Using emgr_check_ifixes on AIX 7.3

IBM's Chris Gibson explains how to use emgr_check_ifixes to automatically check for and download AIX security interim fixes

If your AIX system has internet connectivity, you can use the emgr_check_ifixes tool to check for the availability of AIX security interim fixes (ifixes) for your current AIX operating system level. The tool can also download the fixes to your AIX host. It provides AIX administrators a convenient way to ensure their AIX systems have known security fixes installed.

How to Use emgr_check_ifixes

The tool is included with AIX 7.2 and AIX 7.3. It is delivered with the bos.rte.install AIX fileset.

# which_fileset /usr/sbin/emgr_check_ifixes
/usr/sbin/emgr_check_ifixes             bos.rte.install 7.3.0.0

There's also the companion tool, emgr_download_ifix, which can be used to download specific security ifixes.

# which_fileset /usr/sbin/emgr_download_ifix
/usr/sbin/emgr_download_ifix            bos.rte.install 7.3.0.0

Here are some examples of using the tool on an AIX system with internet access. All testing was performed on an AIX LPAR running AIX 7.3 TL2 SP1.

# oslevel -s
7300-02-01-2346

In this example we will check for any available security ifixes for our AIX system. The tool reports that there are none available to download and install for our current AIX level.

# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=mercury
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
There is no efix data on this system.
 
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
No AIX security fixes are required at this time ...
#

Next, we check again for any security ifixes that might be available for our AIX system. In this example, several ifixes were found that are NOT installed on my AIX host. The tool lists each security fix that is available for the host, but it does not download them.

# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX
 
 
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
 
Vulnerability fixes are not downloaded
#
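
For unattended use (for example from cron), the "Recommended ifixes" list can be reduced to label and URL pairs and the URLs checked before anything is fetched. The script below is an added example, not part of the original article or of IBM's tooling; the function names are hypothetical, and it assumes the output format and the download URL prefix seen in the sample run above.

```shell
#!/bin/sh
# Added example (not IBM's code): parse emgr_check_ifixes output in the
# format shown on this page and list the fixes that are still missing.

# Assumption: legitimate ifix URLs start with this prefix, as they do in
# the sample output on this page.
ALLOWED_PREFIX="https://aix.software.ibm.com/aix/efixes/security/"

# Read emgr_check_ifixes output on stdin; print "LABEL<TAB>URL" per fix.
pending_ifixes() {
    awk '
        /^Recommended ifixes/ { in_list = 1; next }           # list header
        /^(Downloading|Vulnerability fixes)/ { in_list = 0 }  # list is over
        in_list && NF >= 2 && $NF ~ /^https?:\/\// { printf "%s\t%s\n", $1, $NF }
    '
}

# Read the same output; print any fix URL that is outside ALLOWED_PREFIX.
untrusted_urls() {
    pending_ifixes |
        awk -F '\t' -v p="$ALLOWED_PREFIX" 'index($2, p) != 1 { print $2 }'
}

# Sample input: the "fixes available" run from this page, embedded here
# so the script can be tried without an AIX host.
sample_output() {
    cat <<'EOF'
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar

Vulnerability fixes are not downloaded
EOF
}

# Demo on the sample; on a real host use: emgr_check_ifixes | pending_ifixes
fixes=$(sample_output | pending_ifixes)
if [ -n "$fixes" ]; then
    echo "Missing security ifixes:"
    printf '%s\n' "$fixes"
fi
```

An empty result from pending_ifixes corresponds to the "No AIX security fixes are required at this time" case; any line printed by untrusted_urls is a reason to stop before downloading.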

Finally, we check for security ifixes again and, as before, several are found that are NOT installed on my AIX host. By specifying the -D flag, we have chosen to automatically download the required fixes to the host (in /tmp/ifix_${PID}, the default location).

# emgr_check_ifixes -D
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX


Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar

Downloading 1 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
+-----------------------------------------------------------------------------+

Performing certificate verification ...
OpenSSL success!
Interim fix openssh_fix15.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+

Downloading 2 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
+-----------------------------------------------------------------------------+

Performing certificate verification ...
OpenSSL success!
Interim fix openssl_fix40.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+

Downloading 3 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
+-----------------------------------------------------------------------------+

Performing certificate verification ...
OpenSSL success!
Interim fix curl_fix3.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
#

The ifixes are downloaded to the /tmp/ifix_15466784 directory on the AIX host.

# ls -ltr /tmp/ifix_15466784
total 303424
-rw-r--r--    1 root     system         1865 Feb 27 21:52 ssl_connection_flrt.log
-rw-r--r--    1 root     system         9641 Feb 27 21:53 adv_file
-rw-r--r--    1 root     system          256 Feb 27 21:53 adv_file.sig
-rw-r--r--    1 root     system     27258880 Feb 27 21:53 openssh_fix15.tar
-rw-r--r--    1 root     system    125890560 Feb 27 21:53 openssl_fix40.tar
-rw-r--r--    1 root     system      2181120 Feb 27 21:54 curl_fix3.tar

Additionally, if desired, the emgr_download_ifix tool can be used to download a specific fix. For example, to download the ntp_fix14.tar fix to my current directory:

# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar
+-----------------------------------------------------------------------------+

Performing certificate verification ...
OpenSSL success!
Interim fix ntp_fix14.tar has been downloaded to . directory.
+-----------------------------------------------------------------------------+
#
# ls -ltr ntp_fix14.tar
-rw-r--r--    1 root     system      8355840 Feb 27 21:57 ntp_fix14.tar

Please note that all our testing was done with an additional ifix installed for the emgr_* tools. The necessary ifix is IJ49378m1d, as shown below. You can obtain this ifix from the IBM AIX support team by opening a new support case and requesting the fix for your specific AIX version and level.

# emgr -l
 
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX
 
STATE codes:
 S = STABLE
 M = MOUNTED
 U = UNMOUNTED
 Q = REBOOT REQUIRED
 B = BROKEN
 I = INSTALLING
 R = REMOVING
 T = TESTED
 P = PATCHED
 N = NOT PATCHED
 SP = STABLE + PATCHED
 SN = STABLE + NOT PATCHED
 QP = BOOT IMAGE MODIFIED + PATCHED
 QN = BOOT IMAGE MODIFIED + NOT PATCHED
 RQ = REMOVING + REBOOT REQUIRED
 
# emgr -lv3 | tail -18
 
APAR information:
=================
 
APAR number:      IJ49378
APAR abstract:    crl download fails after change in certificate server
 
APAR number:      IJ49379
APAR abstract:    emgr_download_ifix fails with ssl connection failed
 
APAR number:      IJ49220
APAR abstract:    default download path of emgr_check_ifixes is /tmp/ifix
 
Description:
============
IJ49378 - crl download fails after change in certificate server
IJ49379 - emgr_download_ifix fails with ssl connection failed
IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix

Please refer to the command reference links (below) for more information on these tools.

emgr_check_ifixes Command

emgr_download_ifix Command