Skip to main content

Installing an ifix With AIX Live Update

Chris Gibson explains how to install an AIX security ifix without a reboot

Gold padlock, light green and red lines against a dark green background

I recently received a notification that a new AIX security ifix had been released and was available for the AIX kernel. 
 
The fix addressed the following vulnerability: "IBM AIX could allow a non-privileged local user to exploit a vulnerability in the kernel to gain root privileges - CVSS Base score: 8.4." 
 
I wanted to install this fix ASAP to negate this vulnerability. Here’s how I did it:
 
As the fix related to the bos.mp64 fileset (i.e. the AIX kernel) it would require a reboot for it to take effect.
 
I chose to use AIX Live Update to install the ifix and avoid the reboot. My system was running AIX 7.2 TL5 SP2 (7200-05-02-2114).
 
I confirmed the ifix was, indeed, Live Update capable.
# oslevel -s
7200-05-02-2114
 
# emgr -pe IJ32631s2a.210805.epkg.Z | grep LU
LU CAPABLE:       yes
ATTENTION: system reboot will be required by the actual (not preview) operation.
Please see the "Reboot Processing" sections in the output above or in the
/var/adm/ras/emgr.log file.
I created a clone (backup) of the current rootvg.
# alt_disk_copy -Bd hdisk1
This ifix was installed using emgr.
 
# emgr -e IJ32631s2a.210805.epkg.Z
+-----------------------------------------------------------------------------+
Efix Manager Initialization
+-----------------------------------------------------------------------------+
Initializing log /var/adm/ras/emgr.log ...
Efix package file is: /cg/kernel_fix2/IJ32631s2a.210805.epkg.Z
MD5 generating command is /usr/bin/csum
MD5 checksum is 6f01ddfd29c0deb68013c5b7ccf279c0
Accessing efix metadata ...
Processing efix label "IJ32631s2a" ...
Verifying efix control file ...
 
+-----------------------------------------------------------------------------+
Installp Prerequisite Verification
+-----------------------------------------------------------------------------+
Verifying prerequisite file ...
Checking prerequisites ...
 
Prerequisite Number: 1
   Fileset: bos.mp64
   Minimal Level: 7.2.5.3
   Maximum Level: 7.2.5.3
   Actual Level: 7.2.5.3
   Type: PREREQ
   Requisite Met: yes
 
All prerequisites have been met.
 
+-----------------------------------------------------------------------------+
Processing APAR reference file
+-----------------------------------------------------------------------------+
ATTENTION: Interim fix is enabled for automatic removal by installp.
 
+-----------------------------------------------------------------------------+
Efix Attributes
+-----------------------------------------------------------------------------+
LABEL:            IJ32631s2a
PACKAGING DATE:   Thu Aug  5 12:25:45 CDT 2021
ABSTRACT:         IJ32631 - Security Vulnerability
PACKAGER VERSION: 7
VUID:             00F787C74C00080512084521
REBOOT REQUIRED:  yes
BUILD BOOT IMAGE: yes
LU CAPABLE:       yes
PRE-REQUISITES:   yes
SUPERSEDE:        no
PACKAGE LOCKS:    no
E2E PREREQS:      no
FIX TESTED:       no
ALTERNATE PATH:   None
EFIX FILES:       1
 
Install Scripts:
   PRE_INSTALL:   no
   POST_INSTALL:  no
   PRE_REMOVE:    no
   POST_REMOVE:   no
 
File Number:      1
   LOCATION:      /usr/lib/boot/unix_64
   FILE TYPE:     Standard (file or executable)
   INSTALLER:     installp
   SIZE:          88936
   ACL:           DEFAULT
   CKSUM:         31114
   PACKAGE:       bos.mp64
   MOUNT INST:    no
 
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
IJ32631 - Kernel security vulnerability
CVE-2021-29801
CVE-2021-29862
 
+-----------------------------------------------------------------------------+
Efix Lock Management
+-----------------------------------------------------------------------------+
Checking locks for file /usr/lib/boot/unix_64 ...
 
All files have passed lock checks.
 
+-----------------------------------------------------------------------------+
Space Requirements
+-----------------------------------------------------------------------------+
Checking space requirements ...
 
Space statistics (in 512 byte-blocks):
File system: /usr, Free: 281400, Required: 151452, Deficit: 0.
File system: /tmp, Free: 1848664, Required: 173131, Deficit: 0.
 
+-----------------------------------------------------------------------------+
Efix Installation Setup
+-----------------------------------------------------------------------------+
Unpacking efix package file ...
Initializing efix installation ...
 
