FYI IBM Support confirmed to me that if you stop the nimesis subsystem on the NIM master, and nimsh subsystems on the clients, then you are not vulnerable. You can stop the services until you can patch.

Yet another embarrassing AIX security debacle

FYI IBM Support confirmed to me that if you stop the nimesis subsystem on the NIM master, and nimsh subsystems on the clients, then you are not vulnerable. You can stop the services until you can patch.

Yet another embarrassing AIX security debacle

FYI IBM Support confirmed to me that if you stop the nimesis subsystem on the NIM master, and nimsh subsystems on the clients, then you are not vulnerable. You can stop the services until you can patch.

 So, we have some legacy systems we are stuck on. Mostly AIX 7.1.   Are these systems vulnerable to these exploits?

"However, versions 7.2 and 7.3 are both vulnerable and should be updated immediately, Big Blue says." - from the cited article.
From AIX Standard Edition_7.1.0 - Withdrawal notification we see:

Lifecycle dates, announcement letters and other information

GA

10-Sep-2010 , 210-200

EOM

23-Nov-2021 , 921-107

EOS

30-Apr-2023 , 921-107

Extension, Extended, or Sustained Support ends

30-Apr-2026

... So I guess if you are vulnerable and have extended support, you'll get a patch.

 So, we have some legacy systems we are stuck on. Mostly AIX 7.1.   Are these systems vulnerable to these exploits?

Well..  I don't know if I have the vulnerability on my legacy systems, which is why I am asking if this affects AIX 7.1. 

There's no details I have seen on how the exploit works so we can't evaluate the situation.  Even if there is a patch, we won't be getting it and there is also the question of the exposure in the meantime before any such patch is released. We have a mitigation plan, but I really, really need to know if we have to pull the trigger on it as it's a bit drastic.

"However, versions 7.2 and 7.3 are both vulnerable and should be updated immediately, Big Blue says." - from the cited article.
From AIX Standard Edition_7.1.0 - Withdrawal notification we see:

Lifecycle dates, announcement letters and other information

GA

10-Sep-2010 , 210-200

EOM

23-Nov-2021 , 921-107

EOS

30-Apr-2023 , 921-107

Extension, Extended, or Sustained Support ends

30-Apr-2026

... So I guess if you are vulnerable and have extended support, you'll get a patch.

 So, we have some legacy systems we are stuck on. Mostly AIX 7.1.   Are these systems vulnerable to these exploits?

Well..  I don't know if I have the vulnerability on my legacy systems, which is why I am asking if this affects AIX 7.1. 

There's no details I have seen on how the exploit works so we can't evaluate the situation.  Even if there is a patch, we won't be getting it and there is also the question of the exposure in the meantime before any such patch is released. We have a mitigation plan, but I really, really need to know if we have to pull the trigger on it as it's a bit drastic.

"However, versions 7.2 and 7.3 are both vulnerable and should be updated immediately, Big Blue says." - from the cited article.
From AIX Standard Edition_7.1.0 - Withdrawal notification we see:

Lifecycle dates, announcement letters and other information

GA

10-Sep-2010 , 210-200

EOM

23-Nov-2021 , 921-107

EOS

30-Apr-2023 , 921-107

Extension, Extended, or Sustained Support ends

30-Apr-2026

... So I guess if you are vulnerable and have extended support, you'll get a patch.

 So, we have some legacy systems we are stuck on. Mostly AIX 7.1.   Are these systems vulnerable to these exploits?

@Charles Buckley ... from an IBM Distinguished Engineer:
"AIX 7.1 is impacted. Clients with extended support can open a support case and request a fix."

Well..  I don't know if I have the vulnerability on my legacy systems, which is why I am asking if this affects AIX 7.1. 

There's no details I have seen on how the exploit works so we can't evaluate the situation.  Even if there is a patch, we won't be getting it and there is also the question of the exposure in the meantime before any such patch is released. We have a mitigation plan, but I really, really need to know if we have to pull the trigger on it as it's a bit drastic.

"However, versions 7.2 and 7.3 are both vulnerable and should be updated immediately, Big Blue says." - from the cited article.
From AIX Standard Edition_7.1.0 - Withdrawal notification we see:

Lifecycle dates, announcement letters and other information

GA

10-Sep-2010 , 210-200

EOM

23-Nov-2021 , 921-107

EOS

30-Apr-2023 , 921-107

Extension, Extended, or Sustained Support ends

30-Apr-2026

... So I guess if you are vulnerable and have extended support, you'll get a patch.

 So, we have some legacy systems we are stuck on. Mostly AIX 7.1.   Are these systems vulnerable to these exploits?

Thank you for the head's up.  I'm sure it is going to be popping up via our Security team's Qualys alerting very soon.  Will get the teams to take a look at it today for possible impact.

AIX 7.2 and 7.3 are vulnerable as noted in bulletin. Also, filesets 7.3.1.x are vulnerable. But, if I have nim clients with bos.sysmgt.nim.client and bos.sysmgt.sysbr filesets on 7.3.1.1 level installed on AIX 7300-01-02-2320 level, this is not vulnerable or there is no fix for this combo?

AIX 7.2 and 7.3 are vulnerable as noted in bulletin. Also, filesets 7.3.1.x are vulnerable. But, if I have nim clients with bos.sysmgt.nim.client and bos.sysmgt.sysbr filesets on 7.3.1.1 level installed on AIX 7300-01-02-2320 level, this is not vulnerable or there is no fix for this combo?