
AIX Security Fixes Application

This run-book covers only three of the most common security vulnerabilities (APARs/Vulnerabilities)
in the AIX environment. Although each of them can be solved easily by following the regular
APAR resolution process, the intention of this run-book is to reduce the time needed for the initial
investigation (how to solve the security vulnerability), the time spent downloading the needed
fix or new version, the issues that can result from following a wrong process, and the human error
factor.
To make this possible, the AIX team has created and maintains two repositories:
Java Repository:
/install/AIX/JavaSecUpdates/all_in_one
Openssl and Openssh latest versions repository:
/install/AIX/APAR/OpenSSH_OpenSSL/latest
Both are located on the server dst.lexington.ibm.com (9.51.97.122), which can easily be mounted over
NFS on any server located in the IBM Blue Zone that needs them.
Important notes:
1. The AIX Mexico team is responsible for keeping both repositories updated with the latest
released versions. This ensures that a system administrator who executes the procedure
described in this run-book always installs the latest versions needed.
2. Both procedures described will update all the needed Java versions on a server in a single
step.
3. Although this run-book describes the process for servers located in the IBM Blue Zone, the same
process can be followed on Yellow Zone servers, with the difference that you need to copy
the repository locally, because YZ servers are not allowed to mount NFS resources located on
Blue Zone servers.
4. OpenSSL and OpenSSH are services that work together, so it is very important that you update both
services every time. Even when you are only trying to resolve OpenSSH security vulnerabilities,
OpenSSL needs to be updated too, and vice versa. This ensures that both services remain
compatible and keep operating successfully.
IBM: Multiple vulnerabilities in IBM Java SDK affect AIX
Note: The Java SDK mentioned in this security vulnerability is the internal AIX Java. It can be version
5, 6, 7 or 8, in both 32 and 64 bits, and it is totally independent of any other Java used by
middleware such as WebSphere, DB2 and others. Because of this, the IBM Java SDK can be safely updated
without any impact on the services running on the server. In other words, this update does not need
a maintenance window.
In order to solve any security vulnerability related to the IBM Java SDK affecting AIX on a server, you
need to mount (or copy) the repository.
Mounting the repository:
server1:/root# mount dst.lexington.ibm.com:/install /install

Identifying the installed and running Java versions on the server:


server1:/root# lslpp -L | grep -i java
Java5.sdk 5.0.0.620 C F Java SDK 32-bit
Java5_64.sdk 5.0.0.620 C F Java SDK 64-bit
Java6.sdk 6.0.0.655 C F Java SDK 32-bit
Java71_64.jre 7.1.0.401 C F Java SDK 64-bit Java Runtime

Updating every Java that requires an update to solve the security vulnerabilities:
server1:/root# update_all -Yd /install/AIX/JavaSecUpdates/all_in_one

Finished processing all filesets. (Total time: 25 secs).

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
Java71_64.jre 7.1.0.415 USR APPLY SUCCESS
Java71_64.jre 7.1.0.415 ROOT APPLY SUCCESS

install_all_updates: Checking for recommended maintenance level 7100-03.


install_all_updates: Executing /usr/bin/oslevel -rf, Result = 7100-03
install_all_updates: Verification completed.
install_all_updates: Log file is /var/adm/ras/install_all_updates.log
install_all_updates: Result = SUCCESS
Verifying the IBM Java SDK update:
server1:/root# lslpp -L | grep -i java
Java5.sdk 5.0.0.620 C F Java SDK 32-bit
Java5_64.sdk 5.0.0.620 C F Java SDK 64-bit
Java6.sdk 6.0.0.655 C F Java SDK 32-bit
Java71_64.jre 7.1.0.415 C F Java SDK 64-bit Java Runtime
server1:/root#

Unmounting /install
server1:/root# umount /install

As we can see, even though the server has three different versions of IBM Java installed, only one of
them needed an update. The update_all command is able to identify that, and it runs the fileset update
only on the Java that needs it.

Let's see a second example. This time, the server needs three IBM Java SDK updates in order to solve
this security vulnerability.
In order to solve any security vulnerability related to the IBM Java SDK affecting AIX on a server, you
need to mount (or copy) the repository.
Mounting the repository:
server2:/root# mount dst.lexington.ibm.com:/install /install
server2:/root#

Identifying the installed and running Java versions on the server:


server2:/root# lslpp -L | grep -i java
Java6.sdk 6.0.0.650 A F Java SDK 32-bit
Java7_64.jre 7.0.0.610 A F Java SDK 64-bit Java Runtime
Java7_64.sdk 7.0.0.610 A F Java SDK 64-bit Development
3.2.1.0 C F RSCT GUI JAVA Msgs - U.S.
3.2.1.0 C F RSCT RMC JAVA Msgs - U.S.
server2:/root#

Updating every Java that requires an update to solve the security vulnerabilities:
server2:/root# update_all -Yd /install/AIX/JavaSecUpdates/all_in_one

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
Java7_64.sdk 7.0.0.615 USR APPLY SUCCESS
Java7_64.jre 7.0.0.615 USR APPLY SUCCESS
Java7_64.jre 7.0.0.615 ROOT APPLY SUCCESS
Java6.sdk 6.0.0.655 USR APPLY SUCCESS
Java6.sdk 6.0.0.655 ROOT APPLY SUCCESS

install_all_updates: Checking for recommended maintenance level 7200-02.


install_all_updates: Executing /usr/bin/oslevel -rf, Result = 7200-02
install_all_updates: Verification completed.
install_all_updates: Log file is /var/adm/ras/install_all_updates.log
install_all_updates: Result = SUCCESS

Verifying the IBM Java SDK update:


server2:/root# lslpp -L | grep -i java
Java6.sdk 6.0.0.655 C F Java SDK 32-bit
Java7_64.jre 7.0.0.615 C F Java SDK 64-bit Java Runtime
Java7_64.sdk 7.0.0.615 C F Java SDK 64-bit Development
3.2.1.0 C F RSCT GUI JAVA Msgs - U.S.
3.2.1.0 C F RSCT RMC JAVA Msgs - U.S.

Unmounting /install
server2:/root# umount /install

From the two examples above, we conclude that the update_all command identifies and selects the IBM
Java SDKs that need an update in order to close the related security vulnerabilities. Whenever you
execute that command and the repository is up to date, you close all the IBM Java SDK
security vulnerabilities in a single step.

For Yellow Zone servers the procedure is the same. The only difference is that we cannot
mount dst.lexington.ibm.com NFS resources due to network restrictions. Instead, copy the whole
repository onto the server and continue with the procedure described above.
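
The before/after comparison done by eye in the two examples above can be scripted. The following is
an added example, not part of the original run-book: it compares two saved listings of
"lslpp -L | grep -i java" and reports which filesets changed level. The names level_changes,
sample_before and sample_after are hypothetical, and the sample data is constructed from the listings shown above.

```shell
#!/bin/sh
# Added example (not from the run-book). Compares two saved listings of
#   lslpp -L | grep -i java
# and reports, per fileset, whether its level changed.

# Constructed sample: the server1 listing from the text, plus one row whose
# fileset name is missing (as in the RSCT rows of the server2 listing).
sample_before() { cat <<'EOF'
Java5.sdk 5.0.0.620 C F Java SDK 32-bit
Java5_64.sdk 5.0.0.620 C F Java SDK 64-bit
Java6.sdk 6.0.0.655 C F Java SDK 32-bit
Java71_64.jre 7.1.0.401 C F Java SDK 64-bit Java Runtime
3.2.1.0 C F RSCT GUI JAVA Msgs - U.S.
EOF
}
sample_after() { sample_before | sed 's/7\.1\.0\.401/7.1.0.415/'; }

# level_changes BEFORE_FILE AFTER_FILE
level_changes() {
    awk '
        # Rows starting with a digit have lost their fileset name; skip
        # them rather than treating the level as a name.
        $1 ~ /^[0-9]/ || NF < 2 { next }
        FILENAME == ARGV[1] { before[$1] = $2; next }
        !($1 in before)     { printf "%s new %s\n", $1, $2; next }
        before[$1] != $2    { printf "%s %s -> %s\n", $1, before[$1], $2; next }
                            { printf "%s %s unchanged\n", $1, $2 }
    ' "$1" "$2"
}

# Demo on the constructed sample.
tmp="${TMPDIR:-/tmp}/java_levels.$$"
sample_before > "$tmp.before"
sample_after  > "$tmp.after"
level_changes "$tmp.before" "$tmp.after"
rm -f "$tmp.before" "$tmp.after"
```

On a real server, save the first listing before running update_all and the second one after it, then pass both files to level_changes.
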
IBM: Vulnerability in OpenSSL affects AIX / IBM: Vulnerability in OpenSSH affects AIX
As mentioned at the beginning of this run-book, OpenSSL and OpenSSH are services that depend
on each other. This means that when you need to update one of them, you need to verify
the compatibility and update the other service accordingly.
The AIX Mexico team does that validation for you, and creates and maintains a single repository that
contains the compatible pair of versions of both services, to reduce the effort and time you
need to spend solving this kind of security vulnerability.
Important note: It is very common for these two services to have eFixes installed on the system, which
need to be removed first, before the OpenSSL and OpenSSH update.
To list the eFixes installed on the system you can execute the command: # emgr -P
To remove an installed eFix from the system you can execute the command: # emgr -r -L <label>

Verifying the installed openssl and openssh versions:


server1:/root# lslpp -L | grep -i openss
openssh.base.client 6.0.0.6202 CE F Open Secure Shell Commands
openssh.base.server 6.0.0.6202 CE F Open Secure Shell Server
openssh.license 6.0.0.6202 C F Open Secure Shell License
openssh.man.en_US 6.0.0.6202 C F Open Secure Shell
openssl.base 1.0.1.516 C F Open Secure Socket Layer
openssl.license 1.0.1.516 C F Open Secure Socket License
openssl.man.en_US 1.0.1.516 C F Open Secure Socket Layer
openssl 1.0.1e-2 C R Secure Sockets Layer and
openssl-devel 1.0.1e-2 C R Secure Sockets Layer and
openssl-doc 1.0.1e-2 C R OpenSSL miscellaneous files

Updating openssl and openssh using the repository:


server1:/root# update_all -Yd /install/AIX/APAR/OpenSSH_OpenSSL/latest
install_all_updates: Initializing system parameters.
install_all_updates: Log file is /var/adm/ras/install_all_updates.log
install_all_updates: Checking for updated install utilities on media.
install_all_updates: Processing media.
install_all_updates: Generating list of updatable installp filesets.

+-----------------------------------------------------------------------------+
Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
openssl.man.en_US 1.0.2.1000 USR APPLY SUCCESS
openssl.license 1.0.2.1000 USR APPLY SUCCESS
openssl.base 1.0.2.1000 USR APPLY SUCCESS
openssl.base 1.0.2.1000 ROOT APPLY SUCCESS
openssh.license 7.1.102.1100 USR APPLY SUCCESS
openssh.base.client 7.1.102.1100 USR APPLY SUCCESS
openssh.base.server 7.1.102.1100 USR APPLY SUCCESS
openssh.base.client 7.1.102.1100 ROOT APPLY SUCCESS
openssh.base.server 7.1.102.1100 ROOT APPLY SUCCESS
openssh.man.en_US 7.1.102.1100 USR APPLY SUCCESS

install_all_updates: Checking for recommended maintenance level 7100-03.


install_all_updates: Executing /usr/bin/oslevel -rf, Result = 7100-03
install_all_updates: Verification completed.
install_all_updates: Log file is /var/adm/ras/install_all_updates.log
install_all_updates: Result = SUCCESS

Verifying the updated filesets:

server1:/root# lslpp -L | grep -i openss


openssh.base.client 7.1.102.1100 C F Open Secure Shell Commands
openssh.base.server 7.1.102.1100 C F Open Secure Shell Server
openssh.license 7.1.102.1100 C F Open Secure Shell License
openssh.man.en_US 7.1.102.1100 C F Open Secure Shell
openssl.base 1.0.2.1000 C F Open Secure Socket Layer
openssl.license 1.0.2.1000 C F Open Secure Socket License
openssl.man.en_US 1.0.2.1000 C F Open Secure Socket Layer
openssl 1.0.1e-2 C R Secure Sockets Layer and
openssl-devel 1.0.1e-2 C R Secure Sockets Layer and
openssl-doc 1.0.1e-2 C R OpenSSL miscellaneous files
server1:/root#

Unmounting /install

server1:/root# umount /install

Verify that sshd is available after this update, with the command: lssrc -s sshd

server1:/root# lssrc -s sshd


Subsystem Group PID Status
sshd ssh 9502798 active
server1:/root#
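
Since OpenSSL and OpenSSH must always be updated together, the Installation Summary can be checked
automatically for both families. The following is an added example, not part of the original run-book:
it reads saved update_all output and confirms that openssl and openssh filesets were both applied with
SUCCESS. The names check_pair and sample_* are hypothetical, the rows are assumed to follow the
five-column layout shown above, and the failing samples are constructed.

```shell
#!/bin/sh
# Added example (not from the run-book). Reads saved update_all output on
# stdin and checks the "Installation Summary" rows shown in the text.
# Exit status: 0 = openssl and openssh both applied, every row SUCCESS
#              1 = at least one summary row is not SUCCESS
#              2 = only one of the two families was updated
check_pair() {
    awk '
        # Summary rows: Name Level Part Event Result (layout from the text).
        NF == 5 && $3 ~ /^(USR|ROOT|SHARE)$/ {
            if ($5 != "SUCCESS") { bad++; print "not applied: " $1, $2, $3, $5 }
            else if ($1 ~ /^openssl\./) ssl[$2] = 1
            else if ($1 ~ /^openssh\./) ssh[$2] = 1
        }
        END {
            for (v in ssl) { nssl++; print "openssl level " v }
            for (v in ssh) { nssh++; print "openssh level " v }
            if (bad) exit 1
            if (!nssl || !nssh) { print "pair incomplete"; exit 2 }
        }
    '
}

# Sample rows taken from the summary in the text (shortened).
sample_ok() { cat <<'EOF'
Name Level Part Event Result
-------------------------------------------------------------------------------
openssl.base 1.0.2.1000 USR APPLY SUCCESS
openssl.base 1.0.2.1000 ROOT APPLY SUCCESS
openssh.base.client 7.1.102.1100 USR APPLY SUCCESS
openssh.base.server 7.1.102.1100 ROOT APPLY SUCCESS
install_all_updates: Result = SUCCESS
EOF
}
# Constructed failure cases: only openssh updated, and one failed row.
sample_ssh_only() { sample_ok | grep -v '^openssl'; }
sample_failed()   { sample_ok | sed '3s/SUCCESS/FAILED/'; }

# Demo on the samples.
sample_ok | check_pair && echo "pair updated"
sample_ssh_only | check_pair || echo "exit status $?"
```
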