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: INSTALLING
 
+-----------------------------------------------------------------------------+
File Archiving
+-----------------------------------------------------------------------------+
Saving all files that will be replaced ...
Save directory is: /usr/emgrdata/efixdata/IJ32631s2a/save
File 1: Saving /usr/lib/boot/unix_64 as EFSAVE1 ...
 
+-----------------------------------------------------------------------------+
Efix File Installation
+-----------------------------------------------------------------------------+
Installing all efix files:
Installing efix file #1 (File: /usr/lib/boot/unix_64) ...
 
Total number of efix files installed is 1.
All efix files installed successfully.
 
+-----------------------------------------------------------------------------+
Package Locking
+-----------------------------------------------------------------------------+
Processing package locking for all files.
File 1: locking installp fileset bos.mp64.
 
All package locks processed successfully.
 
+-----------------------------------------------------------------------------+
Reboot Processing
+-----------------------------------------------------------------------------+
 
*** NOTICE ***
This efix package requires the target system to be rebooted after the current
operation is complete. It is recommended that you reboot the target system as
soon as possible after installation to avoid disruption of current functionality.
 
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: REBOOT REQUIRED
 
+-----------------------------------------------------------------------------+
Boot Image Processing
+-----------------------------------------------------------------------------+
Rebuilding boot image ...
bosboot: Boot image is 61468 512 byte blocks.
Successfully rebuilt boot image.
 
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log
 
EPKG NUMBER       LABEL               OPERATION              RESULT
===========       ==============      =================      ==============
1                 IJ32631s2a          INSTALL                SUCCESS
 
ATTENTION: system reboot is required. Please see the "Reboot Processing"
sections in the output above or in the /var/adm/ras/emgr.log file.
 
Return Status = SUCCESS
 
After the ifix was installed, its STATE reported as *Q* (REBOOT REQUIRED). 
 
# emgr -l
 
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   *Q*   IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability
 
STATE codes:
 S = STABLE
 M = MOUNTED
 U = UNMOUNTED
 Q = REBOOT REQUIRED
 B = BROKEN
 I = INSTALLING
 R = REMOVING
 T = TESTED
 P = PATCHED
 N = NOT PATCHED
 SP = STABLE + PATCHED
 SN = STABLE + NOT PATCHED
 QP = BOOT IMAGE MODIFIED + PATCHED
 QN = BOOT IMAGE MODIFIED + NOT PATCHED
 RQ = REMOVING + REBOOT REQUIRED
 
I authenticated with my PowerVC server.
 
# pvcauth -u pvcadmin -p abc123 -a pvc1
# pvcauth -l
Address  : 10.1.1.50
User name: root
Project  : ibm-default
Port     : 5000
TTL      : 5:58:59
 
I performed a Live Update preview operation to confirm the environment was ready to support a Live Update operation.
 
# geninstall -kp
 
*******************************************************************************
Live Update PREVIEW:  Live Update operation will not actually occur.
*******************************************************************************
 
+-----------------------------------------------------------------------------+
                    Pre-Live Update Verification...
+-----------------------------------------------------------------------------+
Verifying environment...done
Verifying /var/adm/ras/liveupdate/lvupdate.data file...done
Computing the estimated time for the live update operation...done
Results...
 
EXECUTION INFORMATION
---------------------
  LPAR: aixlpar1
  PowerVC: 10.1.1.50
  user: root
 
  Blackout time(in seconds): 21
  Total operation time(in seconds): 1404
 
  << End of Information Section >>
 
+-----------------------------------------------------------------------------+
                    Live Update Requirement Verification...
+-----------------------------------------------------------------------------+
 
INFORMATION
-----------
INFO: Any system dumps present in the current dump logical volumes will not be available after live update is complete.
 
  << End of Information Section >>
 
+-----------------------------------------------------------------------------+
                    Live Update Preview Summary...
+-----------------------------------------------------------------------------+
The live update preview succeeded.
 
*******************************************************************************
End of Live Update PREVIEW:  No Live Update operation has actually occurred.
*******************************************************************************
 
I performed the Live Update operation.
 
# geninstall -k
 
+-----------------------------------------------------------------------------+
                    Pre-Live Update Verification...
+-----------------------------------------------------------------------------+
Verifying environment...done
Verifying /var/adm/ras/liveupdate/lvupdate.data file...done
Computing the estimated time for the live update operation...done
Results...
 
