Using emgr_check_ifixes on AIX 7.3
IBM's Chris Gibson explains how to use emgr_check_ifixes to automatically check for and download AIX security interim fixes
If your AIX system has internet connectivity, you can use the emgr_check_ifixes tool to check for the availability of AIX security interim fixes (ifixes) for your current AIX operating system level. The tool can also download the fixes to your AIX host. It provides AIX administrators a convenient way to ensure their AIX systems have known security fixes installed.
How to Use emgr_check_ifixes
The tool is included with AIX 7.2 and AIX 7.3. It is delivered with the bos.rte.install AIX fileset.
# which_fileset /usr/sbin/emgr_check_ifixes
/usr/sbin/emgr_check_ifixes bos.rte.install 7.3.0.0
There’s also the companion tool, emgr_download_ifix, which can be used to download specific security ifixes.
# which_fileset /usr/sbin/emgr_download_ifix
/usr/sbin/emgr_download_ifix bos.rte.install 7.3.0.0
Here are some examples of using the tool on an AIX system with internet access. All testing was performed on an AIX LPAR running AIX 7.3 TL2 SP1.
# oslevel -s
7300-02-01-2346
In this example we will check for any available security ifixes for our AIX system. The tool reports that there are none available to download and install for our current AIX level.
# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=mercury
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
There is no efix data on this system.
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
No AIX security fixes are required at this time ...
#
Next we again check for any security ifixes that might be available for our AIX system. This time several ifixes are found that are NOT installed on my AIX host. The tool lists each security fix available for the host, but it does not download them.
# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Vulnerability fixes are not downloaded
#
Finally, we check for security ifixes once more; again, several security ifixes are found that are NOT installed on my AIX host. This time we specify the -D flag, which automatically downloads the required fixes to the host (into /tmp/ifix_${PID}, the default location).
# emgr_check_ifixes -D
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Downloading 1 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix openssh_fix15.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
Downloading 2 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix openssl_fix40.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
Downloading 3 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix curl_fix3.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
#
The ifixes are downloaded to the /tmp/ifix_15466784 directory on the AIX host.
# ls -ltr /tmp/ifix_15466784
total 303424
-rw-r--r-- 1 root system 1865 Feb 27 21:52 ssl_connection_flrt.log
-rw-r--r-- 1 root system 9641 Feb 27 21:53 adv_file
-rw-r--r-- 1 root system 256 Feb 27 21:53 adv_file.sig
-rw-r--r-- 1 root system 27258880 Feb 27 21:53 openssh_fix15.tar
-rw-r--r-- 1 root system 125890560 Feb 27 21:53 openssl_fix40.tar
-rw-r--r-- 1 root system 2181120 Feb 27 21:54 curl_fix3.tar
Additionally, if desired, the emgr_download_ifix tool can be used to download a specific fix. For example, to download the ntp_fix14.tar fix to my current directory:
# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix ntp_fix14.tar has been downloaded to . directory.
+-----------------------------------------------------------------------------+
#
# ls -ltr ntp_fix14.tar
-rw-r--r-- 1 root system 8355840 Feb 27 21:57 ntp_fix14.tar
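The output shown above is written for a person at the terminal. When the same check runs across many LPARs it helps to turn the recommended-fix list into something scriptable. The following POSIX sh/awk script is an added example, not part of the article or of the AIX tooling: it parses emgr_check_ifixes output (the sample input is the listing from this page, constructed inline, with a few of the -D progress lines included to show they are ignored), extracts each recommended ifix with its tarball name and URL, collects the CVE identifiers mentioned, and generates the matching emgr_download_ifix -L ... -P ... commands for a directory of your choosing. The parsing assumes the output format shown on this page, namely that every recommendation line ends in the .tar URL; if that format changes the awk patterns need revisiting.

```shell
#!/bin/sh
# Added example (not from the article): parse emgr_check_ifixes output into a
# machine-readable list of recommended security ifixes, report the CVEs they
# mention, and generate emgr_download_ifix commands for a chosen directory.
# Uses only POSIX sh and awk, so it runs unchanged under AIX ksh.

# Constructed sample input: the "Recommended ifixes" section as the article
# shows it, plus -D progress lines to show that they are skipped.
SAMPLE_OUTPUT='Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363 AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb Multiple vulnerabilities in cURL libcurl affect AIX https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Downloading 1 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
Interim fix openssh_fix15.tar has been downloaded to /tmp/ifix_15466784 directory.'

# list_recommended_ifixes: read tool output on stdin and print one line per
# recommended ifix as "<tag> <tarball> <url>". A recommendation line is one
# whose last field is an ifix tarball URL (assumption: the format on this page).
# The "Downloading fix: <url>" progress lines printed with -D also end in a
# URL, so they are excluded explicitly.
list_recommended_ifixes() {
    awk '$NF ~ /^https?:\/\/.*\.tar$/ && $1 != "Downloading" {
            n = split($NF, parts, "/")
            print $1, parts[n], $NF
         }'
}

# count_recommended_ifixes: number of recommended ifixes in the output on stdin.
count_recommended_ifixes() {
    list_recommended_ifixes | wc -l | tr -d ' '
}

# cves_in_output: distinct CVE identifiers mentioned anywhere in the output,
# one per line, sorted. Parentheses around grouped CVEs are stripped first.
cves_in_output() {
    awk '{
        for (i = 1; i <= NF; i++) {
            f = $i
            gsub(/[()]/, "", f)
            if (f ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+$/) print f
        }
    }' | sort -u
}

# ifix_download_commands DIR: turn the tool output on stdin into one
# emgr_download_ifix invocation per recommended fix, using the -L (URL) and
# -P (path) flags shown in the article. Pipe the result to sh to execute it.
ifix_download_commands() {
    dir=${1:-.}
    list_recommended_ifixes | while read -r tag tarball url; do
        printf 'emgr_download_ifix -L %s -P %s\n' "$url" "$dir"
    done
}

# Demonstration on the constructed sample. On a real host replace the printf
# with:  emgr_check_ifixes | tee /var/tmp/ifix_check.log | list_recommended_ifixes
printf '%s\n' "$SAMPLE_OUTPUT" | list_recommended_ifixes
printf '%s\n' "$SAMPLE_OUTPUT" | cves_in_output
printf '%s\n' "$SAMPLE_OUTPUT" | ifix_download_commands /var/tmp/ifixes
```

Keeping the raw tool output (the tee in the comment) alongside the parsed list is worthwhile: the parsed lines are what a ticket or inventory system consumes, while the raw log preserves the full advisory text and the certificate-verification messages for later review.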
Please note that all our testing was done with an additional ifix installed for the emgr_* tools. The necessary ifix is IJ49378m1d, as shown below. You can obtain this ifix from the IBM AIX support team by opening a new support case and requesting the fix for your specific AIX version and level.
# emgr -l
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1 S IJ49378m1d 02/06/24 23:23:27 IJ49378 EFIXTOOLS MULTI-FIX
STATE codes:
S = STABLE
M = MOUNTED
U = UNMOUNTED
Q = REBOOT REQUIRED
B = BROKEN
I = INSTALLING
R = REMOVING
T = TESTED
P = PATCHED
N = NOT PATCHED
SP = STABLE + PATCHED
SN = STABLE + NOT PATCHED
QP = BOOT IMAGE MODIFIED + PATCHED
QN = BOOT IMAGE MODIFIED + NOT PATCHED
RQ = REMOVING + REBOOT REQUIRED
# emgr -lv3 | tail -18
APAR information:
=================
APAR number: IJ49378
APAR abstract: crl download fails after change in certificate server
APAR number: IJ49379
APAR abstract: emgr_download_ifix fails with ssl connection failed
APAR number: IJ49220
APAR abstract: default download path of emgr_check_ifixes is /tmp/ifix
Description:
============
IJ49378 - crl download fails after change in certificate server
IJ49379 - emgr_download_ifix fails with ssl connection failed
IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix
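Because the emgr_* tools behave as shown here only with IJ49378m1d installed, any script that automates the check should verify that prerequisite first. The following POSIX sh script is an added example, not from the article or from IBM: it parses emgr -l output (the sample is the listing above, constructed inline, plus a hypothetical second row in state Q to exercise the edge case) and reports whether a given ifix label is installed in a STABLE state, refusing otherwise. The label IJ49378m1d comes from the page; the handling of the state letters follows the STATE codes legend that emgr -l prints.

```shell
#!/bin/sh
# Added example (not from the article): confirm that a required interim fix is
# installed, and in a usable state, by parsing "emgr -l" output. Meant as a
# pre-flight check before relying on emgr_check_ifixes / emgr_download_ifix.

# Constructed sample input: the "emgr -l" listing from the article, plus a
# hypothetical second entry (label TESTQ1, state Q) to exercise the edge case.
SAMPLE_EMGR_L='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27 IJ49378    EFIXTOOLS MULTI-FIX
2    Q    TESTQ1     02/07/24 10:00:00 TESTQ      HYPOTHETICAL ROW (constructed)

STATE codes:
S = STABLE
M = MOUNTED
U = UNMOUNTED
Q = REBOOT REQUIRED
B = BROKEN'

# ifix_state LABEL: print the STATE column of the entry for LABEL, or nothing
# if no such ifix is installed. Only rows whose first field is a numeric ID are
# entries; the header, the "===" separator and the STATE codes legend are skipped.
ifix_state() {
    awk -v label="$1" '$1 ~ /^[0-9]+$/ && $3 == label { print $2; exit }'
}

# require_ifix LABEL: return 0 when LABEL is installed in state S (STABLE) or
# SP (STABLE + PATCHED). Return 1, with the reason on stderr, when it is absent
# or in any other state: Q means a reboot is still required, B means broken.
require_ifix() {
    state=$(ifix_state "$1")
    case "$state" in
        S|SP) echo "$1 installed (state $state)"; return 0 ;;
        "")   echo "$1 is NOT installed" >&2; return 1 ;;
        *)    echo "$1 is present but in state $state, not STABLE" >&2; return 1 ;;
    esac
}

# On a real host:   emgr -l | require_ifix IJ49378m1d && emgr_check_ifixes -D
printf '%s\n' "$SAMPLE_EMGR_L" | require_ifix IJ49378m1d
```

The check deliberately treats "present but not STABLE" as a failure rather than a pass: an ifix in state Q has been installed but the running system does not yet reflect it, and a broken (B) ifix is exactly the case where you do not want an automated job to continue as if the fix were active.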
Please refer to the command reference links (below) for more information on these tools.