AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Fri July 07, 2023 11:18 AM
    Edited by Martin Rödlach Fri July 07, 2023 11:29 AM

    Hi,

    we recently got a finding with a CVSSv3 score of 9.8 in our Tenable.sc for a bunch of AIX LPARs regarding ClamAV:

    ClamAV < 0.103.8 / 0.104.x < 0.105.2 / 1.0.x < 1.0.1 RCE (177449)

    • Synopsis

      The antivirus running on the remote host is affected by a remote code execution vulnerability.

    • Description

      The version of ClamAV installed on the remote host is prior to 0.103.8, 0.104.x prior to 0.105.2 or 1.0.x prior to 1.0.1. It is, therefore, affected by a remote code execution vulnerability in the HFS+ partition file parser of the ClamAV scanning library. An unauthenticated, remote attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. Successful exploitation could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.

      Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

    • Solution

      Upgrade to ClamAV version 0.103.8, 0.105.2, 1.0.1 or later.

    • Plugin Output

      Path : /opt/freeware/bin/clamscan
      Installed version : 0.104.2
      Fixed version : 0.105.2

    Here is the thing - we have installed 0.104.2 on our systems and you provided an updated version 0.103.8 (which is the most up-to-date file on the FTP) - which is indeed fixed - but this would be a downgrade for us.

    So my question is, if it would be possible to provide a 0.105.2 or higher version? We would be very thankful.

    Note: this finding does not affect AIX and I don't know why Tenable is popping up that finding in the first place - this is a finding regarding HFS+ - but it is easier for us to fix it than to create an accept-risk rule because of a false positive. Also a downgrade is something that I want to avoid. There is also a discussion about the support end of version 0.103.x.

    Thanks and keep up the good work

    Martin



    ------------------------------
    Opensource the Planet ;-)
    ------------------------------



  • 2.  RE: ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Sat July 08, 2023 04:18 AM

    Hi Martin,

    From 0.103 to 0.105 is a major version shift and this requires some planning and testing.

    We can look for this in future but it is not possible immediately as we already have planned items for this quarter.

    Thanks,

    Sanket Rathi






  • 3.  RE: ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Mon July 10, 2023 03:46 AM

    Hi,

    thanks for the info - sadly we then have to step back to the lower level for the moment :-(

    Please keep me informed when the 0.105.2+ or 1.1.0+ releases are available. I would prefer the 1.1.x version if your time for testing is limited.

    Thanks

    Martin



    ------------------------------
    Opensource the Planet ;-)
    ------------------------------



  • 4.  RE: ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Mon July 17, 2023 02:22 AM

    ClamAV 0.103.X is an LTS version which has support till Sep 2024 and database updates till Sep 2025. That is the reason we moved from 0.104.X to 0.103.X.
    1.X versions and 0.105.X require the Rust compiler, which is not yet available in the AIX Toolbox.



    ------------------------------
    Ayappan P
    ------------------------------



  • 5.  RE: ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Mon July 17, 2023 03:36 AM

    Hi, I understand. Thanks for the information.

    May I suggest then to remove the 0.104.2 version from the FTP - because we are syncing that to our repository and an update via yum would always upgrade to an unpatched version. For the moment we remove it manually on our side. But we sync that daily ;-)

    If you bring Rust to AIX (a colleague of mine is a real fan of Rust) and provide ClamAV 1.x.x afterwards, could you please reply to this thread then. Thanks.

    Much appreciated

    Wish You all the best

    Martin



    ------------------------------
    Opensource the Planet ;-)
    ------------------------------



  • 6.  RE: ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Mon July 17, 2023 03:43 AM

    We have built 0.103.X with an Epoch field, which makes this version an update over 0.104.X.

    So I am not sure why yum upgrade tries to bring in 0.104.X in your case.



    ------------------------------
    Ayappan P
    ------------------------------
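    An added example, not from this thread or the AIX Toolbox: a small Python model of how rpm ranks Epoch:Version-Release, showing why an Epoch-tagged 0.103.8 build counts as an update over a plain 0.104.2 (the point of the reply above), together with the version-branch rule from the Tenable plugin text quoted in the first post. The Epoch value 1 and the release "1" are assumed for illustration; the thread does not state them.

```python
import re
from itertools import zip_longest

def _segments(s):
    # rpmvercmp splits a version into runs of digits and runs of letters;
    # every other character is only a separator
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return 1, 0 or -1 like rpm's rpmvercmp (simplified: no '~' or '^' handling)."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:             # a ran out of segments first: b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):  # numeric compare, so leading zeros do not matter
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():         # a numeric segment always beats an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way yum/rpm rank packages:
    a higher Epoch wins before version or release are even looked at."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def clamav_fixed_version(installed):
    """Fixed version for the branch the plugin text names, or None if already fixed."""
    if installed.startswith("1.0."):
        fixed = "1.0.1"
    elif installed.startswith(("0.104.", "0.105.")):
        fixed = "0.105.2"
    else:
        fixed = "0.103.8"
    return None if rpmvercmp(installed, fixed) >= 0 else fixed

if __name__ == "__main__":
    # Constructed packages: the Toolbox 0.103.8 build with an assumed Epoch of 1
    # versus a 0.104.2 build with the default Epoch 0; release "1" is assumed too.
    toolbox, old = (1, "0.103.8", "1"), (0, "0.104.2", "1")
    print("Epoch 1 0.103.8 supersedes 0.104.2:", evr_cmp(toolbox, old) > 0)
    print("plugin fix target for 0.104.2:", clamav_fixed_version("0.104.2"))
```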



  • 7.  RE: ClamAV 0.105.2 or higher delivery because of a critical finding (not affecting AIX!)

    Posted Mon July 17, 2023 05:01 AM

    Hi,

    thanks for the information - that sounds good. I can't tell why this happens in our environment at the moment - I have to test something.

    But despite that, the 0.104.2 version should no longer be distributed. But that's just my opinion.

    Thanks

    Martin



    ------------------------------
    Opensource the Planet ;-)
    ------------------------------