PowerVM

  • 1.  Is VIOS 3* immune (or just not supported anymore) to CVE-2025-8732?

    Posted Wed February 18, 2026 10:22 AM

    I am at VIOS 3.1.4.50
    lslpp -L | grep -i bos.rte.control
    returns bos.rte.control 7.2.5.204
    This is in the vulnerable range in https://www.ibm.com/support/pages/node/7261170
    yet it says it only applied to VIOS 4.1.
    Why?



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------


  • 2.  RE: Is VIOS 3* immune (or just not supported anymore) to CVE-2025-8732?

    Posted Wed February 18, 2026 10:30 AM

    Perhaps they are jumping the gun on 2026-04-30?  https://www.ibm.com/support/pages/lifecycle/search?q=powerVM%203.1.x



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 3.  RE: Is VIOS 3* immune (or just not supported anymore) to CVE-2025-8732?

    Posted Thu February 19, 2026 05:21 AM

    Well, yes, it must be equally vulnerable to the corresponding AIX 7.2 level, and you can probably apply the corresponding AIX iFix.

    Do note that in 99% of the python/perl/libxml cases, the vulnerability isn't exploitable since there is nothing vulnerable actively listening on the network.



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------



  • 4.  RE: Is VIOS 3* immune (or just not supported anymore) to CVE-2025-8732?

    Posted Thu February 19, 2026 05:50 AM

    I downloaded the fix package and looked at the Advisory.asc file included with the fix. 

    It lists VIOS 3.1 as being affected.

        AFFECTED PRODUCTS AND VERSIONS:

            AIX 7.2, 7.3
            VIOS 3.1, 4.1

            The following fileset levels are vulnerable:

            key_fileset = aix

            Fileset                 Lower Level  Upper Level KEY
            ---------------------------------------------------------
            bos.rte.control         7.2.5.0      7.2.5.206   key_w_fs
            bos.rte.control         7.3.2.0      7.3.2.3     key_w_fs
            bos.rte.control         7.3.3.0      7.3.3.1     key_w_fs
            bos.rte.control         7.3.4.0      7.3.4.0     key_w_fs

    It looks as though the publication note somehow omitted VIOS 3.1. And indeed, the VIOS fix table does not mention the fix needed/allowed for VIOS 3.1.4.50.

    Based on your level of bos.rte.control (7.2.5.204) and the prerequisites listed in the fix file (as shown by emgr), it should be possible to install the fix IJ57276sBa.260212.epkg.Z on your VIOS with level 3.1.4.50.
    I do not know why IBM doesn't mention it in the publication/advisory.



    ------------------------------
    Richard Westerik
    Principal specialist
    Simac IT NL bv
    Ede
    +31651575123
    ------------------------------
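
The range check discussed in this thread, as an added example that is not part of any post and is not IBM's code: it compares a fileset level against the fileset table quoted from Advisory.asc above, field by field and numerically. The function names and the embedded copy of the table are constructed for illustration; `installed_level` assumes the colon-separated output of `lslpp -Lqc` with the level in the third field.

```shell
#!/bin/sh
# Constructed copy of the fileset table quoted from Advisory.asc in the
# thread above: fileset, lower level, upper level (both bounds inclusive).
ADVISORY_RANGES='bos.rte.control 7.2.5.0 7.2.5.206
bos.rte.control 7.3.2.0 7.3.2.3
bos.rte.control 7.3.3.0 7.3.3.1
bos.rte.control 7.3.4.0 7.3.4.0'

# in_vulnerable_range FILESET LEVEL   (hypothetical helper name)
# Prints the matching range and returns 0 when LEVEL lies inside a listed
# range for FILESET; prints nothing and returns 1 otherwise.
in_vulnerable_range() {
    printf '%s\n' "$ADVISORY_RANGES" | awk -v name="$1" -v lvl="$2" '
        # Compare two dotted V.R.M.F levels numerically, one field at a
        # time, so that 7.3.2.10 sorts above 7.3.2.3 (a plain string
        # comparison would get that wrong).
        function cmp(a, b,    x, y, i) {
            split(a, x, "."); split(b, y, ".")
            for (i = 1; i <= 4; i++) {
                if (x[i] + 0 < y[i] + 0) return -1
                if (x[i] + 0 > y[i] + 0) return 1
            }
            return 0
        }
        $1 == name && cmp(lvl, $2) >= 0 && cmp(lvl, $3) <= 0 {
            print $1, $2 "-" $3
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# installed_level FILESET   (hypothetical helper name)
# On AIX/VIOS, prints the installed level of FILESET. Assumes lslpp -Lqc
# emits colon-separated records with the level in field 3.
installed_level() {
    lslpp -Lqc "$1" 2>/dev/null | awk -F: 'NR == 1 { print $3 }'
}
```

On a VIOS or AIX host, `in_vulnerable_range bos.rte.control "$(installed_level bos.rte.control)"` runs the same check against the installed level; a match only means the level is inside the advisory's listed range.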