AIX 7.2 TL5 SP2 (7200-05-02-2114).

 

We performed the following steps.

 

We confirmed the ifix was, indeed, Live Update capable (emgr -p previews the install without changing anything). Before running anything against a downloaded epkg, also compare its SHA-256 with the value published in the IBM security advisory; the MD5 that emgr prints below is a package fingerprint, not proof that the download is intact and genuine.

 

# oslevel -s

7200-05-02-2114

 

# emgr -pe IJ32631s2a.210805.epkg.Z | grep LU

LU CAPABLE:       yes

ATTENTION: system reboot will be required by the actual (not preview) operation.

Please see the "Reboot Processing" sections in the output above or in the

/var/adm/ras/emgr.log file.

 

We created a clone (backup) of the current rootvg on a spare disk, so we could boot the unpatched image if the ifix or the Live Update misbehaved. The -B flag leaves the bootlist unchanged, so the clone is a fallback rather than the next boot device.

 

# alt_disk_copy -Bd hdisk1

 

We then installed the ifix with emgr. Note the REBOOT REQUIRED: yes and BUILD BOOT IMAGE: yes attributes in the output: emgr saves and replaces /usr/lib/boot/unix_64, rebuilds the boot image with bosboot, and leaves the ifix waiting for a reboot.

 

# emgr -e IJ32631s2a.210805.epkg.Z

+-----------------------------------------------------------------------------+

Efix Manager Initialization

+-----------------------------------------------------------------------------+

Initializing log /var/adm/ras/emgr.log ...

Efix package file is: /cg/kernel_fix2/IJ32631s2a.210805.epkg.Z

MD5 generating command is /usr/bin/csum

MD5 checksum is 6f01ddfd29c0deb68013c5b7ccf279c0

Accessing efix metadata ...

Processing efix label "IJ32631s2a" ...

Verifying efix control file ...

 

+-----------------------------------------------------------------------------+

Installp Prerequisite Verification

+-----------------------------------------------------------------------------+

Verifying prerequisite file ...

Checking prerequisites ...

 

Prerequisite Number: 1

   Fileset: bos.mp64

   Minimal Level: 7.2.5.3

   Maximum Level: 7.2.5.3

   Actual Level: 7.2.5.3

   Type: PREREQ

   Requisite Met: yes

 

All prerequisites have been met.

 

+-----------------------------------------------------------------------------+

Processing APAR reference file

+-----------------------------------------------------------------------------+

ATTENTION: Interim fix is enabled for automatic removal by installp.

 

+-----------------------------------------------------------------------------+

Efix Attributes

+-----------------------------------------------------------------------------+

LABEL:            IJ32631s2a

PACKAGING DATE:   Thu Aug  5 12:25:45 CDT 2021

ABSTRACT:         IJ32631 - Security Vulnerability

PACKAGER VERSION: 7

VUID:             00F787C74C00080512084521

REBOOT REQUIRED:  yes

BUILD BOOT IMAGE: yes

LU CAPABLE:       yes

PRE-REQUISITES:   yes

SUPERSEDE:        no

PACKAGE LOCKS:    no

E2E PREREQS:      no

FIX TESTED:       no

ALTERNATE PATH:   None

EFIX FILES:       1

 

Install Scripts:

   PRE_INSTALL:   no

   POST_INSTALL:  no

   PRE_REMOVE:    no

   POST_REMOVE:   no

 

File Number:      1

   LOCATION:      /usr/lib/boot/unix_64

   FILE TYPE:     Standard (file or executable)

   INSTALLER:     installp

   SIZE:          88936

   ACL:           DEFAULT

   CKSUM:         31114

   PACKAGE:       bos.mp64

   MOUNT INST:    no

 

+-----------------------------------------------------------------------------+

Efix Description

+-----------------------------------------------------------------------------+

IJ32631 - Kernel security vulnerability

CVE-2021-29801

CVE-2021-29862

 

+-----------------------------------------------------------------------------+

Efix Lock Management

+-----------------------------------------------------------------------------+

Checking locks for file /usr/lib/boot/unix_64 ...

 

All files have passed lock checks.

 

+-----------------------------------------------------------------------------+

Space Requirements

+-----------------------------------------------------------------------------+

Checking space requirements ...

 

Space statistics (in 512 byte-blocks):

File system: /usr, Free: 281400, Required: 151452, Deficit: 0.

File system: /tmp, Free: 1848664, Required: 173131, Deficit: 0.

 

+-----------------------------------------------------------------------------+

Efix Installation Setup

+-----------------------------------------------------------------------------+

Unpacking efix package file ...

Initializing efix installation ...

 

+-----------------------------------------------------------------------------+

Efix State

+-----------------------------------------------------------------------------+

Setting efix state to: INSTALLING

 

+-----------------------------------------------------------------------------+

File Archiving

+-----------------------------------------------------------------------------+

Saving all files that will be replaced ...

Save directory is: /usr/emgrdata/efixdata/IJ32631s2a/save

File 1: Saving /usr/lib/boot/unix_64 as EFSAVE1 ...

 

+-----------------------------------------------------------------------------+

Efix File Installation

+-----------------------------------------------------------------------------+

Installing all efix files:

Installing efix file #1 (File: /usr/lib/boot/unix_64) ...

 

Total number of efix files installed is 1.

All efix files installed successfully.

 

+-----------------------------------------------------------------------------+

Package Locking

+-----------------------------------------------------------------------------+

Processing package locking for all files.

File 1: locking installp fileset bos.mp64.

 

All package locks processed successfully.

 

+-----------------------------------------------------------------------------+

Reboot Processing

+-----------------------------------------------------------------------------+

 

*** NOTICE ***

This efix package requires the target system to be rebooted after the current

operation is complete. It is recommended that you reboot the target system as

soon as possible after installation to avoid disruption of current functionality.

 

+-----------------------------------------------------------------------------+

Efix State

+-----------------------------------------------------------------------------+

Setting efix state to: REBOOT REQUIRED

 

+-----------------------------------------------------------------------------+

Boot Image Processing

+-----------------------------------------------------------------------------+

Rebuilding boot image ...

bosboot: Boot image is 61468 512 byte blocks.

Successfully rebuilt boot image.

 

+-----------------------------------------------------------------------------+

Operation Summary

+-----------------------------------------------------------------------------+

Log file is /var/adm/ras/emgr.log

 

EPKG NUMBER       LABEL               OPERATION              RESULT

===========       ==============      =================      ==============

1                 IJ32631s2a          INSTALL                SUCCESS

 

ATTENTION: system reboot is required. Please see the "Reboot Processing"

sections in the output above or in the /var/adm/ras/emgr.log file.

 

Return Status = SUCCESS

 

After the ifix was installed, its STATE reported as *Q* (REBOOT REQUIRED): the patched kernel was on disk and in the rebuilt boot image, but the running kernel was still the old one.

 

# emgr -l

 

ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT

=== ===== ========== ================= ========== ======================================

1   *Q*   IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

 

STATE codes:

 S = STABLE

 M = MOUNTED

 U = UNMOUNTED

 Q = REBOOT REQUIRED

 B = BROKEN

 I = INSTALLING

 R = REMOVING

 T = TESTED

 P = PATCHED

 N = NOT PATCHED

 SP = STABLE + PATCHED

 SN = STABLE + NOT PATCHED

 QP = BOOT IMAGE MODIFIED + PATCHED

 QN = BOOT IMAGE MODIFIED + NOT PATCHED

 RQ = REMOVING + REBOOT REQUIRED

 

We authenticated with our PowerVC server (Live Update uses PowerVC to create and boot the surrogate LPAR). Passing the password with -p, as we did here, leaves it in the shell history and visible in the process table while pvcauth runs; omitting -p makes pvcauth prompt for it instead.

 

# pvcauth -u pvcadmin -p abc123 -a pvc1

# pvcauth -l

Address  : 10.1.1.50

User name: root

Project  : ibm-default

Port     : 5000

TTL      : 5:58:59

 

We performed a Live Update preview operation to confirm the environment was ready to support a Live Update operation, and to get an estimate of the blackout time (the window during which the workload is paused while it moves to the surrogate LPAR).

 

# geninstall -kp

 

*******************************************************************************

Live Update PREVIEW:  Live Update operation will not actually occur.

*******************************************************************************

 

+-----------------------------------------------------------------------------+

                    Pre-Live Update Verification...

+-----------------------------------------------------------------------------+

Verifying environment...done

Verifying /var/adm/ras/liveupdate/lvupdate.data file...done

Computing the estimated time for the live update operation...done

Results...

 

EXECUTION INFORMATION

---------------------

  LPAR: aixlpar1

  PowerVC: 10.1.1.50

  user: root

 

  Blackout time(in seconds): 21

  Total operation time(in seconds): 1404

 

  << End of Information Section >>

 

+-----------------------------------------------------------------------------+

                    Live Update Requirement Verification...

+-----------------------------------------------------------------------------+

 

INFORMATION

-----------

INFO: Any system dumps present in the current dump logical volumes will not be available after live update is complete.

 

  << End of Information Section >>

 

+-----------------------------------------------------------------------------+

                    Live Update Preview Summary...

+-----------------------------------------------------------------------------+

The live update preview succeeded.

 

*******************************************************************************

End of Live Update PREVIEW:  No Live Update operation has actually occurred.

*******************************************************************************

 

We performed the Live Update operation. The output repeats the preview checks and then runs for real: a surrogate LPAR is booted from a copy of rootvg (which now carries the patched kernel and the rebuilt boot image), the workload is moved across during a blackout of roughly 22 seconds, and the original LPAR is shut down.

 

# geninstall -k

 

+-----------------------------------------------------------------------------+

                    Pre-Live Update Verification...

+-----------------------------------------------------------------------------+

Verifying environment...done

Verifying /var/adm/ras/liveupdate/lvupdate.data file...done

Computing the estimated time for the live update operation...done

Results...

 

EXECUTION INFORMATION

---------------------

  LPAR: aixlpar1

  PowerVC: 10.1.1.50

  user: root

 

  Blackout time(in seconds): 22

  Total operation time(in seconds): 1528

 

  << End of Information Section >>

 

+-----------------------------------------------------------------------------+

                    Live Update Requirement Verification...

+-----------------------------------------------------------------------------+

 

INFORMATION

-----------

INFO: Any system dumps present in the current dump logical volumes will not be available after live update is complete.

 

  << End of Information Section >>

 

+-----------------------------------------------------------------------------+

                    Live Update Preview Summary...

+-----------------------------------------------------------------------------+

The live update preview succeeded.

 

Non-interruptable live update operation begins in 10 seconds.

 

 

Broadcast message from root@aixlpar1 (pts/0) at 18:20:02 ...

 

Live AIX update in progress.

 

 

Initializing live update on original LPAR.

 

Validating original LPAR environment.

 

Beginning live update operation on original LPAR.

 

Requesting resources required for live update.

................

Notifying applications of impending live update.

 

Creating rootvg for boot of surrogate.

................................................................

Starting the surrogate LPAR.

................................................................................................................................................................................

Creating mirror of original LPAR's rootvg.

............................

Moving workload to surrogate LPAR.

............

        Blackout Time started.

 

        Blackout Time end.

 

Workload is running on surrogate LPAR.

........................................................................................

Shutting down the Original LPAR.

............................................................................The live update operation succeeded.

 

 

Broadcast message from root@aixlpar1 (pts/0) at 18:41:04 ...

 

Live AIX update completed.

 

Live Update completed successfully.

 

After the Live Update the ifix STATE showed S (STABLE): the surrogate LPAR had booted from the rebuilt boot image, so the patched kernel was now the running one.

 

# emgr -l

 

ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT

=== ===== ========== ================= ========== ======================================

1    S    IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

 

STATE codes:

 S = STABLE

 M = MOUNTED

 U = UNMOUNTED

 Q = REBOOT REQUIRED

 B = BROKEN

 I = INSTALLING

 R = REMOVING

 T = TESTED

 P = PATCHED

 N = NOT PATCHED

 SP = STABLE + PATCHED

 SN = STABLE + NOT PATCHED

 QP = BOOT IMAGE MODIFIED + PATCHED

 QN = BOOT IMAGE MODIFIED + NOT PATCHED

 RQ = REMOVING + REBOOT REQUIRED

 

# emgr -lv3

+-----------------------------------------------------------------------------+

EFIX ID: 1

EFIX LABEL: IJ32631s2a

+-----------------------------------------------------------------------------+

LABEL:                  IJ32631s2a

STATE:                  STABLE

UPDATED BY:

ABSTRACT:               IJ32631 - Security Vulnerability

VUID:                   00F787C74C00080512084521

PACKAGER VERSION:       7

INSTALL DATE:           08/25/21 18:15:09

EPKG VERSION:           7

REBOOT REQUIRED:        yes

BUILD BOOT IMAGE:       yes

LU CAPABLE:             yes

PACKAGE LOCKS:          no

SUPERSEDE:              no

INSTALLP PREREQUISITES: yes

E2E PREREQUISITES:      no

FIX TESTED:             no

FILES:                  1

 

Install Scripts

===============

PRE_INSTALL:            no

POST_INSTALL:           no

PRE_REMOVE:             no

POST_REMOVE:            no

 

FILE NUMBER:      1

   LOCATION:      /usr/lib/boot/unix_64

   FILE TYPE:     Standard (file or executable)

   INSTALLER:     installp

   SIZE:          88936

   CKSUM:         31114

   ACL:           DEFAULT

   PACKAGE:       bos.mp64

   MOUNT INST:    no

 

Installp Prerequisite Information:

==================================

PREREQUISITE NUM:      1

   FILESET:            bos.mp64

   MINIMAL LEVEL:      7.2.5.3

   MAXIMUM LEVEL:      7.2.5.3

   TYPE:               PREREQ

   LEVEL AT INSTALL:   7.2.5.3

 

Efix to Efix Prerequisite Information:

======================================

No efix to efix prerequisites data.

 

APAR information:

=================

 

APAR number:      IJ34076

APAR abstract:    A POTENTIAL SECURITY ISSUE EXISTS

 

APAR number:      IJ32631

APAR abstract:    FIX ISSUES FOUND WITH THE THRASHER TEST

 

Description:

============

IJ32631 - Kernel security vulnerability

CVE-2021-29801

CVE-2021-29862

 

We installed this AIX ifix successfully, WITHOUT A REBOOT!
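As an added example (not code from the original post), the checks from this procedure as a script: SHA-256 verification of the downloaded epkg against the hash published in the advisory, the LU CAPABLE and installp-prerequisite gates parsed from emgr -pe output, and a post-Live Update scan of emgr -l for anything still in a Q state. The emgr output is embedded as constructed samples shaped like the listings above, so the script runs without AIX; csum -h SHA256 is the AIX checksum tool, with openssl and sha256sum as fallbacks elsewhere. The function names and the sample text are mine; the printf pipelines mark where a real run would pipe emgr itself.

```shell
#!/bin/sh
# Added example, not from the original post: scripted versions of the
# checks made by hand above, for gating an ifix install plus Live Update.
# emgr and csum are AIX commands; their output is embedded below as
# constructed sample text so the script runs anywhere. On a real LPAR,
# pipe the live commands in instead:
#   emgr -pe "$EPKG" 2>/dev/null | lu_capable
#   emgr -l | pending_reboot_ifixes

# --- 1. Package integrity -------------------------------------------------
# IBM security advisories publish a SHA-256 for each epkg (generated with
# "openssl dgst -sha256"). Check the download against it before emgr sees
# it; the MD5 emgr prints is a package fingerprint, not a download check.
sha256_of() {
    f=$1
    if command -v csum >/dev/null 2>&1; then          # AIX
        csum -h SHA256 "$f" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$f" | awk '{print $NF}'
    else
        sha256sum "$f" | awk '{print $1}'
    fi
}

# verify_epkg FILE EXPECTED_SHA256 -> exit 0 on match, 1 on mismatch
verify_epkg() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# --- 2. Live Update gate (input: emgr -pe output on stdin) ----------------
# exit 0 only if the package reports "LU CAPABLE: yes"
lu_capable() {
    awk '/LU CAPABLE:/ { if ($3 == "yes") ok = 1 } END { exit (ok ? 0 : 1) }'
}

# exit 0 only if at least one prerequisite was listed and every one reports
# "Requisite Met: yes" (i.e. the installed bos.mp64 level is in range)
prereqs_met() {
    awk '/Requisite Met:/ { seen++; if ($3 != "yes") bad++ }
         END { exit (seen > 0 && bad == 0 ? 0 : 1) }'
}

# --- 3. Post-update state (input: emgr -l output on stdin) ----------------
# Prints the LABEL of every ifix whose STATE still contains Q (REBOOT
# REQUIRED, BOOT IMAGE MODIFIED, REMOVING + REBOOT REQUIRED). After a
# successful Live Update this should print nothing: the surrogate booted
# the rebuilt boot image, so every ifix should be S.
pending_reboot_ifixes() {
    awk '
        /^=== =====/ { in_table = 1; next }          # header underline
        NF == 0      { in_table = 0 }                # blank line ends table
        in_table && $1 ~ /^[0-9]+$/ {
            st = $2; gsub(/\*/, "", st)              # "*Q*" -> "Q"
            if (st ~ /Q/) print $3
        }'
}

# --- constructed samples, shaped like the output earlier in this post -----
SAMPLE_EMGR_PE='LU CAPABLE:       yes
REBOOT REQUIRED:  yes
   Fileset: bos.mp64
   Minimal Level: 7.2.5.3
   Maximum Level: 7.2.5.3
   Actual Level: 7.2.5.3
   Requisite Met: yes'

SAMPLE_EMGR_L_BEFORE='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   *Q*   IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

STATE codes:
 S = STABLE
 Q = REBOOT REQUIRED'

SAMPLE_EMGR_L_AFTER='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

STATE codes:
 S = STABLE
 Q = REBOOT REQUIRED'

# Demo against the samples; on an LPAR replace the printf pipelines with
# the real emgr commands, and call verify_epkg with the advisory's hash.
printf '%s\n' "$SAMPLE_EMGR_PE" | lu_capable  && echo "epkg is LU CAPABLE"
printf '%s\n' "$SAMPLE_EMGR_PE" | prereqs_met && echo "installp prerequisites met"
echo "needs reboot before Live Update: $(printf '%s\n' "$SAMPLE_EMGR_L_BEFORE" | pending_reboot_ifixes)"
echo "needs reboot after Live Update:  $(printf '%s\n' "$SAMPLE_EMGR_L_AFTER"  | pending_reboot_ifixes)"
```

A non-zero exit from lu_capable or prereqs_met is the signal to stop before emgr -e; a non-empty result from pending_reboot_ifixes after geninstall -k means the surrogate is not running the patched kernel and the update needs investigating rather than declaring done.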