Is VIOS 3.1.4.31 affected by CVE-2024-25062?

View Only

Expand all | Collapse all

Is VIOS 3.1.4.31 affected by CVE-2024-25062?

Jump to Best Answer

1. Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Robert Berendt
Posted Wed May 22, 2024 10:45 AM

Reply
I am looking at the following: https://www.ibm.com/support/pages/node/7150641?mhsrc=ibmsearch_a&mhq=CVE-2024-25062 I do not see VIOS 3.1.4.31 on it's list. Does that mean that it's exempt from this CVE?

------------------------------
Robert Berendt IBMChampion
------------------------------

2. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?
Best Answer

Like

Luke February

Posted Wed May 22, 2024 03:45 PM
Edited by Robert Berendt Wed May 22, 2024 03:54 PM

Hi Robert

FYI

$ ioslevel
3.1.4.31
$ oem_setup_env

# oslevel -s
7200-05-07-2346

# lslpp -l bos.rte.control
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.rte.control 7.2.5.202 COMMITTED System Control Commands

The following fileset levels are vulnerable:

Fileset	Lower Level	Upper Level
bos.rte.control	7.2.5.0	7.2.5.102
bos.rte.control	7.2.5.200	7.2.5.202
bos.rte.control	7.3.0.0	7.3.0.3
bos.rte.control	7.3.1.0	7.3.1.2
bos.rte.control	7.3.2.0	7.3.2.0

------------------------------
Luke February
------------------------------

Original Message

3. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Robert Berendt
Posted Wed May 22, 2024 03:55 PM

Reply
Thank you. I think I'm starting to understand how these people think.

I am trying the tar command and I am getting:

# tar libxml2_fix6.tar
tar: 0511-191 Specify the block size with the -b or -N flag.
Usage: tar -{c|r|t|u|x} [ -BdDEFhilmopRUsvwZ ] [ -Number ] [ -f TarFil e ]
[ -b Blocks ] [ -S [ Feet ] | [ Feet@Density ] | [ Blocksb ] ]
[ -L InputList ] [-X ExcludeFile] [ -N Blocks ] [ -C Directory ] File ...
Usage: tar {c|r|t|u|x} [ bBdDEfFhilLXmNopRsSUvwZ[0-9] ] ]
[ Blocks ] [ TarFile ] [ InputList ] [ ExcludeFile ]
[ [ Feet ] | [ Feet@Density ] | [ Blocksb ] ] [-C Directory ] File ...

------------------------------
Robert Berendt IBMChampion
------------------------------

Original Message
4. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Ralf Kuehne
Posted Thu May 23, 2024 02:12 AM

Reply
tar -xvf libxml2_fix6.tar

VIOS Level Interim Fix (*.Z) KEY
-----------------------------------------------
3.1.3.21 IJ50828m4a.240409.epkg.Z key_w_fix
3.1.3.30 IJ50828m4a.240409.epkg.Z key_w_fix
3.1.3.40 IJ50828m4a.240409.epkg.Z key_w_fix
3.1.4.21 IJ50602m7a.240409.epkg.Z key_w_fix
3.1.4.30 IJ50602m7a.240409.epkg.Z key_w_fix
3.1.4.40 IJ50602m7a.240409.epkg.Z key_w_fix
4.1.0.10 IJ50601s1a.240409.epkg.Z key_w_fix

check on the vio (root):

emgr -e IJ50602m7a.240409.epkg.Z -p (preview)

EPKG NUMBER LABEL OPERATION RESULT
=========== ============== ================= ==============
1 IJ50602m7a INSTALL PREVIEW SUCCESS

padmin:

change to the install directory (copy the file in a new directory IJ50602m7a.240409.epkg.Z)

updateios -commit

updateios -dev "path to install directory" -install -accept

------------------------------
Ralf Kuehne
------------------------------

Original Message
5. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Robert Berendt
Posted Thu May 23, 2024 08:13 AM

Reply
Ralf,

The site Security Bulletin: AIX is vulnerable to a denial of service due to libxml2 (CVE-2024-25062) (ibm.com) did not mention any updateios stuff. I though updateios was for different upgrades and not patches?

