AIX

  • 1.  Questions regarding OpenSSH advisories 15 and 16

    Posted Mon May 13, 2024 04:37 AM

    Hi,

    When I looked at the openssh_advisory15.asc and openssh_advisory16.asc advisories, it looked to me like they contain fixes for different vulnerabilities, because the advisories don't list the same CVE numbers, so the ifixes are not cumulative in this case.

    openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
    openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385

    Have I understood this correctly?

    And if I have, is there any chance of getting an ifix that fixes all five CVEs?

    I'm asking these questions because I cannot install both ifixes at the same time, as these ifixes update the same file(s).



    ------------------------------
    Esa Kärkkäinen
    ------------------------------


  • 2.  RE: Questions regarding OpenSSH advisories 15 and 16

    Posted Tue May 14, 2024 04:05 AM

    Hi!

    Why do you think that for these advisories the fixes would not be cumulative?  The advisory says:

    Note that [..], and AIX OpenSSH fixes are cumulative.

    Best regards,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 3.  RE: Questions regarding OpenSSH advisories 15 and 16

    Posted Tue May 14, 2024 04:08 AM

    Hi again!

    Rereading your post, I see your argument :)

    But the new advisories list only the new vulnerabilities they fix.  So installing the fix from advisory 16 will not only fix CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385, but, as the fixes are cumulative, also CVE-2023-38408 and CVE-2023-40371 from advisory 15.

    Best regards,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 4.  RE: Questions regarding OpenSSH advisories 15 and 16

    Posted Tue May 14, 2024 04:41 AM

    Hello,

    Welp, that's one problem when the job of parsing advisories has been outsourced to a parser I wrote.

    The other data point is that apar.csv, as parsed by flrtvc.ksh, reports that the fixes from OpenSSH advisories 15 and 16 must be installed simultaneously.

    N.B. the output from the commands has been redacted to contain only OpenSSH related information.

    # lslpp -l openssh.\*
      Fileset                      Level  State      Description
      ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
      openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands
                                          EFIXLOCKED
      openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server
                                          EFIXLOCKED
      openssh.license       9.2.112.2000  COMMITTED  Open Secure Shell License
      openssh.man.en_US     9.2.112.2000  COMMITTED  Open Secure Shell
                                                     Documentation - U.S. English
    
    Path: /etc/objrepos
      openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands
                                          EFIXLOCKED
      openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server
                                          EFIXLOCKED
    # emgr -P
    
    PACKAGE                                                  INSTALLER   LABEL
    ======================================================== =========== ==========
    openssh.base.client                                      installp    92112ma
    openssh.base.server                                      installp    92112ma
    # flrtvc.ksh
    Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In
    openssh.base.client|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
    openssh.base.server|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
    #


    ------------------------------
    Esa Kärkkäinen
    ------------------------------
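The flrtvc.ksh row above lists the installed ifix label (92112ma, per `emgr -P`) in its own APARs field while still reporting NOT FIXED. The following is an added example, not code from this thread or from IBM's flrtvc.ksh, that parses both outputs and flags exactly that kind of disagreement so it can be checked against the bulletin instead of being trusted blindly. Assumptions: the pipe-delimited field order is the header line flrtvc.ksh prints; the Unsafe Versions field is a single low-high range; the status names (FIXED, NOT_AFFECTED, CONFLICT, VULNERABLE) are this example's own labels, not flrtvc terminology; the sample inputs are constructed from the rows posted above, trimmed to the OpenSSH filesets.

```python
"""Cross-check flrtvc.ksh rows against ifix labels reported by `emgr -P`.

Added example for the thread above; not part of flrtvc.ksh. Sample inputs
are constructed from the output posted in the thread, not captured live.
"""
import re
from dataclasses import dataclass

# Constructed sample: flrtvc.ksh rows as posted above (header first).
FLRTVC_SAMPLE = """\
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In
openssh.base.client|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
openssh.base.server|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
"""

# Constructed sample: `emgr -P` output as posted above.
EMGR_SAMPLE = """\
PACKAGE                                                  INSTALLER   LABEL
======================================================== =========== ==========
openssh.base.client                                      installp    92112ma
openssh.base.server                                      installp    92112ma
"""


@dataclass
class Row:
    fileset: str
    version: str
    efix_installed: str   # empty when flrtvc did not see a matching efix
    unsafe_range: str     # "low-high" (assumed single range)
    apars: list           # APAR numbers, efix labels and CVE ids, as listed
    cvss: dict            # CVE id -> base score
    bulletin: str


def parse_flrtvc(text: str) -> list:
    """Parse pipe-delimited flrtvc.ksh output; the first line is the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("|")
        if len(fields) != len(header):   # refuse to guess on a malformed row
            raise ValueError(f"expected {len(header)} fields, got {len(fields)}: {ln[:60]}")
        rec = dict(zip(header, fields))
        cvss = {}
        for item in rec["CVSS Base Score"].split():   # "CVE-2023-38408:8.1 ..."
            cve, _, score = item.rpartition(":")
            cvss[cve] = float(score)
        rows.append(Row(
            fileset=rec["Fileset"], version=rec["Current Version"],
            efix_installed=rec["EFix Installed"], unsafe_range=rec["Unsafe Versions"],
            apars=[a.strip() for a in rec["APARs"].split("/") if a.strip()],
            cvss=cvss, bulletin=rec["Bulletin URL"]))
    return rows


def parse_emgr(text: str) -> dict:
    """Parse `emgr -P` output into {package: {label, ...}}."""
    installed = {}
    for ln in text.splitlines():
        parts = ln.split()
        if len(parts) != 3 or parts[0] == "PACKAGE" or parts[0].startswith("="):
            continue   # skip the header and the ===== underline
        installed.setdefault(parts[0], set()).add(parts[2])
    return installed


def _vtuple(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def in_unsafe_range(version: str, unsafe: str) -> bool:
    """True if a dotted fileset level lies inside an flrtvc 'low-high' range."""
    low, _, high = unsafe.partition("-")
    return _vtuple(low) <= _vtuple(version) <= _vtuple(high)


def assess(row: Row, installed: dict) -> str:
    """Classify one flrtvc row against the emgr labels for the same fileset.

    CONFLICT means emgr shows an ifix label that the row itself lists among
    its fixes while flrtvc still reports it unfixed: verify against the
    bulletin (and the flrtvc.ksh / apar.csv version) before acting.
    """
    labels = installed.get(row.fileset, set())
    if row.efix_installed:
        return "FIXED"
    if not in_unsafe_range(row.version, row.unsafe_range):
        return "NOT_AFFECTED"
    if labels & set(row.apars):
        return "CONFLICT"
    return "VULNERABLE"


def report(flrtvc_text: str, emgr_text: str) -> list:
    """One summary dict per flrtvc row, with the cross-check verdict."""
    installed = parse_emgr(emgr_text)
    return [{
        "fileset": row.fileset,
        "status": assess(row, installed),
        "cves": sorted(row.cvss),
        "max_cvss": max(row.cvss.values(), default=0.0),
        "installed_labels": sorted(installed.get(row.fileset, ())),
        "bulletin": row.bulletin,
    } for row in parse_flrtvc(flrtvc_text)]


if __name__ == "__main__":
    for entry in report(FLRTVC_SAMPLE, EMGR_SAMPLE):
        print(f"{entry['fileset']}: {entry['status']} "
              f"(max CVSS {entry['max_cvss']}, installed {entry['installed_labels']})")
```

On the posted data both OpenSSH filesets come out as CONFLICT: the host has 92112ma installed, the row names 92112ma as one of its fixes, yet flrtvc.ksh prints NOT FIXED. Feed the real outputs in with `flrtvc.ksh > flrtvc.txt; emgr -P > emgr.txt` and pass the file contents to `report()`; a CONFLICT is the cue to read the bulletin URL and check the flrtvc.ksh version rather than to install a second ifix on top of the first.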



  • 5.  RE: Questions regarding OpenSSH advisories 15 and 16

    Posted Tue May 14, 2024 09:02 AM

    Hi!

    While setting up a new VIOS, I tried to check it.

    I have the following patches installed:

    As you can see I have the ifixes from advisory16 installed (and am still on openssh 8.x)

    Using the FLRTVC I get the following shown regarding openssh:

    As you can see both advisory15 and advisory16 are shown as fixed.

    Hope that helps,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 6.  RE: Questions regarding OpenSSH advisories 15 and 16

    Posted Tue May 14, 2024 09:46 AM

    Hi Esa,

    What version of flrtvc.ksh are you using? I.e., cat flrtvc.ksh | grep -i version

    The latest version (0.8.8) should provide output similar to what Alexander sees with FLRTVC Online, showing that the fixes from openssh_advisory16.asc cover advisory15.



    ------------------------------
    Roy ST. JOHN
    ------------------------------