AIX

  • 1.  CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3

    Posted Wed September 14, 2022 08:15 AM
    Does anyone know if the CVE-2022-36768 invscout vulnerability also affects AIX 6.1 and AIX 5.3?

    And if so, are there any fixes or mitigation measures?

    Thanks in advance.

    ------------------------------
    Sylvain
    ------------------------------


  • 2.  RE: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3

    Posted Thu September 15, 2022 02:12 AM

    Hi, CVE-2022-36768 is only for the current AIX / VIO releases (7.1, 7.2, VIO 3.1).

    AIX 5.3 is End of Life (EOL 2015) and AIX 6.1 (EOS 2017) is End of Support, and those releases are no longer getting new defect support. No new fixes. Anyone using those End of Life / End of Support releases should think about an upgrade to a current level. There won't be any new fixes for those old releases.



    ------------------------------
    Marc-Eric Kahle
    ------------------------------



  • 3.  RE: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3

    Posted Wed September 21, 2022 05:23 AM
    Hi,
    Once we've said that "AIX 5.3 and 6.1 are no longer supported" (blah blah blah), how do we proceed in real life when we have to maintain (for legal constraints) old LPARs that host applications only working on AIX 5.3 and 6.1 and want to protect against this vulnerability?

    Thanks in advance for your constructive replies.


    ------------------------------
    Sylvain
    ------------------------------



  • 4.  RE: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3

    Posted Thu September 22, 2022 03:31 AM
    AIX has a long release cycle and provides end-of-support information well in advance. After that there is also extended support.
    That is the time one should plan to migrate their application/workload to a newer level of AIX.
    It is not possible to keep supporting a platform forever. It is not feasible.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 5.  RE: CVE-2022-36768 invscout vulnerability and AIX 6.1 and AIX 5.3

    IBM Champion
    Posted Thu September 22, 2022 03:40 AM

    You can't protect against vulnerabilities discovered after the OS went EOL (it's the same for any other code running on the machine).

    What you can do is mitigate its exposure: keep it in a separate, firewalled VLAN, and eventually keep it shut down unless there is a request for data.
    Back up the filesystems, do a DVD backup (to ISO) and back up that too. Said backups should be held for the legal retention period for that machine.

    Note that unless it's an ancient Oracle, in 99.99% of the cases it will run fine after you upgrade it all the way to AIX 7.3.
    I think the other notable exception is 64-bit programs compiled on AIX 4.3.3 (the 64-bit ABI changed between 4.3.3 and 5.1), but they're few and far between.

    Back up the filesystems, do a DVD backup (to ISO) and back up that too. Then clone, upgrade, and test.

    Usually the customer plays stupid games like: "but it's not certified", to which the response is: "This EOL combo is also no longer certified, this OS level is guaranteed to be unsafe, the machine is decomposing, and this doesn't run on current hardware. We can upgrade and test, or you can sign a risk letter".



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------
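
The reply above says to back up the filesystems and the DVD/ISO image and hold those backups for the legal retention period. A backup you cannot prove intact at the end of that period is not worth much, so the added example below (not from the thread or from IBM; written for this page) records a SHA-256 manifest of a backup directory and re-verifies it later, reporting missing or altered images. It is POSIX sh with `find`, `awk` and `sha256sum` or `openssl`, so it runs on AIX as well as on a Linux archive host. The file names (`lpar01.mksysb`, `lpar01.iso`), the directory layout and the `MANIFEST.sha256` name are assumptions for the demonstration; the `demo` function builds stand-in files in a temporary directory and simulates a corrupted ISO.

```sh
#!/bin/sh
# Added example, not part of the original post: integrity manifest for
# retained backup images (mksysb, ISO, filesystem archives) of an EOL LPAR.
# Assumptions: sha256sum (Linux coreutils) or openssl (AIX openssl.base)
# is installed; file and directory names are placeholders for the demo.

# Print the SHA-256 hex digest of one file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        # openssl -r prints "<hex> *<file>" (coreutils style); keep the hex.
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# Write "<hex>  <relative path>" for every regular file under $1 into $2.
# The manifest itself is excluded by name so re-runs stay reproducible.
write_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    ( cd "$dir" && find . -type f ! -name "$(basename "$manifest")" | LC_ALL=C sort ) |
    while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$manifest"
    done
}

# Re-hash every file listed in manifest $2 relative to $1.
# Returns 0 when all match, 1 on any missing/mismatched file or empty manifest.
verify_manifest() {
    dir=$1; manifest=$2; status=0
    if [ ! -s "$manifest" ]; then
        echo "EMPTY    $manifest" >&2
        return 1
    fi
    while IFS= read -r line; do
        expected=${line%%  *}
        f=${line#*  }
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $f" >&2; status=1; continue
        fi
        actual=$(sha256_of "$dir/$f")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $f" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demonstration: stand-in files play the role of the mksysb
# image and the DVD ISO; a real run points $bdir at the backup directory.
demo() {
    bdir=$(mktemp -d) || return 2
    m=$bdir/MANIFEST.sha256
    printf 'pretend mksysb image\n' > "$bdir/lpar01.mksysb"
    printf 'pretend dvd iso\n'      > "$bdir/lpar01.iso"
    write_manifest "$bdir" "$m"
    if verify_manifest "$bdir" "$m"; then clean=0; else clean=1; fi
    printf 'x' >> "$bdir/lpar01.iso"        # simulate bit-rot or tampering
    if verify_manifest "$bdir" "$m"; then tampered=0; else tampered=1; fi
    rm -rf "$bdir"
    echo "clean=$clean tampered=$tampered"   # expected: clean=0 tampered=1
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

Keep a copy of `MANIFEST.sha256` outside the backup directory (and ideally signed or stored under a separate retention system), since a manifest kept only next to the images can be rewritten together with them. The line format is the one `sha256sum -c` accepts on Linux, so a routine re-check can also be `cd /backups/lpar01 && sha256sum -c MANIFEST.sha256`; on AIX use the `verify_manifest` function as written.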