AIX

Hi,

When I looked at openssh_advisory15.asc and openssh_advisory16.asc advisories, it looks like to me that these have fixes for different vulnerabilities, because the advisories don't have same CVE numbers so the ifixes are not cumulative in this case.

openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385

Have I understood this correctly?

And if I have, is there any chance of getting a ifix that fixes all five CVEs?

I'm asking these questions because I cannot install both ifixes at the same time, because these ifixes update same file(s).

Hi,

When I looked at openssh_advisory15.asc and openssh_advisory16.asc advisories, it looks like to me that these have fixes for different vulnerabilities, because the advisories don't have same CVE numbers so the ifixes are not cumulative in this case.

openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385

Have I understood this correctly?

And if I have, is there any chance of getting a ifix that fixes all five CVEs?

I'm asking these questions because I cannot install both ifixes at the same time, because these ifixes update same file(s).

Hi again!

Rereading your post, I see your argument :)

But the new advisories list only the new vulnerabilities it fixes.  So installing the fix of advistory16 will not only fix CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385, but as they are cumulative also CVE-2023-38408 and CVE-2023-40371 from advisory 15.

Best regards,

  Alexander

Hi,

When I looked at openssh_advisory15.asc and openssh_advisory16.asc advisories, it looks like to me that these have fixes for different vulnerabilities, because the advisories don't have same CVE numbers so the ifixes are not cumulative in this case.

openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385

Have I understood this correctly?

And if I have, is there any chance of getting a ifix that fixes all five CVEs?

I'm asking these questions because I cannot install both ifixes at the same time, because these ifixes update same file(s).

Hello,

Welp that's one problem when the job of parsing advisories has been outsourced to a parser I wrote.

The other datapoint is apar.csv parsed by flrtvc.ksh reports that the fixes from OpenSSH advisories15 and 16 must be installed simultanously.

N.B. the output from the commands has been redacted to contain only OpenSSH related information.

lslpp -l openssh.\*  Fileset                      Level  State      Description  ----------------------------------------------------------------------------Path: /usr/lib/objrepos  openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands                                      EFIXLOCKED  openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server                                      EFIXLOCKED  openssh.license       9.2.112.2000  COMMITTED  Open Secure Shell License  openssh.man.en_US     9.2.112.2000  COMMITTED  Open Secure Shell                                                 Documentation - U.S. EnglishPath: /etc/objrepos  openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands                                      EFIXLOCKED  openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server                                      EFIXLOCKED# emgr -PPACKAGE                                                  INSTALLER   LABEL======================================================== =========== ==========openssh.base.client                                      installp    92112maopenssh.base.server                                      installp    92112ma# flrtvc.kshFileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed Inopenssh.base.client|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletinopenssh.base.server|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin#

Hi again!

Rereading your post, I see your argument :)

But the new advisories list only the new vulnerabilities it fixes.  So installing the fix of advistory16 will not only fix CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385, but as they are cumulative also CVE-2023-38408 and CVE-2023-40371 from advisory 15.

Best regards,

  Alexander

Hi,

When I looked at openssh_advisory15.asc and openssh_advisory16.asc advisories, it looks like to me that these have fixes for different vulnerabilities, because the advisories don't have same CVE numbers so the ifixes are not cumulative in this case.

openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385

Have I understood this correctly?

And if I have, is there any chance of getting a ifix that fixes all five CVEs?

I'm asking these questions because I cannot install both ifixes at the same time, because these ifixes update same file(s).

Hello,

Welp that's one problem when the job of parsing advisories has been outsourced to a parser I wrote.

The other datapoint is apar.csv parsed by flrtvc.ksh reports that the fixes from OpenSSH advisories15 and 16 must be installed simultanously.

N.B. the output from the commands has been redacted to contain only OpenSSH related information.

lslpp -l openssh.\*  Fileset                      Level  State      Description  ----------------------------------------------------------------------------Path: /usr/lib/objrepos  openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands                                      EFIXLOCKED  openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server                                      EFIXLOCKED  openssh.license       9.2.112.2000  COMMITTED  Open Secure Shell License  openssh.man.en_US     9.2.112.2000  COMMITTED  Open Secure Shell                                                 Documentation - U.S. EnglishPath: /etc/objrepos  openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands                                      EFIXLOCKED  openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server                                      EFIXLOCKED# emgr -PPACKAGE                                                  INSTALLER   LABEL======================================================== =========== ==========openssh.base.client                                      installp    92112maopenssh.base.server                                      installp    92112ma# flrtvc.kshFileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed Inopenssh.base.client|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletinopenssh.base.server|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin#

Hi again!

Rereading your post, I see your argument :)

But the new advisories list only the new vulnerabilities it fixes.  So installing the fix of advistory16 will not only fix CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385, but as they are cumulative also CVE-2023-38408 and CVE-2023-40371 from advisory 15.

Best regards,

  Alexander

Hi,

When I looked at openssh_advisory15.asc and openssh_advisory16.asc advisories, it looks like to me that these have fixes for different vulnerabilities, because the advisories don't have same CVE numbers so the ifixes are not cumulative in this case.

openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385

Have I understood this correctly?

And if I have, is there any chance of getting a ifix that fixes all five CVEs?

I'm asking these questions because I cannot install both ifixes at the same time, because these ifixes update same file(s).