Installing an ifix With AIX Live Update
Chris Gibson explains how to install an AIX security ifix without a reboot
I recently received a notification that a new AIX security ifix had been released and was available for the AIX kernel.
The fix addressed the following vulnerability: “IBM AIX could allow a non-privileged local user to exploit a vulnerability in the kernel to gain root privileges – CVSS Base score: 8.4.”
I wanted to install this fix ASAP to negate this vulnerability. Here’s how I did it:
Because the fix replaces the 64-bit kernel (/usr/lib/boot/unix_64 in the bos.mp64 fileset), it requires a reboot to take effect.
I chose to use AIX Live Update to install the ifix and avoid the reboot. My system was running AIX 7.2 TL5 SP2 (7200-05-02-2114).
I confirmed the ifix was, indeed, Live Update capable. (The emgr preview also prints the package MD5; for a kernel replacement, compare it with the checksum IBM publishes in the advisory before installing.)
# oslevel -s
7200-05-02-2114
# emgr -pe IJ32631s2a.210805.epkg.Z | grep LU
LU CAPABLE: yes
ATTENTION: system reboot will be required by the actual (not preview) operation.
Please see the "Reboot Processing" sections in the output above or in the /var/adm/ras/emgr.log file.
I created a clone (backup) of the current rootvg on a spare disk. The -B flag leaves the bootlist unchanged, so hdisk1 is a rollback image rather than the next boot device.
# alt_disk_copy -Bd hdisk1
The ifix was then installed with emgr. Note in the output that it replaces a single file, /usr/lib/boot/unix_64, locks the bos.mp64 fileset against installp, rebuilds the boot image, and leaves the efix in REBOOT REQUIRED state.
# emgr -e IJ32631s2a.210805.epkg.Z
+-----------------------------------------------------------------------------+
Efix Manager Initialization
+-----------------------------------------------------------------------------+
Initializing log /var/adm/ras/emgr.log ...
Efix package file is: /cg/kernel_fix2/IJ32631s2a.210805.epkg.Z
MD5 generating command is /usr/bin/csum
MD5 checksum is 6f01ddfd29c0deb68013c5b7ccf279c0
Accessing efix metadata ...
Processing efix label "IJ32631s2a" ...
Verifying efix control file ...
+-----------------------------------------------------------------------------+
Installp Prerequisite Verification
+-----------------------------------------------------------------------------+
Verifying prerequisite file ...
Checking prerequisites ...
Prerequisite Number: 1
Fileset: bos.mp64
Minimal Level: 7.2.5.3
Maximum Level: 7.2.5.3
Actual Level: 7.2.5.3
Type: PREREQ
Requisite Met: yes
All prerequisites have been met.
+-----------------------------------------------------------------------------+
Processing APAR reference file
+-----------------------------------------------------------------------------+
ATTENTION: Interim fix is enabled for automatic removal by installp.
+-----------------------------------------------------------------------------+
Efix Attributes
+-----------------------------------------------------------------------------+
LABEL: IJ32631s2a
PACKAGING DATE: Thu Aug 5 12:25:45 CDT 2021
ABSTRACT: IJ32631 - Security Vulnerability
PACKAGER VERSION: 7
VUID: 00F787C74C00080512084521
REBOOT REQUIRED: yes
BUILD BOOT IMAGE: yes
LU CAPABLE: yes
PRE-REQUISITES: yes
SUPERSEDE: no
PACKAGE LOCKS: no
E2E PREREQS: no
FIX TESTED: no
ALTERNATE PATH: None
EFIX FILES: 1
Install Scripts:
PRE_INSTALL: no
POST_INSTALL: no
PRE_REMOVE: no
POST_REMOVE: no
File Number: 1
LOCATION: /usr/lib/boot/unix_64
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 88936
ACL: DEFAULT
CKSUM: 31114
PACKAGE: bos.mp64
MOUNT INST: no
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
IJ32631 - Kernel security vulnerability CVE-2021-29801 CVE-2021-29862
+-----------------------------------------------------------------------------+
Efix Lock Management
+-----------------------------------------------------------------------------+
Checking locks for file /usr/lib/boot/unix_64 ...
All files have passed lock checks.
+-----------------------------------------------------------------------------+
Space Requirements
+-----------------------------------------------------------------------------+
Checking space requirements ...
Space statistics (in 512 byte-blocks):
File system: /usr, Free: 281400, Required: 151452, Deficit: 0.
File system: /tmp, Free: 1848664, Required: 173131, Deficit: 0.
+-----------------------------------------------------------------------------+
Efix Installation Setup
+-----------------------------------------------------------------------------+
Unpacking efix package file ...
Initializing efix installation ...
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: INSTALLING
+-----------------------------------------------------------------------------+
File Archiving
+-----------------------------------------------------------------------------+
Saving all files that will be replaced ...
Save directory is: /usr/emgrdata/efixdata/IJ32631s2a/save
File 1: Saving /usr/lib/boot/unix_64 as EFSAVE1 ...
+-----------------------------------------------------------------------------+
Efix File Installation
+-----------------------------------------------------------------------------+
Installing all efix files:
Installing efix file #1 (File: /usr/lib/boot/unix_64) ...
Total number of efix files installed is 1.
All efix files installed successfully.
+-----------------------------------------------------------------------------+
Package Locking
+-----------------------------------------------------------------------------+
Processing package locking for all files.
File 1: locking installp fileset bos.mp64.
All package locks processed successfully.
+-----------------------------------------------------------------------------+
Reboot Processing
+-----------------------------------------------------------------------------+
*** NOTICE ***
This efix package requires the target system to be rebooted after the current operation is complete.
It is recommended that you reboot the target system as soon as possible after installation to avoid disruption of current functionality.
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: REBOOT REQUIRED
+-----------------------------------------------------------------------------+
Boot Image Processing
+-----------------------------------------------------------------------------+
Rebuilding boot image ...
bosboot: Boot image is 61468 512 byte blocks.
Successfully rebuilt boot image.
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log
EPKG NUMBER  LABEL           OPERATION          RESULT
===========  ==============  =================  ==============
1            IJ32631s2a      INSTALL            SUCCESS
ATTENTION: system reboot is required. Please see the "Reboot Processing" sections in the output above or in the /var/adm/ras/emgr.log file.
Return Status = SUCCESS
After the ifix was installed, its STATE reported as *Q* (REBOOT REQUIRED).
# emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   *Q*   IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

STATE codes:
S = STABLE
M = MOUNTED
U = UNMOUNTED
Q = REBOOT REQUIRED
B = BROKEN
I = INSTALLING
R = REMOVING
T = TESTED
P = PATCHED
N = NOT PATCHED
SP = STABLE + PATCHED
SN = STABLE + NOT PATCHED
QP = BOOT IMAGE MODIFIED + PATCHED
QN = BOOT IMAGE MODIFIED + NOT PATCHED
RQ = REMOVING + REBOOT REQUIRED
I authenticated with my PowerVC server. Live Update needs a valid PowerVC token to create the surrogate LPAR, and the token has a limited lifetime (the TTL below), so authenticate shortly before running the update. The password shown is a placeholder; passing a real password with -p exposes it in the shell history and the process table, so prefer being prompted for it.
# pvcauth -u pvcadmin -p abc123 -a pvc1
# pvcauth -l
Address  : 10.1.1.50
User name: root
Project  : ibm-default
Port     : 5000
TTL      : 5:58:59
I performed a Live Update preview operation to confirm the environment was ready to support a Live Update operation. The preview also reports the estimated blackout time, the window during which the workload is frozen while it moves to the surrogate LPAR, so check that figure against what the applications on the LPAR can tolerate before proceeding.
# geninstall -kp
*******************************************************************************
Live Update PREVIEW: Live Update operation will not actually occur.
*******************************************************************************
+-----------------------------------------------------------------------------+
Pre-Live Update Verification...
+-----------------------------------------------------------------------------+
Verifying environment...done
Verifying /var/adm/ras/liveupdate/lvupdate.data file...done
Computing the estimated time for the live update operation...done
Results...
EXECUTION INFORMATION
---------------------
LPAR: aixlpar1
PowerVC: 10.1.1.50 user: root
Blackout time(in seconds): 21
Total operation time(in seconds): 1404
<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Requirement Verification...
+-----------------------------------------------------------------------------+
INFORMATION
-----------
INFO: Any system dumps present in the current dump logical volumes will not be available after live update is complete.
<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Preview Summary...
+-----------------------------------------------------------------------------+
The live update preview succeeded.
*******************************************************************************
End of Live Update PREVIEW: No Live Update operation has actually occurred.
*******************************************************************************
I performed the Live Update operation. Once the 10-second countdown expires the operation is non-interruptible: the kernel is booted on a surrogate LPAR, the workload is moved across during the blackout window, and the original LPAR is shut down.
# geninstall -k
+-----------------------------------------------------------------------------+
Pre-Live Update Verification...
+-----------------------------------------------------------------------------+
Verifying environment...done
Verifying /var/adm/ras/liveupdate/lvupdate.data file...done
Computing the estimated time for the live update operation...done
Results...
EXECUTION INFORMATION
---------------------
LPAR: aixlpar1
PowerVC: 10.1.1.50 user: root
Blackout time(in seconds): 22
Total operation time(in seconds): 1528
<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Requirement Verification...
+-----------------------------------------------------------------------------+
INFORMATION
-----------
INFO: Any system dumps present in the current dump logical volumes will not be available after live update is complete.
<< End of Information Section >>
+-----------------------------------------------------------------------------+
Live Update Preview Summary...
+-----------------------------------------------------------------------------+
The live update preview succeeded.
Non-interruptable live update operation begins in 10 seconds.

Broadcast message from root@aixlpar1 (pts/0) at 18:20:02 ...

Live AIX update in progress.

Initializing live update on original LPAR.
Validating original LPAR environment.
Beginning live update operation on original LPAR.
Requesting resources required for live update.
................
Notifying applications of impending live update.
Creating rootvg for boot of surrogate.
................................................................
Starting the surrogate LPAR.
................................................................................................................................................................................
Creating mirror of original LPAR's rootvg.
............................
Moving workload to surrogate LPAR.
............
Blackout Time started.
Blackout Time end.
Workload is running on surrogate LPAR.
........................................................................................
Shutting down the Original LPAR.
............................................................................
The live update operation succeeded.

Broadcast message from root@aixlpar1 (pts/0) at 18:41:04 ...

Live AIX update completed.
Live Update completed successfully.
The ifix STATE showed S (STABLE).
# emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1   S     IJ32631s2a 08/25/21 18:15:09            IJ32631 - Security Vulnerability

STATE codes:
S = STABLE
M = MOUNTED
U = UNMOUNTED
Q = REBOOT REQUIRED
B = BROKEN
I = INSTALLING
R = REMOVING
T = TESTED
P = PATCHED
N = NOT PATCHED
SP = STABLE + PATCHED
SN = STABLE + NOT PATCHED
QP = BOOT IMAGE MODIFIED + PATCHED
QN = BOOT IMAGE MODIFIED + NOT PATCHED
RQ = REMOVING + REBOOT REQUIRED

# emgr -lv3
+-----------------------------------------------------------------------------+
EFIX ID: 1
EFIX LABEL: IJ32631s2a
+-----------------------------------------------------------------------------+
LABEL: IJ32631s2a
STATE: STABLE
UPDATED BY:
ABSTRACT: IJ32631 - Security Vulnerability
VUID: 00F787C74C00080512084521
PACKAGER VERSION: 7
INSTALL DATE: 08/25/21 18:15:09
EPKG VERSION: 7
REBOOT REQUIRED: yes
BUILD BOOT IMAGE: yes
LU CAPABLE: yes
PACKAGE LOCKS: no
SUPERSEDE: no
INSTALLP PREREQUISITES: yes
E2E PREREQUISITES: no
FIX TESTED: no
FILES: 1
Install Scripts
===============
PRE_INSTALL: no
POST_INSTALL: no
PRE_REMOVE: no
POST_REMOVE: no
FILE NUMBER: 1
LOCATION: /usr/lib/boot/unix_64
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 88936
CKSUM: 31114
ACL: DEFAULT
PACKAGE: bos.mp64
MOUNT INST: no
Installp Prerequisite Information:
==================================
PREREQUISITE NUM: 1
FILESET: bos.mp64
MINIMAL LEVEL: 7.2.5.3
MAXIMUM LEVEL: 7.2.5.3
TYPE: PREREQ
LEVEL AT INSTALL: 7.2.5.3
Efix to Efix Prerequisite Information:
======================================
No efix to efix prerequisites data.
APAR information:
=================
APAR number: IJ34076
APAR abstract: A POTENTIAL SECURITY ISSUE EXISTS
APAR number: IJ32631
APAR abstract: FIX ISSUES FOUND WITH THE THRASHER TEST
Description:
============
IJ32631 - Kernel security vulnerability CVE-2021-29801 CVE-2021-29862
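The steps above (check LU capability, clone rootvg, install, confirm the REBOOT REQUIRED state, preview, run, confirm STABLE) are easy to script so that the Live Update is gated on the same checks every time. The following is an added example, not code from the article or from IBM: the parsing functions read emgr/geninstall output on stdin, so they can be exercised against captured text, while the driver at the bottom assumes a real AIX host with emgr, alt_disk_copy and geninstall on PATH, a populated /var/adm/ras/liveupdate/lvupdate.data, and a PowerVC token already obtained with pvcauth. The function names, the MAX_BLACKOUT threshold and the expected-MD5 argument are this example's own; the MD5 must come from IBM's advisory for the ifix, never from the emgr output being checked.

```shell
#!/bin/sh
# Added example (not from the original article): gate an AIX Live Update ifix
# install on the checks a practitioner wants before replacing the kernel.
# Parsing functions take command output on stdin; the driver runs real commands.

# `emgr -pe <epkg>` output on stdin: is the package Live Update capable?
lu_capable() {
    grep -q 'LU CAPABLE: *yes'
}

# $1 = checksum published in the IBM advisory (assumed input); emgr output on
# stdin. Compares the MD5 emgr prints against the published value.
md5_matches() {
    got=$(awk '/MD5 checksum is/ { print $4; exit }')
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# $1 = efix label; `emgr -l` output on stdin. Prints the STATE column with the
# surrounding asterisks stripped (*Q* -> Q), empty if the label is not listed.
efix_state() {
    awk -v label="$1" '$3 == label { gsub(/\*/, "", $2); print $2; exit }'
}

# `geninstall -kp` output on stdin: the estimated blackout time in seconds.
blackout_seconds() {
    awk -F': *' '/Blackout time/ { print $2; exit }'
}

# $1 = longest workload stall (seconds) the applications tolerate; preview
# output on stdin. Succeeds only if the preview passed and the blackout fits.
preview_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'The live update preview succeeded' || return 1
    b=$(printf '%s\n' "$out" | blackout_seconds)
    [ -n "$b" ] && [ "$b" -le "$1" ]
}

# Driver for a real AIX host (assumes emgr, alt_disk_copy, geninstall on PATH
# and a valid pvcauth token). $1 = epkg file, $2 = efix label, $3 = spare disk
# for the rootvg clone, $4 = MD5 from the advisory, $5 = max blackout seconds.
install_with_live_update() {
    epkg=$1; label=$2; disk=$3; md5=$4; maxb=$5
    pe=$(emgr -pe "$epkg") || return 1
    printf '%s\n' "$pe" | md5_matches "$md5" || { echo "MD5 mismatch for $epkg" >&2; return 1; }
    printf '%s\n' "$pe" | lu_capable || { echo "$label is not LU capable" >&2; return 1; }
    alt_disk_copy -Bd "$disk" || return 1      # rollback image; -B leaves bootlist alone
    emgr -e "$epkg" || return 1
    [ "$(emgr -l | efix_state "$label")" = Q ] || { echo "$label not in REBOOT REQUIRED state" >&2; return 1; }
    geninstall -kp | preview_ok "$maxb" || { echo "Live Update preview rejected" >&2; return 1; }
    geninstall -k || return 1
    [ "$(emgr -l | efix_state "$label")" = S ]  # STABLE once the surrogate runs the new kernel
}

# Usage on the host from the article (MD5 placeholder must be replaced):
# install_with_live_update IJ32631s2a.210805.epkg.Z IJ32631s2a hdisk1 <md5-from-advisory> 30
```

The parsers deliberately match on the fixed strings emgr and geninstall print rather than on column positions, since the UPDATED BY column in `emgr -l` is empty for this ifix and would shift a position-based parse. The blackout threshold is the one number in the preview that the application owners, not the AIX administrator, need to sign off on.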
I installed this AIX ifix successfully, without a reboot!