Using emgr_check_ifixes on AIX 7.3
Using emgr_check_ifixes to automatically check for and download AIX security interim fixes.
If your AIX system has internet connectivity, you can use the emgr_check_ifixes tool to check for the availability of AIX security interim fixes (ifixes) for your current AIX operating system level. The tool can also download the fixes to your AIX host. It provides AIX administrators a convenient way to ensure their AIX systems have known security fixes installed.
The tool is included with AIX 7.2 and AIX 7.3. It is delivered with the bos.rte.install AIX fileset.
# which_fileset /usr/sbin/emgr_check_ifixes
/usr/sbin/emgr_check_ifixes bos.rte.install 7.3.0.0
There’s also the companion tool, emgr_download_ifix, which can be used to download specific security ifixes.
# which_fileset /usr/sbin/emgr_download_ifix
/usr/sbin/emgr_download_ifix bos.rte.install 7.3.0.0
Here are some examples of using the tool on an AIX system with internet access. All testing was performed on an AIX LPAR running AIX 7.3 TL2 SP1.
# oslevel -s
7300-02-01-2346
In this example we will check for any available security ifixes for our AIX system. The tool reports that there are none available to download and install for our current AIX level.
# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=mercury
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
There is no efix data on this system.
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
No AIX security fixes are required at this time ...
#
Next we will, again, check for any security ifixes that might be available for our AIX system. In this example several ifixes were found that are NOT installed on my AIX host. The tool displays a list of each of the security fixes that are available for my AIX host, but they are not downloaded to the host.
# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH
https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL
https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX
https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Vulnerability fixes are not downloaded
#
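For scheduled patch-compliance checks, the "Recommended ifixes" section of this report can be reduced to one line per outstanding fix. The following is an added example, not part of the original article or of the AIX tools; the function names are hypothetical, and it assumes the section layout shown above (label and abstract lines followed by the fix URL) with the report written to standard output.

```shell
#!/bin/sh
# Added example: summarise the "Recommended ifixes" section of an
# emgr_check_ifixes report as one "URL<TAB>abstract" line per fix.

# Constructed sample input, copied from the report shown in this article.
sample_report() {
cat <<'EOF'
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file
access and arbitrary code execution due to OpenSSH
https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service
(CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain
sensitive information (CVE-2023-5363) due to OpenSSL
https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX
https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Vulnerability fixes are not downloaded
EOF
}

# Read a report on stdin; print "URL<TAB>abstract" for each recommended fix.
# Abstracts wrapped over several lines are joined into one.
list_recommended_ifixes() {
    awk '
        /^Recommended ifixes/ { in_list = 1; next }    # section start
        !in_list              { next }                 # ignore earlier output
        /^[=+-]+$/            { next }                 # separator rules
        /^(Vulnerability fixes|Downloading)/ { exit }  # section end
        /^https:\/\// {                                # URL closes one entry
            printf "%s\t%s\n", $1, abstract
            abstract = ""
            next
        }
        { abstract = (abstract == "" ? $0 : abstract " " $0) }
    '
}

# Succeeds (status 0) when the report on stdin lists at least one fix,
# so a monitoring job can alert on hosts with outstanding ifixes.
ifixes_pending() {
    [ "$(list_recommended_ifixes | wc -l | tr -d ' ')" -gt 0 ]
}
```

On an AIX host the live report can be piped in directly, for example emgr_check_ifixes | list_recommended_ifixes.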
Finally, we check for security ifixes, and again, there are several security ifixes found that are NOT installed on my AIX host. By specifying the -D flag we have chosen to automatically download the required fixes to the host (in /tmp/ifix_${PID}, the default location).
# emgr_check_ifixes -D
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH
https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL
https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX
https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Downloading 1 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix openssh_fix15.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
Downloading 2 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix openssl_fix40.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
Downloading 3 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix curl_fix3.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
#
The ifixes are downloaded to the /tmp/ifix_15466784 directory on the AIX host.
# ls -ltr /tmp/ifix_15466784
total 303424
-rw-r--r-- 1 root system 1865 Feb 27 21:52 ssl_connection_flrt.log
-rw-r--r-- 1 root system 9641 Feb 27 21:53 adv_file
-rw-r--r-- 1 root system 256 Feb 27 21:53 adv_file.sig
-rw-r--r-- 1 root system 27258880 Feb 27 21:53 openssh_fix15.tar
-rw-r--r-- 1 root system 125890560 Feb 27 21:53 openssl_fix40.tar
-rw-r--r-- 1 root system 2181120 Feb 27 21:54 curl_fix3.tar
Additionally, if desired, the emgr_download_ifix tool can be used to download a specific fix. For example, to download the ntp_fix14.tar fix to my current directory:
# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix ntp_fix14.tar has been downloaded to . directory.
+-----------------------------------------------------------------------------+
#
# ls -ltr ntp_fix14.tar
-rw-r--r-- 1 root system 8355840 Feb 27 21:57 ntp_fix14.tar
Please note that all our testing was done with an additional ifix installed for the emgr_* tools. The necessary ifix is IJ49378m1d, as shown below. You can obtain this ifix from the IBM AIX support team by opening a new support case and requesting the fix for your specific AIX version and level.
# emgr -l
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
STATE codes:
S = STABLE
M = MOUNTED
U = UNMOUNTED
Q = REBOOT REQUIRED
B = BROKEN
I = INSTALLING
R = REMOVING
T = TESTED
P = PATCHED
N = NOT PATCHED
SP = STABLE + PATCHED
SN = STABLE + NOT PATCHED
QP = BOOT IMAGE MODIFIED + PATCHED
QN = BOOT IMAGE MODIFIED + NOT PATCHED
RQ = REMOVING + REBOOT REQUIRED
# emgr -lv3 | tail -18
APAR information:
=================
APAR number: IJ49378
APAR abstract: crl download fails after change in certificate server
APAR number: IJ49379
APAR abstract: emgr_download_ifix fails with ssl connection failed
APAR number: IJ49220
APAR abstract: default download path of emgr_check_ifixes is /tmp/ifix
Description:
============
IJ49378 - crl download fails after change in certificate server
IJ49379 - emgr_download_ifix fails with ssl connection failed
IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix
Please refer to the command reference links (below) for more information on these tools.
emgr_check_ifixes Command
https://www.ibm.com/docs/en/aix/7.3?topic=e-emgr-check-ifixes-command
emgr_download_ifix Command
https://www.ibm.com/docs/en/aix/7.2?topic=e-emgr-download-ifix-command