Sysadmin's Shouts!

a blog for sysadmin's rants and raves…

AIX Vulnerabilities


IBM has a tool to track and report vulnerabilities in its products, called the Fix Level Recommendation Tool (FLRT).

https://www-304.ibm.com/support/customercare/flrt/

For AIX in particular, it provides the Security APAR information, or Security Bulletin information, for AIX 7.2, 7.1, 6.1, 5.3, and VIOS:

https://www-304.ibm.com/webapp/set2/flrt/doc?page=security

To check our systems, IBM provides the flrtvc.ksh script, which produces awesome output in several formats.
As prerequisites, it needs:

1.- internet access to retrieve the latest vulnerability CSV listing (aparCSV)
2.- wget
3.- curl

Points 2 and 3 are easily covered if we have set up yum on our AIX system (yum install wget curl).

Some examples of flrtvc script execution:

[root@aixtest:/home/admin]./flrtvc.ksh | cut -c 1-110
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL
bos.acct|7.2.1.0|sec||NOT FIXED - (caccelstat) Vulnerabilities in bellmail / caccelstat / iostat / l
bos.acct|7.2.1.0|sec||NOT FIXED - (iostat) Vulnerabilities in bellmail / caccelstat / iostat / lquer
bos.acct|7.2.1.0|sec||NOT FIXED - (vmstat) Vulnerabilities in bellmail / caccelstat / iostat / lquer
bos.cluster.rte|7.2.1.0|hiper||NOT FIXED - CAA:SLOW GOSSIP RECEIPT ON BOOT MAY CAUSE PARTITIONED CLU
bos.mp64|7.2.1.1|hiper||NOT FIXED - getsockname() returns incorrect NameLength|7.2.1.0-7.2.1.1|IV914
bos.mp64|7.2.1.1|hiper||NOT FIXED - PROBLEMS CAN OCCUR WITH THREAD_CPUTIME AND THREAD_CPUTIME_FAST|7
bos.mp64|7.2.1.1|hiper||NOT FIXED - CRASH OR POTENTIAL DATA LOSS AFTER REMOVING LARGE JFS2 FILES ON
bos.mp64|7.2.1.1|hiper||NOT FIXED - SYSTEM CRASH WHEN USING PROCFS FOR PROCESSES CLOSING MANY FILES|
bos.mp64|7.2.1.1|sec||NOT FIXED - IBM has released AIX and VIOS iFixes in response to the vulnerabil
bos.net.tcp.bind_utils|7.2.1.1|sec||NOT FIXED - There is a vulnerability in BIND that impacts AIX.|7
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - There is a vulnerability in bellmail that impacts A
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - Vulnerabilities in BIND impact AIX|7.2.1.0|CVE-2016
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - There are two vulnerabilities in BIND that impact A
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - Vulnerability in bellmail affects AIX|7.2.1.0-7.2.1
bos.net.tcp.client_core|7.2.1.0|sec||NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat
bos.net.tcp.ntp|7.2.1.0|sec||NOT FIXED - There are multiple vulnerabilities in NTPv3 and NTPv4 that
bos.net.tcp.ntpd|7.2.1.0|sec||NOT FIXED - There are multiple vulnerabilities in NTPv3 and NTPv4 that
bos.net.tcp.tcpdump|7.2.1.0|sec||NOT FIXED - There are multiple vulnerabilities in tcpdump that impa
bos.rte.archive|7.2.1.0|sec||NOT FIXED - (restbyinode) Vulnerabilities in bellmail / caccelstat / io
bos.rte.lvm|7.2.1.0|sec||NOT FIXED - (lquerypv) Vulnerabilities in bellmail / caccelstat / iostat /
devices.fcp.disk.rte|7.2.1.0|hiper||NOT FIXED - UNDETECTED DATA LOSS AFTER STORAGE ERRORS WITH CERTA
devices.pci.77102224.com|7.2.1.0|hiper||NOT FIXED - UNDETECTED DATA LOSS AFTER STORAGE ERRORS WITH C
devices.pciex.df1060e214103404.com|7.2.1.0|hiper||NOT FIXED - UNDETECTED DATA LOSS AFTER STORAGE ERR
devices.vdevice.ibm.l-lan.rte|7.2.1.0|hiper||NOT FIXED - CRASH IN VIOENT_INIT_LS_TIMER WHEN POLL_UPL
devices.vdevice.ibm.vfc-client.rte|7.2.1.0|hiper||NOT FIXED - Potential data loss using Virtual FC w
java7_64.jre|7.0.0.370|sec||NOT FIXED - There are multiple vulnerabilities in IBM SDK Java Technolog
java7_64.sdk|7.0.0.370|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<7.0.0.4
java7_64.sdk|7.0.0.370|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<7.0.0.5
java7_64.sdk|7.0.0.370|sec||NOT FIXED - There are multiple vulnerabilities in IBM SDK Java Technolog
openssh.base.client|6.0.0.6201|sec||NOT FIXED - AIX OpenSSH Vulnerability|4.0.0.5200-6.0.0.6201|CVE-
openssh.base.client|6.0.0.6201|sec||NOT FIXED - Vulnerabilities in OpenSSH affect AIX|4.0.0.5200-6.0
openssl.base|1.0.2.800|sec||NOT FIXED - There is a vulnerability in OpenSSL used by AIX|1.0.2.500-1.
openssl.base|1.0.2.800|sec||NOT FIXED - Vulnerability in OpenSSL affects AIX|1.0.2.500-1.0.2.1100|CV
...
[root@aixtest:/home/admin]./flrtvc.ksh -v | pg
////////////////////////////////////////////////////////////
// IBM FLRTVC (v0.7.3) Report
// Server: aixtest
// Date: Fri Feb 9 10
// Report by: root
// Vulnerable Filesets: 22
// Total Vulnerabilities: 54
// Total Fixes (not shown): 22
////////////////////////////////////////////////////////////

--------------------------------------------------------------------------------
bos.acct - 7.2.1.0 - Vulnerabilities (3)
--------------------------------------------------------------------------------

(1) NOT FIXED - (caccelstat) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)

Type: sec
Score: CVE-2017-1692:8.4
Versions: 7.2.1.0-7.2.1.0
APARs/CVEs: IV97811
Last Update: 02/05/2018
Bulletin: http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
Download: ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
Fixed In: 7200-01-04

(2) NOT FIXED - (iostat) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)
Type: sec
Score: CVE-2017-1692:8.4
Versions: 7.2.1.0-7.2.1.1
APARs/CVEs: IV97898
Last Update: 02/05/2018
Bulletin: http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
Download: ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
Fixed In: 7200-01-04
...

It really is a great tool that can save us a lot of time when our systems need a vulnerability check.

Full usage of the tool:

Usage flrtvc: Change delimiter for compact reporting
 ./flrtvc.ksh -d '||'

Usage flrtvc: Generate full reporting (verbose mode)
 ./flrtvc.ksh -v

Usage flrtvc: Choose custom apar.csv file to use
 ./flrtvc.ksh -f myfile.csv

Usage flrtvc: Only show specific filesets in verbose mode
 ./flrtvc.ksh -vg printers

Usage flrtvc: Show only hiper results
 ./flrtvc.ksh -t hiper

Usage flrtvc: Custom lslpp and emgr outputs
 ./flrtvc.ksh -l lslpp.txt -e emgr.txt

Flags:

-d = Change delimiter for compact reporting
-f = Enter a custom aparCSV file in local filesystem
-q = Quiet mode, hide compact reporting header
-s = Skip download and locate 'apar.csv' filename in current directory
-v = Verbose, full report (for piping to email)
-g = Filter filesets for specific phrase, useful for verbose mode
-t = Type of APAR [hiper | sec]
-l = Enter a custom LSLPP output file, must match lslpp -Lqc
-e = Enter a custom EMGR output file, must match emgr -lv3
-x = Skip EFix processing
-a = Show all fixed and non-fixed HIPER/Security vulnerabilities.
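
An added example (not part of flrtvc or of the original post): a POSIX shell wrapper that reads the compact report on stdin, counts the NOT FIXED rows per type and fileset, and returns non-zero while any sec item is open. The function names, the sample rows and the placeholder values are assumptions made for illustration; feed it the uncut report, because rows shortened with cut lose their trailing fields and are counted as malformed.

```sh
#!/bin/sh
# Added example: summarise flrtvc.ksh compact output read on stdin.
# Column order follows the header line shown in the post:
# Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL
flrtvc_summary() {
    awk -F'|' '
        $1 == "Fileset" { next }         # header row (hidden by -q)
        NF < 9 { bad++; next }           # truncated row, e.g. after cut -c 1-110
        $5 !~ /^NOT FIXED/ { next }      # assumption: open items carry this prefix
        { total[$3]++; seen[$3 SUBSEP $1 SUBSEP $2]++ }
        END {
            cmd = "LC_ALL=C sort"
            for (k in seen) {
                split(k, p, SUBSEP)      # p[1]=type p[2]=fileset p[3]=version
                printf("%s %s %s %d\n", p[1], p[2], p[3], seen[k]) | cmd
            }
            close(cmd)                   # flush sorted rows before the total line
            printf("TOTAL sec=%d hiper=%d malformed=%d\n", total["sec"], total["hiper"], bad)
        }'
}

# Print the summary and return 1 while any sec item is still open (cron/CI gate).
flrtvc_gate() {
    flrtvc_summary | awk '{ print } /^TOTAL/ && $2 != "sec=0" { rc = 1 } END { exit rc + 0 }'
}

# Constructed sample: rows 2-3 reuse values from the verbose report in the post,
# row 4 uses placeholders for fields the post truncates, row 5 is a cut-off row.
sample_report() {
    cat <<'EOF'
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL
bos.acct|7.2.1.0|sec||NOT FIXED - (caccelstat) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)|7.2.1.0-7.2.1.0|IV97811|http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc|ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
bos.acct|7.2.1.0|sec||NOT FIXED - (iostat) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)|7.2.1.0-7.2.1.1|IV97898|http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc|ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
bos.mp64|7.2.1.1|hiper||NOT FIXED - getsockname() returns incorrect NameLength|7.2.1.0-7.2.1.1|APAR-PLACEHOLDER|https://example.invalid/bulletin|https://example.invalid/fix
bos.cluster.rte|7.2.1.0|hiper||NOT FIXED - CAA:SLOW GOSSIP RECEIPT ON BOOT MAY CAUSE PARTITIONED CLU
EOF
}

# Real use on the AIX host: ./flrtvc.ksh -q | flrtvc_gate
```

If the delimiter is changed with -d, the awk field separator has to be changed to match.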