------------------------------
Robert Berendt IBMChampion
------------------------------

Original Message
6. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Ralf Kuehne
Posted Thu May 23, 2024 08:43 AM

Reply
Hello,

All FIXES in the directory will be installed when installing via padmin. In addition, it is checked whether the SSP is active.

It's best to create your own directory

greeting

Ralf

Von: Robert Berendt via IBM TechXchange Community Mail@ConnectedCommunity.org
Gesendet: Donnerstag, 23. Mai 2024 14:15
An: Kühne, Ralf <Ralf.Kuehne@o-s.de>
Betreff: RE: PowerVM : Is VIOS 3.1.4.31 affected by CVE-2024-25062?

Ralf, The site Security Bulletin: AIX is vulnerable to a denial of service due to libxml2 (CVE-2024-25062) (ibm.com) did not mention any... -posted to the "PowerVM" group

Original Message
7. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Michal Kozlowski
Posted Fri May 24, 2024 03:56 AM
Edited by Michal Kozlowski Fri May 24, 2024 03:57 AM

Reply
Hi Robert,

In my opinion VIOS 3.1.4.31 is affected. I opened case for this,

TS016273493 'Possibme incorect details in IBM SECURITY ADVISORY libxml2_advisory6.asc' - created May 21, 2024
I received replay that buletin has been updated. It looks, It is not updated completly.

My initial case details:

Case number

TS016273493

Hi Team,

I think, that IBM SECURITY ADVISORY libxml2_advisory6.asc contain incorect data.

https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory6.asc

I think, that table with fixes list fix for 3.1.4.40 instaed for 3.1.4.31.

Additionaly 3.1.4.31 is not listed in table with fixes.

Incorect line is (Secton B. FIXES):

3.1.4.40 IJ50602m7a.240409.epkg.Z key_w_fix

It think it should be:

3.1.4.31 IJ50602m7a.240409.epkg.Z key_w_fix

Details:

Section REMEDIATION: contans (for VIOS):

VIOS Level APAR Availability SP KEY

-----------------------------------------------------

3.1.3 IJ50828 ** N/A key_w_apar

3.1.4 IJ50602 ** 3.1.4.40 key_w_apar

4.1.0 IJ50601 ** 4.1.0.20 key_w_apar

So I f I corectly understand, this vullnerability will be fixed in VIOS 3.1.4.40 (for VIOS 3.1 release).

Additionally:

1) VIOS 3.1.4.40 is not released yet, so it is pointless listed fix for it now.

2) In table for VIOSes with fixes missed 3.1.4.31

3) Fix pack for VIOS 3.1.4.31 contains update to 7.2.5.202 for bos.rte.control.

So this advisory is applicable for VIOS 3.1.4.31.

As note.

I wasn't sure how to addres my findig.

Security advisory contain note:

Contact IBM Support for questions related to this announcement:

https://ibm.com/support/

Regards,

Michal Kozlowski

Regards,

------------------------------
Michal Kozlowski
------------------------------

Original Message
8. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Robert Berendt
Posted Fri May 24, 2024 07:39 AM

Reply
Michael,

You may be right. However they think differently than we do. To work with their thought process consider this a range. 3.1.4.31 falls in the range of 3.1.4.30 - 3.1.4.40 and both use the same file.

And, as another stated on this thread, if you run the following

lslpp -l bos.rte.control

and it returns a level in the table "The following fileset levels are vulnerable:" then you need the update.

------------------------------
Robert Berendt IBMChampion
------------------------------

Original Message
9. RE: Is VIOS 3.1.4.31 affected by CVE-2024-25062?

0 Like
Michal Kozlowski
Posted Thu June 06, 2024 03:39 AM

Reply
Hi Robert,

IBM updated advisory:

https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory6.asc

First Issued: Wed May 8 16:18:28 CDT 2024 |Updated: Tue Jun 4 15:20:02 CDT 2024 |Update: iFix added for VIOS 3.1.4.31.

Regards,

Michal

------------------------------
Michal Kozlowski
------------------------------

Original Message

IBM Power

Connect, learn, share, and engage with IBM Power.

PowerVM