Are you tired of endless discussions with your security guys? You know the problem: there are two patches for AIX, both fix the same component, you installed the latest and greatest, but your security guys don't want to understand it, because their vulnerability scanner says you must install both patches, even if that is technically impossible.
I was in Zurich, talking about automated AIX patch management. I used the same example again, and again I saw people nodding. The problem is very well known.
What can I do? Nothing?
NO WAY!
I have worked with AIX long enough to know which commands you can find in your installation. Some of them are real treasures!
The problem with OpenSSL and two fixes
If you were at one of my automated AIX patch management sessions, you've got the code of my check_ifixes playbook. If you were not, no worries, it will come in one of the next newsletters. With the playbook you can easily check which fixes you should install without calling your security guys.
I check my system, and what do I see? Yes, you guessed right! I need to install two fixes for my latest OpenSSL version:
"openssl.base|3.0.13.1000|sec||NOT FIXED - AIX is vulnerable to arbitrary code execution (CVE-2024-4741) and denial of service (CVE-2024-5535 CVE-2024-4603) due to OpenSSL|3.0.0.0-3.0.13.1000|1112400a / 1122400a / 3013sa / 3013ma / CVE-2024-4603 / CVE-2024-4741 / CVE-2024-5535|https://aix.software.ibm.com/aix/efixes/security/openssl_advisory42.asc|https://aix.software.ibm.com/aix/efixes/security/openssl_fix42.tar|CVE-2024-4603:3.7 CVE-2024-4741:8.1 CVE-2024-5535:3.7|NO|07/30/2024|See Bulletin",
"openssl.base|3.0.13.1000|sec||NOT FIXED - AIX is vulnerable to a denial of service (CVE-2024-6119) due to OpenSSL|3.0.5.101-3.0.13.1000|3013ma / CVE-2024-6119|https://aix.software.ibm.com/aix/efixes/security/openssl_advisory43.asc|https://aix.software.ibm.com/aix/efixes/security/openssl_fix43.tar|CVE-2024-6119:5.3|NO|09/30/2024|See Bulletin",
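The two findings above are pipe-delimited records, and once you have a few dozen of them per server it pays to read them by machine. The following is an added example, not part of the newsletter and not the check_ifixes playbook itself: a few POSIX sh/awk functions that pull the ifix labels, the download URLs and the highest CVSS score out of such records. The field layout is an assumption inferred from the two lines quoted above, the sample records are those two lines copied without the JSON quoting, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the newsletter and not the check_ifixes playbook.
# It parses the playbook's findings (the two records quoted above) so you can
# see at a glance which ifix labels, download URLs and CVSS scores are in play.
# ASSUMPTION: the record layout is inferred from those two lines:
#   1 fileset | 2 installed level | 3 type | 4 (empty) | 5 message |
#   6 affected range | 7 ifix labels and CVEs, "/"-separated | 8 advisory |
#   9 fix tar URL | 10 "CVE:score" pairs | 11 ? | 12 date | 13 remark
# The function names are mine.

# Constructed sample: the two records from the page, without the JSON quoting.
FINDINGS='openssl.base|3.0.13.1000|sec||NOT FIXED - AIX is vulnerable to arbitrary code execution (CVE-2024-4741) and denial of service (CVE-2024-5535 CVE-2024-4603) due to OpenSSL|3.0.0.0-3.0.13.1000|1112400a / 1122400a / 3013sa / 3013ma / CVE-2024-4603 / CVE-2024-4741 / CVE-2024-5535|https://aix.software.ibm.com/aix/efixes/security/openssl_advisory42.asc|https://aix.software.ibm.com/aix/efixes/security/openssl_fix42.tar|CVE-2024-4603:3.7 CVE-2024-4741:8.1 CVE-2024-5535:3.7|NO|07/30/2024|See Bulletin
openssl.base|3.0.13.1000|sec||NOT FIXED - AIX is vulnerable to a denial of service (CVE-2024-6119) due to OpenSSL|3.0.5.101-3.0.13.1000|3013ma / CVE-2024-6119|https://aix.software.ibm.com/aix/efixes/security/openssl_advisory43.asc|https://aix.software.ibm.com/aix/efixes/security/openssl_fix43.tar|CVE-2024-6119:5.3|NO|09/30/2024|See Bulletin'

# finding_fix_urls RECORDS: one fix tarball URL (field 9) per finding, no
# duplicates, in the order the findings appear, i.e. oldest advisory first.
finding_fix_urls() {
    printf '%s\n' "$1" | awk -F'|' 'NF >= 9 && $9 != "" && !seen[$9]++ { print $9 }'
}

# finding_labels RECORDS: every ifix label named in field 7, i.e. the tokens
# that are not CVE ids. A label that appears in several findings (3013ma
# here) is exactly the "one fix covers both advisories" case.
finding_labels() {
    printf '%s\n' "$1" | awk -F'|' 'NF >= 7 {
        n = split($7, tok, " */ *")
        for (i = 1; i <= n; i++)
            if (tok[i] != "" && tok[i] !~ /^CVE-/ && !seen[tok[i]]++) print tok[i]
    }'
}

# finding_cves RECORDS: every CVE id from field 7, deduplicated.
finding_cves() {
    printf '%s\n' "$1" | awk -F'|' 'NF >= 7 {
        n = split($7, tok, " */ *")
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^CVE-/ && !seen[tok[i]]++) print tok[i]
    }'
}

# finding_max_cvss RECORDS: the highest score among the "CVE:score" pairs of
# field 10. This is the number the report in the story is built on.
finding_max_cvss() {
    printf '%s\n' "$1" | awk -F'|' 'NF >= 10 {
        n = split($10, pair, " ")
        for (i = 1; i <= n; i++) {
            split(pair[i], kv, ":")
            if (kv[2] + 0 > max) max = kv[2] + 0
        }
    } END { printf "%.1f\n", max }'
}

# Usage on a real system (root, network access to IBM):
#   finding_fix_urls "$FINDINGS" | xargs -n 1 wget
```

Run against the two records, finding_labels lists four labels (1112400a, 1122400a, 3013sa, 3013ma), finding_fix_urls lists the two tarballs, and finding_max_cvss reports 8.1, the score of CVE-2024-4741 that the report later complains about. Which of the four labels applies to a given server depends on the installed openssl.base level, so the label list is a shortlist, not an install list.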
What is the problem, apart from the time it takes to download the fixes?
# wget https://aix.software.ibm.com/aix/efixes/security/openssl_fix42.tar
...
# wget https://aix.software.ibm.com/aix/efixes/security/openssl_fix43.tar
...
# emgr_sec_patch openssl_fix42.tar
...
Return Status = SUCCESS
Done
# emgr_sec_patch openssl_fix43.tar
...
calling emgr -p -e /tmp/emgr_14287316/openssl_fix43/3013ma.240923.epkg.Z
Skipping ifix
See /var/adm/ras/emgr.log for more details
If you have never heard of commands like emgr_sec_patch, no worries! You are not alone! These are new commands; you can search IBM release notes for years and find no mention of them. But the man pages are there, and you can read them the next time you have a break between your many tasks.
But stop, what do I see in the output above? It skipped my fix! The reason for skipping is in /var/adm/ras/emgr.log:
emgr: 0645-071 The following target files have failed lock checks:
emgr: 0645-035 Efix package did not pass all preview checks.
I must first uninstall the previous fix. Let's do it! It doesn't matter anyway, because IBM assures us that the latest fix always contains the previous one. (You can check that claim for any pair of fixes yourself: the Efix description printed by emgr -v3 -d -e for a package lists the CVEs it covers, so compare the old and the new package before you remove anything.)
# emgr -rL 3013sa
...
Return Status = SUCCESS
# emgr_sec_patch openssl_fix43.tar
...
Return Status = SUCCESS
Done
Now it is installed and I did my AIX patch management duty!
Two days later…
Telephone rings. The manager calls. He has just got the new vulnerability report, and the AIX team is again the worst case. Every single server is unpatched and missing the very serious patch with CVSS score 8.1! Exactly the patch we removed earlier, 3013sa, because we've got the newer patch. Yes, the manager understands everything, but the vulnerability report will go directly to upper management and will be checked during the next annual audit of all accounting information. You know, you can discuss it with your boss and even with the security guys, but try to discuss it with the E&Y, PwC or Deloitte guys. They won't even discuss it with you, because they will discuss it with someone whose title begins with the very big letter C.
You must do what is technically impossible and install both patches at the same time!
Poor AIX admin…
Chip ‘n Dale: Rescue Rangers!
Let’s spoil our security guys and make the report beautiful! But before we start:
Please don't use this technique if you are not sure it is legal in your company and your country! You can make your IT security department blind and, as a result, make yourself personally liable for very big problems.
What do we need to know before we start?
We need several pieces of information from the old fix. You can get all of them by displaying the fix information:
# emgr -v3 -d -e 3013sa.240722.epkg.Z
You need:
LABEL:
3013sa
PREREQ:
openssl.base 3.0.13.1000 3.0.13.1000
APARREF:
NONE
ABSTRACT:
ifix for openssl july CVEs
Efix description:
ifix for CVE-2024-4603, CVE-2024-4741 and CVE-2024-5535
Starting the work
First you need a temporary directory:
# mkdir /tmp/3013sa
# cd $_
Now let’s start creating files:
# echo 'NONE' >aparref
# echo 'openssl.base 3.0.13.1000 3.0.13.1000' >prereq
# echo 'ifix for CVE-2024-4603, CVE-2024-4741 and CVE-2024-5535' >desc
Creating these three files was easy: we took the information from the old fix and put it into files.
The next file is needed only because an ifix must install something:
# echo '3013sa patch is installed' >3013sa.txt
It doesn't matter what you write into the file or what you name it. But if you change the name, you must change it in the next file too.
The next file is the most important file.
ABSTRACT=ifix for openssl july CVEs
PRE_INSTALL=.
POST_INSTALL=.
PRE_REMOVE=.
POST_REMOVE=.
REBOOT=no
PREREQ=prereq
APARREF=aparref
DESCRIPTION=desc
EFIX_FILES=1
LKU_CAPABLE=yes
EFIX_FILE:
EFIX_FILE_NUM=1
SHIP_FILE=3013sa.txt
TARGET_FILE=/tmp/3013sa.txt
TYPE=1
INSTALLER=9
AR_MEM=.
ACL=root:system:0400
Save the file under some name. Mine is simply called control, because it is a control file.
Building the new fix
We have done almost everything; now we must build the new fix. It is done with the command epkg, which you can find on every AIX installation.
# epkg -e control -w ./tmp 3013sa
The -e option gives the path to our control file.
The -w option gives the path to the temporary directory where the whole work is done. If it doesn't exist, it is created automatically.
The last parameter is the label of the future fix. Here it must be exactly the label the scanner is looking for, 3013sa.
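The steps from "Starting the work" to the epkg call are all mechanical, so here they are as a script. This is an added example and not the newsletter's own code: it reads the label, prerequisite, APAR reference, abstract and description out of the output of emgr -v3 -d -e, writes the same files and the same control file as above, and then runs epkg with the same options. It assumes the emgr output shows each field as a "KEY:" line followed by its value, as on the page (a "KEY: value" on one line is handled as well); a PREREQ with several filesets is copied line by line. The embedded sample is a constructed, trimmed copy of the page's emgr output, and the function names are mine. Only the epkg and emgr calls need AIX and root; the rest runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not the newsletter's own script: it automates the manual
# steps above (temp dir, aparref/prereq/desc, marker file, control file,
# epkg). It reads the values from the output of `emgr -v3 -d -e <package>`
# instead of retyping them.
# ASSUMPTIONS: the emgr output shows each field as a "KEY:" line followed by
# its value, as on the page; "KEY: value" on one line is handled as well.
# A multi-line PREREQ (several filesets) is copied line by line. epkg and
# emgr exist only on AIX and need root; everything else runs anywhere.
# The function names are mine.

# Constructed sample, trimmed to the fields the page lists from
# `emgr -v3 -d -e 3013sa.240722.epkg.Z`.
SAMPLE_EFIX_INFO='LABEL:
3013sa
PREREQ:
openssl.base 3.0.13.1000 3.0.13.1000
APARREF:
NONE
ABSTRACT:
ifix for openssl july CVEs
Efix description:
ifix for CVE-2024-4603, CVE-2024-4741 and CVE-2024-5535'

# efix_field INFO KEY: print the value of KEY (e.g. "LABEL:"). Takes the rest
# of the key line if it is non-empty, otherwise the following lines up to a
# blank line or the next "Word:" header.
efix_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        want {
            if ($0 == "" || $0 ~ /^[A-Za-z][A-Za-z _]*:/) exit
            print; next
        }
        index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            sub(/^[ \t]+/, "", rest)
            if (rest != "") { print rest; exit }
            want = 1
        }'
}

# make_spoiler_ifix WORKDIR INFO: create WORKDIR with the input files for epkg
# from the efix metadata INFO. Prints the label on success.
make_spoiler_ifix() {
    workdir=$1
    info=$2
    label=$(efix_field "$info" "LABEL:")
    [ -n "$label" ] || { echo "make_spoiler_ifix: no LABEL in efix info" >&2; return 1; }
    mkdir -p "$workdir" || return 1
    efix_field "$info" "PREREQ:"           > "$workdir/prereq"
    efix_field "$info" "APARREF:"          > "$workdir/aparref"
    efix_field "$info" "Efix description:" > "$workdir/desc"
    abstract=$(efix_field "$info" "ABSTRACT:")
    marker="$label.txt"                      # the one file the ifix "installs"
    echo "$label patch is installed" > "$workdir/$marker"
    cat > "$workdir/control" <<EOF
ABSTRACT=$abstract
PRE_INSTALL=.
POST_INSTALL=.
PRE_REMOVE=.
POST_REMOVE=.
REBOOT=no
PREREQ=prereq
APARREF=aparref
DESCRIPTION=desc
EFIX_FILES=1
LKU_CAPABLE=yes
EFIX_FILE:
EFIX_FILE_NUM=1
SHIP_FILE=$marker
TARGET_FILE=/tmp/$marker
TYPE=1
INSTALLER=9
AR_MEM=.
ACL=root:system:0400
EOF
    echo "$label"
}

# build_spoiler_ifix WORKDIR LABEL: run epkg exactly as on the page (AIX only)
# and print the path of the resulting package.
build_spoiler_ifix() {
    ( cd "$1" && epkg -e control -w ./tmp "$2" ) || return 1
    ls "$1/tmp/$2/$2".*.epkg.Z
}

# On AIX, as root:
#   info=$(emgr -v3 -d -e 3013sa.240722.epkg.Z)
#   label=$(make_spoiler_ifix /tmp/3013sa "$info")
#   pkg=$(build_spoiler_ifix /tmp/3013sa "$label") && emgr -e "$pkg" && emgr -l
```

The prerequisite is copied from the old fix on purpose: it is what ties the marker package to openssl.base 3.0.13.1000, so emgr refuses to install it on a system where that level is not present. The marker package can later be removed like any other ifix with emgr -r -L 3013sa.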
If everything is good, epkg finishes without errors and the new package 3013sa.*.epkg.Z appears under the work directory.
Let’s test!
I think you know how to install “normal” fixes.
# emgr -e /tmp/3013sa/tmp/3013sa/3013sa.*.epkg.Z
In my case everything is installed, and emgr -l now shows both fixes at the same time: the real fix and my spoiler fix.
Security is happy. The manager is happy. I am happy too.
But don't forget! It is your responsibility to make sure that the real security problems are really patched! Don't build "fake" patches just to avoid patching your AIX systems at all.
Have fun spoiling security guys!
Andrey
P.S. Neither I nor the company/companies I work for are liable for any direct or indirect losses caused by applying the knowledge you gained by reading this newsletter…
Hi, I am Andrey Klyachkin, IBM Champion and IBM AIX Community Advocate. It means I don't work for IBM. Over the last 20 years I have worked with many different IBM Power customers all over the world, both on-premise and in the cloud. I specialize in automating IBM Power infrastructures, making them even more robust and agile. I co-authored several IBM Redbooks and IBM Power certifications. I am an active Red Hat Certified Engineer and Instructor.
Follow me on LinkedIn, Twitter and Youtube.
Meet me on events like IBM TechXchange, Common Europe Congress and GSE Germany’s IBM Power Working group sessions.
To remove both ifixes, apply the traditional procedure? emgr -r -L ....... ?