AIX

I'd appreciate some clarity from IBM as to how they are protecting their AIX customers from supply chain attacks in OSS software.

The recent xz library supply chain attack is rather alarming due to the long term social engineering that occurred to place a bad actor in a position of power over a commonly used library. That it rapidly progressed to attempts to deploy backdoored code that could be leveraged without compromising carefully examined projects like OpenSSH raises the question of how to protect our production systems.

As I understand it, IBM ships openssl and openssh from upstream OSS sources. How are these validated and secured from these kinds of attacks?

I am deliberately excluding the AIX/Linux toolkit from the question, as it is unsupported and best effort.

I am not IBM, but exactly the xz kind of attack would never work on AIX. The backdoor checks and installs only on x86_64 architecture.

Regarding supply chain attacks in common, yes, there is enough place for improvements in AIX and I'd like to get some info from IBM too.

I'd appreciate some clarity from IBM as to how they are protecting their AIX customers from supply chain attacks in OSS software.

The recent xz library supply chain attack is rather alarming due to the long term social engineering that occurred to place a bad actor in a position of power over a commonly used library. That it rapidly progressed to attempts to deploy backdoored code that could be leveraged without compromising carefully examined projects like OpenSSH raises the question of how to protect our production systems.

As I understand it, IBM ships openssl and openssh from upstream OSS sources. How are these validated and secured from these kinds of attacks?

I am deliberately excluding the AIX/Linux toolkit from the question, as it is unsupported and best effort.

I'd appreciate some clarity from IBM as to how they are protecting their AIX customers from supply chain attacks in OSS software.

The recent xz library supply chain attack is rather alarming due to the long term social engineering that occurred to place a bad actor in a position of power over a commonly used library. That it rapidly progressed to attempts to deploy backdoored code that could be leveraged without compromising carefully examined projects like OpenSSH raises the question of how to protect our production systems.

As I understand it, IBM ships openssl and openssh from upstream OSS sources. How are these validated and secured from these kinds of attacks?

I am deliberately excluding the AIX/Linux toolkit from the question, as it is unsupported and best effort.

Hi Russel,

I'm not speaking for IBM and can't comment on the core questions you raised.

But as you raised the topic with the context of the xz backdoor usable via ssh, it is noteworthy to also note, that AIX should not affected by CVE-2024-3094.

At the time of writing the exploit requires:

• Package build as deb or rpm (Linux Weekly News has an excellent article how that exploit works),
• OpenSSH using systemd,
• OpenSSH and / or systemd being linked against xz.

Given that none of these constraints are met on an AIX system, it is fairly safe to say, that AIX is not affected by this backdoor, even though an official statement from IBM just for sake of having an official source would be nice.

Best regards,

  Alexander

I'd appreciate some clarity from IBM as to how they are protecting their AIX customers from supply chain attacks in OSS software.

The recent xz library supply chain attack is rather alarming due to the long term social engineering that occurred to place a bad actor in a position of power over a commonly used library. That it rapidly progressed to attempts to deploy backdoored code that could be leveraged without compromising carefully examined projects like OpenSSH raises the question of how to protect our production systems.

As I understand it, IBM ships openssl and openssh from upstream OSS sources. How are these validated and secured from these kinds of attacks?

I am deliberately excluding the AIX/Linux toolkit from the question, as it is unsupported and best effort.