EXECUTION INFORMATION
---------------------
  LPAR: aixlpar1
  PowerVC: 10.1.1.50
  user: root
 
  Blackout time(in seconds): 22
  Total operation time(in seconds): 1528
 
  << End of Information Section >>
 
+-----------------------------------------------------------------------------+
                    Live Update Requirement Verification...
+-----------------------------------------------------------------------------+
 
INFORMATION
-----------
INFO: Any system dumps present in the current dump logical volumes will not be available after live update is complete.
 
  << End of Information Section >>
 
+-----------------------------------------------------------------------------+
                    Live Update Preview Summary...
+-----------------------------------------------------------------------------+
The live update preview succeeded.
 
Non-interruptable live update operation begins in 10 seconds.
 
 
Broadcast message from root@aixlpar1 (pts/0) at 18:20:02 ...
 
Live AIX update in progress.
 
 
Initializing live update on original LPAR.
 
Validating original LPAR environment.
 
Beginning live update operation on original LPAR.
 
Requesting resources required for live update.
................
Notifying applications of impending live update.
 
Creating rootvg for boot of surrogate.
................................................................
Starting the surrogate LPAR.
................................................................................................................................................................................
Creating mirror of original LPAR's rootvg.
............................
Moving workload to surrogate LPAR.
............
        Blackout Time started.
 
        Blackout Time end.
 
Workload is running on surrogate LPAR.
........................................................................................
Shutting down the Original LPAR.
............................................................................The live update operation succeeded.
 
 
Broadcast message from root@aixlpar1 (pts/0) at 18:41:04 ...
 
Live AIX update completed.
 
Live Update completed successfully.
 
The ifix STATE showed S (STABLE).
 
# emgr -l
 
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability
 
STATE codes:
 S = STABLE
 M = MOUNTED
 U = UNMOUNTED
 Q = REBOOT REQUIRED
 B = BROKEN
 I = INSTALLING
 R = REMOVING
 T = TESTED
 P = PATCHED
 N = NOT PATCHED
 SP = STABLE + PATCHED
 SN = STABLE + NOT PATCHED
 QP = BOOT IMAGE MODIFIED + PATCHED
 QN = BOOT IMAGE MODIFIED + NOT PATCHED
 RQ = REMOVING + REBOOT REQUIRED
 
# emgr -lv3
+-----------------------------------------------------------------------------+
EFIX ID: 1
EFIX LABEL: IJ32631s2a
+-----------------------------------------------------------------------------+
LABEL:                  IJ32631s2a
STATE:                  STABLE
UPDATED BY:
ABSTRACT:               IJ32631 - Security Vulnerability
VUID:                   00F787C74C00080512084521
PACKAGER VERSION:       7
INSTALL DATE:           08/25/21 18:15:09
EPKG VERSION:           7
REBOOT REQUIRED:        yes
BUILD BOOT IMAGE:       yes
LU CAPABLE:             yes
PACKAGE LOCKS:          no
SUPERSEDE:              no
INSTALLP PREREQUISITES: yes
E2E PREREQUISITES:      no
FIX TESTED:             no
FILES:                  1
 
Install Scripts
===============
PRE_INSTALL:            no
POST_INSTALL:           no
PRE_REMOVE:             no
POST_REMOVE:            no
 
FILE NUMBER:      1
   LOCATION:      /usr/lib/boot/unix_64
   FILE TYPE:     Standard (file or executable)
   INSTALLER:     installp
   SIZE:          88936
   CKSUM:         31114
   ACL:           DEFAULT
   PACKAGE:       bos.mp64
   MOUNT INST:    no
 
Installp Prerequisite Information:
==================================
PREREQUISITE NUM:      1
   FILESET:            bos.mp64
   MINIMAL LEVEL:      7.2.5.3
   MAXIMUM LEVEL:      7.2.5.3
   TYPE:               PREREQ
   LEVEL AT INSTALL:   7.2.5.3
 
Efix to Efix Prerequisite Information:
======================================
No efix to efix prerequisites data.
 
APAR information:
=================
 
APAR number:      IJ34076
APAR abstract:    A POTENTIAL SECURITY ISSUE EXISTS
 
APAR number:      IJ32631
APAR abstract:    FIX ISSUES FOUND WITH THE THRASHER TEST
 
Description:
============
IJ32631 - Kernel security vulnerability
CVE-2021-29801
CVE-2021-29862
 
I installed this AIX ifix successfully, without a reboot!
Webinars

Stay on top of all things tech!
View upcoming & on-demand webinars →