I did the installation via the HMC CLI with the installios cmd and did not specify any flags other than the "mandatory" ones (like ISO image location path etc.), but I would be curious whether there are some extra flags, for example to have this python installed by default etc.
Original Message:
Sent: Thu June 20, 2024 05:58 AM
From: Michal Kozlowski
Subject: VIOS CVEs: To find out whether the affected filesets are installed on your systems...
Hi Tommi,
I don't know whether, when installing VIOS from flash.iso, you can choose whether or not to install python. I think that by default python is installed.
Based on another thread in this community, I know (but I also didn't test it) that python can be removed from AIX 7.3 without problems.
Unfortunately I have no possibility to check the installation now, but the installation iso contains python.
#csum -h MD5 /home/padmin/Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso
0a913fef967529d7decf650ff0969de6 /home/padmin/Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso
#loopmount -i /home/padmin/Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso -o "-V udfs -o ro" -m /mnt
# mount | grep mnt
/dev/loop0 /mnt udfs Jun 20 12:20 ro
#lsmksysb -f /mnt/usr/sys/inst.images/mksysb_image | grep python3
New volume on /mnt/usr/sys/inst.images/mksysb_image:
Cluster size is 51200 bytes (100 blocks).
The volume number is 1.
The backup date is: Sat Oct 28 00:46:00 IST 2023
Files are backed up by name.
The user is .
30 ./usr/bin/python3
37 ./usr/bin/python3-config
30 ./usr/bin/python3.9
37 ./usr/bin/python3.9-config
0 ./usr/lpp/python3.9.base
<..>
85249 ./lpp/python3.9.base/deinstl/python3.9.base.sec
The number of archived files is 69566.
Regards,
Michal
------------------------------
Michal Kozlowski
Original Message:
Sent: Wed June 19, 2024 05:06 AM
From: Tommi Sihvo
Subject: VIOS CVEs: To find out whether the affected filesets are installed on your systems...
Hi,
VIOS 4.1.0 is based on AIX 7.3 and contains python in default installation.
>> Hmmm.. I have VIOS image built from Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso..and don't have python there..?
Br,
tommi
------------------------------
Tommi Sihvo, Lead Service Architect
Tietoevry Tech Services
email tommi.sihvo@tietoevry.com mobile +358 (0)40 5180 Finland
Original Message:
Sent: Wed June 19, 2024 04:59 AM
From: Michal Kozlowski
Subject: VIOS CVEs: To find out whether the affected filesets are installed on your systems...
In context of Q2.
Simplified:
VIOS 4.1.0 is based on AIX 7.3 and contains python in the default installation.
VIOS 3.1.3.x and 3.1.4.x are based on AIX 7.2 and do not contain python in the default installation.
(I omit previous releases of VIOS, because at this moment (June 2024) they have reached their End of Fix Support (EoFS) date.)
References:
https://www.ibm.com/support/pages/virtual-io-server-vios-maintenance-strategy
https://www.ibm.com/support/pages/powervm-vios-lifecycle-information
The quoted Security Bulletin contains information about Affected Products:
Affected Product(s) | Version(s) |
AIX | 7.3 |
VIOS | 4.1 |
Regards,
Michal
------------------------------
Michal Kozlowski
Original Message:
Sent: Mon June 17, 2024 12:48 AM
From: Tommi Sihvo
Subject: VIOS CVEs: To find out whether the affected filesets are installed on your systems...
Hi Robert;
Q1: Then this means that I do not have that particular something.something and there's no need for me to apply that fix?
> That is correct; if lslpp does not return anything, U don't have the package installed and are not affected. Some vulnerabilities, however, might be related to rpm packages too, so U might want to double-check with the rpm -qa | grep -i something.something cmd. Python3.9 afaik is installed with the installp cmd nowadays, so it should be visible in the lslpp listing if you have it installed.
Q2: Since VIOS is kind of like a closed appliance, why would some systems have that file and others not?
> Python3.9 is not included in the base AIX / VIOS packages, but needs to be downloaded from the IBM Web Download Page and installed separately. Many people use e.g. Ansible on VIOS etc. nowadays, and Python is a pre-req for having that working, therefore folks install python to VIOS too.
There was a community discussion on which "extra" SW is supported to be installed on VIOS, even though it is a closed appliance like U mentioned.
PowerVM
------------------------------
Tommi Sihvo, Lead Service Architect
Tietoevry Tech Services
email tommi.sihvo@tietoevry.com mobile +358 (0)40 5180 Finland
Original Message:
Sent: Fri June 14, 2024 09:17 AM
From: Robert Berendt
Subject: VIOS CVEs: To find out whether the affected filesets are installed on your systems...
When I look at a VIOS CVE it often has a section like:
To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.
Example: lslpp -L | grep -i something.something
So if I do that example, and the particular something.something simply returns null like this example:
$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#
Q1: Then this means that I do not have that particular something.something and there's no need for me to apply that fix?
Q2: Since VIOS is kind of like a closed appliance, why would some systems have that file and others not?
This is not the first fix that didn't find a hit on my system. So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant
Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)
------------------------------
Robert Berendt IBMChampion
------------------------------
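The check discussed in this thread, as an added example that is not part of any poster's message: it looks for a fileset name in both the installp database (lslpp) and the rpm database, and reports the installed level so it can be compared with the bulletin. LSLPP_CMD and RPM_CMD are hypothetical override variables, and the sample records, levels and rpm names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. LSLPP_CMD and RPM_CMD are hypothetical
# override variables so the check can be exercised on constructed data.
: "${LSLPP_CMD:=lslpp -Lqc}"   # colon-separated records: package:fileset:level:...
: "${RPM_CMD:=rpm -qa}"

# Print one line per match: "<database> <name> <level>".
# Matching is case-insensitive and literal, so the dots in a name such as
# python3.9.base are not treated as regex wildcards the way plain grep -i would.
find_fileset() {
    $LSLPP_CMD 2>/dev/null | awk -F: -v n="$1" '
        /^#/ { next }                                   # skip a header line
        index(tolower($2), tolower(n)) { print "installp", $2, $3 }'
    $RPM_CMD 2>/dev/null | awk -v n="$1" '
        index(tolower($0), tolower(n)) { print "rpm", $0, "-" }'
}

# Exit status 0: present in at least one database (compare the printed level
# with the bulletin). Exit status 1: absent from both databases.
fileset_present() {
    hits=$(find_fileset "$1")
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# --- constructed sample data (levels and rpm names are made up) ---
sample_lslpp_73() {
    printf '%s\n' \
      '#Package Name:Fileset:Level:State' \
      'bos.rte:bos.rte.install:7.3.2.0: : :C:F:LPP Install Commands' \
      'python3.9.base:python3.9.base:3.9.0.0: : :C: :Python 3.9'
}
sample_lslpp_72() {
    printf '%s\n' 'bos.rte:bos.rte.install:7.2.5.0: : :C:F:LPP Install Commands'
}
sample_rpm() { printf '%s\n' 'bash-5.0.0-1.ppc' 'Python3-Example-1.0-1.ppc'; }

# On a VIOS, after oem_setup_env:   fileset_present python3.9.base
# Against the constructed data:     LSLPP_CMD=sample_lslpp_73 RPM_CMD=sample_rpm
```

Run as root after oem_setup_env, the defaults call the real lslpp and rpm commands; an exit status of 1 corresponds to the empty grep result shown in the first message of the thread.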