You can't protect against vulnerabilities discovered after the OS went EOL (it's the same for any other code running on the machine).
What you can do is mitigate its exposure: keep it in a separate, firewalled VLAN, and eventually keep it shut down unless there is a request for data.
Back up the filesystems, do a DVD backup (to ISO) and back up that too. Said backups should be held for the legal retention period for that machine.
Note that unless it's an ancient Oracle, in 99.99% of the cases it will run fine after you upgrade it all the way to AIX 7.3.
I think the other notable exception is 64-bit programs compiled on AIX 4.3.3 (the 64-bit ABI changed between 4.3.3 and 5.1), but they're few and far between.
Back up the filesystems, do a DVD backup (to ISO) and back up that too. Then clone, upgrade, and test.
Usually the customer plays stupid games like: "but it's not certified", to which the response is: "This EOL combo is also no longer certified, this OS level is guaranteed to be unsafe, the machine is decomposing, and this doesn't run on current hardware. We can upgrade and test, or you can sign a risk letter".
------------------------------
José Pina Coelho
IT Specialist at Kyndryl
------------------------------
Original Message:
Sent: Wed September 21, 2022 05:23 AM
From: Sylvain
Subject: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3
Hi,
Once we've said that "AIX 5.3 and 6.1 are no longer supported" (blah blah blah), how do we proceed in real life when we have to maintain (for legal constraints) old LPARs that host applications only working on AIX 5.3 and 6.1 and want to protect against this vulnerability?
Thanks in advance for your constructive replies.
------------------------------
Sylvain
Original Message:
Sent: Thu September 15, 2022 02:11 AM
From: Marc-Eric Kahle
Subject: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3
Hi, CVE-2022-36768 is only for the actual AIX / VIO releases (7.1, 7.2, VIO 3.1).
AIX 5.3 is End of Life (EOL 2015) and AIX 6.1 is End of Support (EOS 2017), and those releases are no longer getting new defect support. No new fixes. Anyone using those End of Life / End of Support releases should think about an upgrade to an actual level. There won't be any new fixes for those old releases.
------------------------------
Marc-Eric Kahle
Original Message:
Sent: Wed September 14, 2022 08:15 AM
From: Sylvain
Subject: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3
Does anyone know if the CVE-2022-36768 invscout vulnerability also affects AIX 6.1 and AIX 5.3?
And if so, are there any fixes or mitigation measures?
Thanks in advance.
------------------------------
Sylvain
------------------------------