Using emgr_check_ifixes on AIX 7.3

Using emgr_check_ifixes to automatically check for and download AIX security interim fixes.

 

If your AIX system has internet connectivity, you can use the emgr_check_ifixes tool to check for the availability of AIX security interim fixes (ifixes) for your current AIX operating system level. The tool can also download the fixes to your AIX host. It provides AIX administrators with a convenient way to ensure their AIX systems have known security fixes installed.

 

The tool is included with AIX 7.2 and AIX 7.3. It is delivered with the bos.rte.install AIX fileset.

 

# which_fileset /usr/sbin/emgr_check_ifixes

/usr/sbin/emgr_check_ifixes             bos.rte.install 7.3.0.0

 

There’s also the companion tool, emgr_download_ifix, which can be used to download specific security ifixes.

 

# which_fileset /usr/sbin/emgr_download_ifix

/usr/sbin/emgr_download_ifix            bos.rte.install 7.3.0.0

 

Here are some examples of using the tool on an AIX system with internet access. All testing was performed on an AIX LPAR running AIX 7.3 TL2 SP1.

 

# oslevel -s

7300-02-01-2346

 

In this example we will check for any available security ifixes for our AIX system. The tool reports that there are none available to download and install for our current AIX level.

 

# emgr_check_ifixes

Gathering system information

+-----------------------------------------------------------------------------+

p0.mtm=8284-22A

p0.fw=SV860_212

p0.parnm=mercury

p0.os=aix

p0.aix=7300-02-01-2346

+-----------------------------------------------------------------------------+

Checking interim fixes on the system ...

+-----------------------------------------------------------------------------+

There is no efix data on this system.

 

Searching for AIX security fixes ...

+-----------------------------------------------------------------------------+

No AIX security fixes are required at this time ...

#

 

Next, we check again for any security ifixes that might be available for our AIX system. In this example, several ifixes were found that are NOT installed on my AIX host. The tool lists each security fix that is available for the host, but it does not download them.

 

# emgr_check_ifixes

Gathering system information

+-----------------------------------------------------------------------------+

p0.mtm=8284-22A

p0.fw=SV860_212

p0.parnm=apollo

p0.os=aix

p0.aix=7300-02-01-2346

+-----------------------------------------------------------------------------+

Checking interim fixes on the system ...

+-----------------------------------------------------------------------------+

ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT

====== ================ ================= ========== ======================================

1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX

 

 

Searching for AIX security fixes ...

+-----------------------------------------------------------------------------+

Recommended ifixes, please wait..parsing

===============================================================================

38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar

CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar

curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar

 

Vulnerability fixes are not downloaded

#
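
The listing above is easy to turn into a scheduled patch-compliance check. The script below is an added example, not part of the original article or of IBM's tooling: it parses the "Recommended ifixes" section into label and URL pairs and flags any URL outside the download location seen in the transcript. The function names, the demo0001 entry and the mirror.example.invalid host are assumptions made for illustration, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not IBM code): extract pending ifixes from emgr_check_ifixes
# output. Assumes the "Recommended ifixes" layout shown in the transcripts:
# label first, download URL last on each line.

# URL prefix seen in the transcripts; anything else is flagged for review.
TRUSTED_PREFIX="https://aix.software.ibm.com/aix/efixes/security/"

# stdin: emgr_check_ifixes output. stdout: "STATUS|label|url" per listed fix,
# STATUS = OK for a .tar under TRUSTED_PREFIX, SUSPECT otherwise.
parse_ifixes() {
    awk -v pfx="$TRUSTED_PREFIX" '
        /^Recommended ifixes/ { armed = 1; next }            # section banner
        armed && /^=+$/ { armed = 0; in_list = 1; next }     # rule under it
        in_list && /^(Downloading|Vulnerability fixes)/ { in_list = 0 }
        in_list && NF >= 2 && $NF ~ /^https?:\/\// {
            ok = (index($NF, pfx) == 1 && $NF ~ /\.tar$/)
            st = ok ? "OK" : "SUSPECT"
            print st "|" $1 "|" $NF
        }'
}

# Count of listed fixes with a trusted URL; 0 means nothing is pending.
pending_count() {
    parse_ifixes | awk -F"|" '$1 == "OK" { n++ } END { print n + 0 }'
}

# Constructed sample: abridged from the transcript above, plus one made-up
# entry (demo0001) with an off-site URL to exercise the SUSPECT path.
sample_output() {
cat <<'EOF'
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363   AIX is vulnerable to a denial of service and an attacker may obtain sensitive information due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
demo0001        Constructed entry pointing at an unexpected host      http://mirror.example.invalid/curl_fix3.tar

Vulnerability fixes are not downloaded
EOF
}

sample_output | parse_ifixes
```

On a real host, replace the sample with the live command, for example emgr_check_ifixes | parse_ifixes, and alert when pending_count is non-zero or any line starts with SUSPECT.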

 

Finally, we check for security ifixes again, and once more several are found that are NOT installed on my AIX host. By specifying the -D flag we have chosen to automatically download the required fixes to the host (in /tmp/ifix_${PID}, the default location).

 

# emgr_check_ifixes -D

Gathering system information

+-----------------------------------------------------------------------------+

p0.mtm=8284-22A

p0.fw=SV860_212

p0.parnm=apollo

p0.os=aix

p0.aix=7300-02-01-2346

+-----------------------------------------------------------------------------+

Checking interim fixes on the system ...

+-----------------------------------------------------------------------------+

ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT

====== ================ ================= ========== ======================================

1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX

 

 

Searching for AIX security fixes ...

+-----------------------------------------------------------------------------+

Recommended ifixes, please wait..parsing

===============================================================================

38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar

CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar

curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar

 

Downloading 1 of 3 ...

Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar

+-----------------------------------------------------------------------------+

 

Performing certificate verification ...

OpenSSL success!

Interim fix openssh_fix15.tar has been downloaded to /tmp/ifix_15466784 directory.

+-----------------------------------------------------------------------------+

 

Downloading 2 of 3 ...

Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar

+-----------------------------------------------------------------------------+

 

Performing certificate verification ...

OpenSSL success!

Interim fix openssl_fix40.tar has been downloaded to /tmp/ifix_15466784 directory.

+-----------------------------------------------------------------------------+

 

Downloading 3 of 3 ...

Downloading fix: https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar

+-----------------------------------------------------------------------------+

 

Performing certificate verification ...

OpenSSL success!

Interim fix curl_fix3.tar has been downloaded to /tmp/ifix_15466784 directory.

+-----------------------------------------------------------------------------+

#

 

The ifixes are downloaded to the /tmp/ifix_15466784 directory, on the AIX host.

 

# ls -ltr /tmp/ifix_15466784

total 303424

-rw-r--r--    1 root     system         1865 Feb 27 21:52 ssl_connection_flrt.log

-rw-r--r--    1 root     system         9641 Feb 27 21:53 adv_file

-rw-r--r--    1 root     system          256 Feb 27 21:53 adv_file.sig

-rw-r--r--    1 root     system     27258880 Feb 27 21:53 openssh_fix15.tar

-rw-r--r--    1 root     system    125890560 Feb 27 21:53 openssl_fix40.tar

-rw-r--r--    1 root     system      2181120 Feb 27 21:54 curl_fix3.tar

 

Additionally, if desired, the emgr_download_ifix tool can be used to download a specific fix. For example, to download the ntp_fix14.tar fix to my current directory:

 

# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .

Downloading fix: https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar

+-----------------------------------------------------------------------------+

 

Performing certificate verification ...

OpenSSL success!

Interim fix ntp_fix14.tar has been downloaded to . directory.

+-----------------------------------------------------------------------------+

#

# ls -ltr ntp_fix14.tar

-rw-r--r--    1 root     system      8355840 Feb 27 21:57 ntp_fix14.tar

 

Please note that all our testing was done with an additional ifix installed for the emgr_* tools. The necessary ifix is IJ49378m1d, as shown below. You can obtain this ifix from the IBM AIX support team by opening a new support case and requesting the fix for your specific AIX version and level.

 

# emgr -l

 

ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT

====== ================ ================= ========== ======================================

1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX

 

STATE codes:

 S = STABLE

 M = MOUNTED

 U = UNMOUNTED

 Q = REBOOT REQUIRED

 B = BROKEN

 I = INSTALLING

 R = REMOVING

 T = TESTED

 P = PATCHED

 N = NOT PATCHED

 SP = STABLE + PATCHED

 SN = STABLE + NOT PATCHED

 QP = BOOT IMAGE MODIFIED + PATCHED

 QN = BOOT IMAGE MODIFIED + NOT PATCHED

 RQ = REMOVING + REBOOT REQUIRED

 

# emgr -lv3 | tail -18

 

APAR information:

=================

 

APAR number:      IJ49378

APAR abstract:    crl download fails after change in certificate server

 

APAR number:      IJ49379

APAR abstract:    emgr_download_ifix fails with ssl connection failed

 

APAR number:      IJ49220

APAR abstract:    default download path of emgr_check_ifixes is /tmp/ifix

 

Description:

============

IJ49378 - crl download fails after change in certificate server

IJ49379 - emgr_download_ifix fails with ssl connection failed

IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix

 

Please refer to the command reference links (below) for more information on these tools.

 

emgr_check_ifixes Command

https://www.ibm.com/docs/en/aix/7.3?topic=e-emgr-check-ifixes-command

 

emgr_download_ifix Command

https://www.ibm.com/docs/en/aix/7.2?topic=e-emgr-download-ifix-command