This run-book covers only three of the most common security vulnerabilities (APARs/vulnerabilities)
in the AIX environment. Even though each of them can be easily solved by following the regular
APAR resolution process, the intention of this run-book is to reduce the time spent on the initial
investigation (how to solve the security vulnerability), the download time (of the needed
fix or new version) and the problems that a wrong procedure can cause, and to reduce the
human-error factor.
To make this possible, the AIX team has created and maintains two repositories:
Java repository:
/install/AIX/JavaSecUpdates/all_in_one
OpenSSL and OpenSSH latest versions repository:
/install/AIX/APAR/OpenSSH_OpenSSL/latest
Both are located on the server:
dst.lexington.ibm.com (9.51.97.122), which can be easily mounted by NFS on any server that needs it in
the IBM Blue Zone.
Important notes:
1. The AIX Mexico team is responsible for keeping both repositories updated with the latest
released versions. This ensures that when a system administrator executes the procedure
described in this run-book, the latest needed versions are always the ones installed.
2. Both procedures described will update all the needed Java versions on a server in a single
step.
3. Even though this procedure describes the process for servers located in the IBM Blue Zone, the same
process can be followed on Yellow Zone servers, with the difference that you need to copy
the repository locally, because YZ servers are not allowed to mount NFS resources located on
Blue Zone servers.
4. OpenSSL and OpenSSH are services that work together, so it is very important that you update both
services every time: even when you are trying to resolve OpenSSH security vulnerabilities,
OpenSSL needs to be updated too, and vice versa. This ensures that both services remain
compatible and keep operating successfully.
IBM: Multiple vulnerabilities in IBM Java SDK affect AIX
Note: The Java SDK mentioned in this security vulnerability is the internal AIX Java, which can be version
5, 6, 7 or 8, in both 32 and 64 bits. This Java SDK is totally independent of any other Java used by
middleware such as WebSphere, DB2 and others; for this reason, the IBM Java SDK can be safely updated
without any impact on the services running on the server. In other words, this update does not need a
maintenance window.
To solve any security vulnerability related to the IBM Java SDK affecting AIX on a server, you
need to mount (or copy) the repository.
Mounting the repository:
server1:/root# mount dst.lexington.ibm.com:/install /install
Updating all the Java versions that require an update to solve the security vulnerabilities:
server1:/root# update_all -Yd /install/AIX/JavaSecUpdates/all_in_one
…
Finished processing all filesets. (Total time: 25 secs).
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
Java71_64.jre 7.1.0.415 USR APPLY SUCCESS
Java71_64.jre 7.1.0.415 ROOT APPLY SUCCESS
Unmounting /install
server1:/root# umount /install
As we can see, even though the server has three different versions of IBM Java installed, only one of
them needed an update; the update_all command is able to identify that and executes the fileset update
only on the Java that needs it.
Let's see a second example; this time the server needs three IBM Java SDK updates in order to solve
this security vulnerability. As in the first example, you need to mount (or copy) the repository.
Mounting the repository:
server2:/root# mount dst.lexington.ibm.com:/install /install
server2:/root#
Updating all the Java versions that require an update to solve the security vulnerabilities:
server2:/root# update_all -Yd /install/AIX/JavaSecUpdates/all_in_one
…
+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
Java7_64.sdk 7.0.0.615 USR APPLY SUCCESS
Java7_64.jre 7.0.0.615 USR APPLY SUCCESS
Java7_64.jre 7.0.0.615 ROOT APPLY SUCCESS
Java6.sdk 6.0.0.655 USR APPLY SUCCESS
Java6.sdk 6.0.0.655 ROOT APPLY SUCCESS
Unmounting /install
server2:/root# umount /install
From the two examples above, we conclude that the update_all command identifies and selects the IBM
Java SDKs that need an update in order to close the related security vulnerabilities; whenever you
execute that command with an updated repository, you close all the IBM Java SDK
security vulnerabilities in a single step.
For Yellow Zone servers the procedure is the same; the only difference is that you cannot
mount NFS resources from dst.lexington.ibm.com due to network restrictions. Instead, copy the whole
repository onto the server and continue with the procedure described above.
IBM: Vulnerability in OpenSSL affects AIX / IBM: Vulnerability in OpenSSH affects AIX
As already mentioned at the beginning of this run-book, OpenSSL and OpenSSH are services that depend
on each other, which means that when you need to update one of them you need to verify
compatibility and update the other service accordingly.
The AIX Mexico team makes that validation for you, and creates and maintains a single repository that
contains the compatible pair of services by version, to facilitate and reduce the effort and time you
need to spend solving this kind of security vulnerability.
Important note: it is really common that these two services have eFixes installed on the system, which
need to be removed first, before the OpenSSL and OpenSSH update.
To list the eFixes installed on the system, execute the command: # emgr -P
To remove an installed eFix from the system, execute the command: # emgr -r -L <label>
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
openssl.man.en_US 1.0.2.1000 USR APPLY SUCCESS
openssl.license 1.0.2.1000 USR APPLY SUCCESS
openssl.base 1.0.2.1000 USR APPLY SUCCESS
openssl.base 1.0.2.1000 ROOT APPLY SUCCESS
openssh.license 7.1.102.1100 USR APPLY SUCCESS
openssh.base.client 7.1.102.1100 USR APPLY SUCCESS
openssh.base.server 7.1.102.1100 USR APPLY SUCCESS
openssh.base.client 7.1.102.1100 ROOT APPLY SUCCESS
openssh.base.server 7.1.102.1100 ROOT APPLY SUCCESS
openssh.man.en_US 7.1.102.1100 USR APPLY SUCCESS
Unmounting /install
Verify that the sshd subsystem is available after this update with the command: lssrc -s sshd
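As an added example (not part of the run-book or of any IBM tooling), the following POSIX sh script checks the "Installation Summary" block that the update_all runs above print, for both the Java and the OpenSSL/OpenSSH procedures: it fails if any fileset row is not SUCCESS, and for the OpenSSL/OpenSSH case it also fails if only one of the pair was applied (note 4 above). The summary text is constructed here from the run-book's own rows; on a real server you would paste in the captured output of your update_all run.

```shell
#!/bin/sh
# Added example, not part of the run-book: a post-update check over the
# "Installation Summary" that update_all/installp prints. The sample below is
# constructed from the run-book's own output rows, not captured from a server.
SAMPLE_SUMMARY='Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
openssl.base 1.0.2.1000 USR APPLY SUCCESS
openssl.base 1.0.2.1000 ROOT APPLY SUCCESS
openssh.base.server 7.1.102.1100 USR APPLY SUCCESS
openssh.base.server 7.1.102.1100 ROOT APPLY SUCCESS'

# Print only the fileset rows (five fields: Name Level Part Event Result),
# skipping the titles, the header line and the dashed rules.
summary_rows() {
    printf '%s\n' "$1" | awk 'NF == 5 && $1 != "Name" { print }'
}

# Succeed only when every row reports SUCCESS; otherwise print the failing
# rows (name, part, result) and fail, so a partial APPLY is not overlooked.
all_success() {
    failed=$(summary_rows "$1" | awk '$5 != "SUCCESS" { print $1, $3, $5 }')
    [ -z "$failed" ] || { printf 'FAILED: %s\n' "$failed"; return 1; }
}

# Succeed only when both an openssl.* and an openssh.* fileset were applied:
# the run-book's rule is that the pair must always be updated together.
pair_updated() {
    rows=$(summary_rows "$1")
    printf '%s\n' "$rows" | grep -q '^openssl\.' || return 1
    printf '%s\n' "$rows" | grep -q '^openssh\.' || return 1
}

if all_success "$SAMPLE_SUMMARY" && pair_updated "$SAMPLE_SUMMARY"; then
    echo "OpenSSL/OpenSSH pair applied; now run: lssrc -s sshd"
else
    echo "update incomplete: do not consider the vulnerability closed"
fi
```

For the Java procedure only all_success applies, since a server may legitimately need just one of its installed Java versions updated.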