IBM SECURITY ADVISORY

First Issued: Wed Dec 14 09:18:26 CST 2022
|Updated: Wed Apr 5 13:56:20 CDT 2023
|Update: Corrected the affected upper fileset levels for VIOS to show that
|   VIOS 3.1.2.50 and 3.1.3.30 are affected.
|   Added iFixes for VIOS 3.1.2.50 and 3.1.3.30.
|   This update applies to the kernel, perfstat, and pfcdd
|   portions of the bulletin.

The most recent version of this document is available here:
https://aix.software.ibm.com/aix/efixes/security/kernel_advisory5.asc

Security Bulletin: AIX is vulnerable to denial of service vulnerabilities

===============================================================================

SUMMARY:

    Vulnerabilities in the AIX kernel and kernel extensions could allow a
    non-privileged local user to cause a denial of service (CVE-2022-43380,
    CVE-2022-40233, CVE-2022-39165, CVE-2022-43848, CVE-2022-43849,
    CVE-2022-39164).

===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2022-39164
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39164
    DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit
        a vulnerability in the AIX kernel to obtain root privileges.
    CVSS Base Score: 6.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/235181
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    CVEID: CVE-2022-43380
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43380
    DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit
        a vulnerability in the AIX NFS kernel extension to cause a denial
        of service.
    CVSS Base Score: 6.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/238640
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    CVEID: CVE-2022-40233
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40233
    DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit
        a vulnerability in the AIX TCP/IP kernel extension to cause a
        denial of service.
    CVSS Base Score: 6.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/235599
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    CVEID: CVE-2022-39165
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39165
    DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit
        a vulnerability in CAA to cause a denial of service.
    CVSS Base Score: 6.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/235183
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    CVEID: CVE-2022-43848
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43848
    DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit
        a vulnerability in the AIX perfstat kernel extension to cause a
        denial of service.
    CVSS Base Score: 6.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/239169
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    CVEID: CVE-2022-43849
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43849
    DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit
        a vulnerability in the AIX pfcdd kernel extension to cause a
        denial of service.
    CVSS Base Score: 6.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/239170
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

AFFECTED PRODUCTS AND VERSIONS:

    AIX 7.1, 7.2, 7.3
    VIOS 3.1

    The vulnerabilities in the following filesets are being addressed:

    key_fileset = aix

    Fileset                  Lower Level  Upper Level  KEY
    ---------------------------------------------------------
    bos.cluster.rte          7.1.5.0      7.1.5.39     key_w_fs
|   bos.mp64                 7.1.5.0      7.1.5.47     key_w_fs
    bos.net.nfs.client       7.1.5.0      7.1.5.38     key_w_fs
    bos.net.tcp.client       7.1.5.0      7.1.5.41     key_w_fs
    bos.perf.perfstat        7.1.5.0      7.1.5.32     key_w_fs
|   bos.pfcdd.rte            7.1.5.0      7.1.5.34     key_w_fs
    bos.cluster.rte          7.2.5.0      7.2.5.2      key_w_fs
|   bos.mp64                 7.2.5.0      7.2.5.6      key_w_fs
    bos.net.nfs.client       7.2.5.0      7.2.5.3      key_w_fs
    bos.net.tcp.client_core  7.2.5.0      7.2.5.4      key_w_fs
    bos.perf.perfstat        7.2.5.0      7.2.5.0      key_w_fs
|   bos.pfcdd.rte            7.2.5.0      7.2.5.2      key_w_fs
    bos.cluster.rte          7.2.5.100    7.2.5.102    key_w_fs
|   bos.mp64                 7.2.5.100    7.2.5.106    key_w_fs
    bos.net.nfs.client       7.2.5.100    7.2.5.101    key_w_fs
    bos.net.tcp.client_core  7.2.5.100    7.2.5.104    key_w_fs
    bos.perf.perfstat        7.2.5.100    7.2.5.101    key_w_fs
|   bos.pfcdd.rte            7.2.5.100    7.2.5.102    key_w_fs
    bos.mp64                 7.2.5.200    7.2.5.201    key_w_fs
    bos.perf.perfstat        7.2.5.200    7.2.5.200    key_w_fs
|   bos.pfcdd.rte            7.2.5.200    7.2.5.200    key_w_fs
    bos.cluster.rte          7.3.0.0      7.3.0.1      key_w_fs
    bos.net.tcp.client_core  7.3.0.0      7.3.0.2      key_w_fs
|   bos.mp64                 7.3.0.0      7.3.0.4      key_w_fs
    bos.net.nfs.client       7.3.0.0      7.3.0.1      key_w_fs
|   bos.perf.perfstat        7.3.0.0      7.3.0.1      key_w_fs
|   bos.pfcdd.rte            7.3.0.0      7.3.0.2      key_w_fs
    bos.mp64                 7.3.1.0      7.3.1.1      key_w_fs
    bos.perf.perfstat        7.3.1.0      7.3.1.0      key_w_fs

    To find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in AIX user's guide.

    Example: lslpp -L | grep -i bos.mp64

REMEDIATION:

    A. APARS

        IBM has assigned the following APARs to this problem:

        For kernel:

        AIX Level  APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
|       7.1.5      IJ43967  **            SP12      key_w_apar  kernel
        7.2.5      IJ43869  **            SP06      key_w_apar  kernel
|       7.3.0      IJ43875  **            SP04      key_w_apar  kernel
        7.3.1      IJ44594  **            SP02      key_w_apar  kernel

        VIOS Level APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
|       3.1.2      IJ43995  **            3.1.2.60  key_w_apar  kernel
|       3.1.3      IJ45541  **            3.1.3.40  key_w_apar  kernel
        3.1.4      IJ43869  **            3.1.4.20  key_w_apar  kernel

        For CAA kernel extension:

        AIX Level  APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
        7.1.5      IJ43099  **            SP11      key_w_apar  CAA
        7.2.5      IJ41975  **            SP05      key_w_apar  CAA
        7.3.0      IJ42938  **            SP03      key_w_apar  CAA

        VIOS Level APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
        3.1.2      IJ44115  **            3.1.2.50  key_w_apar  CAA
        3.1.3      IJ41975  **            3.1.3.30  key_w_apar  CAA

        For NFS kernel extension:

        AIX Level  APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
        7.1.5      IJ43072  **            SP11      key_w_apar  NFS
        7.2.5      IJ42159  **            SP05      key_w_apar  NFS
        7.3.0      IJ43468  **            SP03      key_w_apar  NFS

        VIOS Level APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
        3.1.2      IJ43674  **            3.1.2.50  key_w_apar  NFS
        3.1.3      IJ42159  **            3.1.3.30  key_w_apar  NFS

        For TCP/IP kernel extension:

        AIX Level  APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
        7.1.5      IJ43098  **            SP11      key_w_apar  TCPIP
        7.2.5      IJ41974  **            SP05      key_w_apar  TCPIP
        7.3.0      IJ42937  **            SP03      key_w_apar  TCPIP

        VIOS Level APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
        3.1.2      IJ43598  **            3.1.2.50  key_w_apar  TCPIP
        3.1.3      IJ41974  **            3.1.3.30  key_w_apar  TCPIP

        For perfstat kernel extension:

        AIX Level  APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
|       7.1.5      IJ43970  **            SP12      key_w_apar  perfstat
        7.2.5      IJ43876  **            SP06      key_w_apar  perfstat
|       7.3.0      IJ43891  **            SP04      key_w_apar  perfstat
        7.3.1      IJ44595  **            SP02      key_w_apar  perfstat

        VIOS Level APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
|       3.1.2      IJ44114  **            3.1.2.60  key_w_apar  perfstat
|       3.1.3      IJ43876  **            3.1.3.40  key_w_apar  perfstat
        3.1.4      IJ43876  **            3.1.4.20  key_w_apar  perfstat

        For pfcdd kernel extension:

        AIX Level  APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
|       7.1.5      IJ43980  **            SP12      key_w_apar  pfcdd
        7.2.5      IJ43877  **            SP06      key_w_apar  pfcdd
|       7.3.0      IJ43893  **            SP04      key_w_apar  pfcdd

        VIOS Level APAR     Availability  SP        KEY         PRODUCT(S)
        -----------------------------------------------------------------
|       3.1.2      IJ46105  **            3.1.2.60  key_w_apar  pfcdd
|       3.1.3      IJ46068  **            3.1.3.40  key_w_apar  pfcdd
|       3.1.4      IJ43877  **            3.1.4.20  key_w_apar  pfcdd

        Subscribe to the APARs here:

        https://www.ibm.com/support/pages/apar/[APAR Number]

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        IBM strongly recommends addressing the vulnerability now.

        AIX and VIOS fixes are available.

        An LPAR system reboot is required to complete the iFix installation,
        or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

        The AIX and VIOS fixes can be downloaded via https from:

        https://aix.software.ibm.com/aix/efixes/security/kernel_fix5.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        For kernel:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        7.1.5.8    IJ43967m8a.221110.epkg.Z  key_w_fix  kernel
        7.1.5.9    IJ43967m9a.221102.epkg.Z  key_w_fix  kernel
        7.1.5.9    IJ43967m9b.221111.epkg.Z  key_w_fix  kernel
        7.1.5.10   IJ43967mAa.221024.epkg.Z  key_w_fix  kernel
|       7.1.5.11   IJ43967sBa.230314.epkg.Z  key_w_fix  kernel
|       7.2.5.3    IJ43869m3c.230216.epkg.Z  key_w_fix  kernel
|       7.2.5.3    IJ43869m3d.230216.epkg.Z  key_w_fix  kernel
|       7.2.5.4    IJ43869m4b.230216.epkg.Z  key_w_fix  kernel
|       7.2.5.5    IJ43869m5b.230216.epkg.Z  key_w_fix  kernel
|       7.3.0.1    IJ43875m1b.230216.epkg.Z  key_w_fix  kernel
|       7.3.0.2    IJ43875m2b.230216.epkg.Z  key_w_fix  kernel
|       7.3.0.3    IJ43875s3a.230314.epkg.Z  key_w_fix  kernel
|       7.3.1.1    IJ44594m1a.230216.epkg.Z  key_w_fix  kernel

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

        NOTE: Multiple iFixes are provided for AIX 7100-05-09 and
        7200-05-03.
        IJ43967m9a is for AIX 7100-05-09 with bos.mp64 fileset level 7.1.5.45.
        IJ43967m9b is for AIX 7100-05-09 with bos.mp64 fileset level 7.1.5.44.
|       IJ43869m3c is for AIX 7200-05-03 with bos.mp64 fileset level 7.2.5.103.
|       IJ43869m3d is for AIX 7200-05-03 with bos.mp64 fileset level 7.2.5.101.

        Please reference the Affected Products and Version section above
        for help with checking installed fileset levels.
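
The fileset check described under AFFECTED PRODUCTS AND VERSIONS, as an added example that is not part of IBM's advisory: it reads `lslpp -L` output and reports every installed fileset whose level lies inside one of the advisory's lower/upper ranges, comparing levels numerically field by field (a plain string comparison would place 7.2.5.102 below 7.2.5.3). The names `AFFECTED_RANGES`, `SAMPLE_LSLPP` and `affected_filesets` are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not IBM code.

# "fileset lower upper" rows copied from the advisory's fileset table.
AFFECTED_RANGES='bos.cluster.rte 7.1.5.0 7.1.5.39
bos.mp64 7.1.5.0 7.1.5.47
bos.net.nfs.client 7.1.5.0 7.1.5.38
bos.net.tcp.client 7.1.5.0 7.1.5.41
bos.perf.perfstat 7.1.5.0 7.1.5.32
bos.pfcdd.rte 7.1.5.0 7.1.5.34
bos.cluster.rte 7.2.5.0 7.2.5.2
bos.mp64 7.2.5.0 7.2.5.6
bos.net.nfs.client 7.2.5.0 7.2.5.3
bos.net.tcp.client_core 7.2.5.0 7.2.5.4
bos.perf.perfstat 7.2.5.0 7.2.5.0
bos.pfcdd.rte 7.2.5.0 7.2.5.2
bos.cluster.rte 7.2.5.100 7.2.5.102
bos.mp64 7.2.5.100 7.2.5.106
bos.net.nfs.client 7.2.5.100 7.2.5.101
bos.net.tcp.client_core 7.2.5.100 7.2.5.104
bos.perf.perfstat 7.2.5.100 7.2.5.101
bos.pfcdd.rte 7.2.5.100 7.2.5.102
bos.mp64 7.2.5.200 7.2.5.201
bos.perf.perfstat 7.2.5.200 7.2.5.200
bos.pfcdd.rte 7.2.5.200 7.2.5.200
bos.cluster.rte 7.3.0.0 7.3.0.1
bos.net.tcp.client_core 7.3.0.0 7.3.0.2
bos.mp64 7.3.0.0 7.3.0.4
bos.net.nfs.client 7.3.0.0 7.3.0.1
bos.perf.perfstat 7.3.0.0 7.3.0.1
bos.pfcdd.rte 7.3.0.0 7.3.0.2
bos.mp64 7.3.1.0 7.3.1.1
bos.perf.perfstat 7.3.1.0 7.3.1.0'

# Constructed sample of `lslpp -L` output: fileset, level, state, type, description.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------
  bos.mp64                 7.2.5.103    C     F    constructed sample row
  bos.net.nfs.client       7.2.5.102    C     F    constructed sample row
  bos.perf.perfstat        7.2.5.100    C     F    constructed sample row
  bos.rte.security         7.2.5.103    C     F    constructed sample row'

# Reads `lslpp -L` text on stdin and prints "fileset level lower-upper"
# for every installed fileset that falls inside an affected range.
affected_filesets() {
    {
        # Tag the range rows "R" and the lslpp rows "I" so one awk pass sees both.
        printf '%s\n' "$AFFECTED_RANGES" | sed 's/^/R /'
        sed 's/^/I /'
    } | awk '
    # Compare two dotted levels numerically, field by field: returns -1, 0 or 1.
    function cmp(a, b,    x, y, na, nb, n, i, xi, yi) {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) return (xi < yi) ? -1 : 1
        }
        return 0
    }
    $1 == "R" { cnt++; fs[cnt] = $2; lo[cnt] = $3; hi[cnt] = $4; next }
    # Header and separator lines have no dotted numeric level in field 3.
    $1 == "I" && $3 ~ /^[0-9]+(\.[0-9]+)+$/ {
        for (k = 1; k <= cnt; k++)
            if (fs[k] == $2 && cmp($3, lo[k]) >= 0 && cmp($3, hi[k]) <= 0)
                print $2, $3, lo[k] "-" hi[k]
    }'
}

# On a real host: lslpp -L | affected_filesets
printf '%s\n' "$SAMPLE_LSLPP" | affected_filesets
```

A fileset that is reported here still needs the iFix that matches its exact level where the advisory lists more than one for the same TL/SP.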

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        3.1.2.21    IJ43995m2b.221027.epkg.Z  key_w_fix  kernel
        3.1.2.30    IJ43995m2c.221212.epkg.Z  key_w_fix  kernel
        3.1.2.40    IJ43995m2a.221025.epkg.Z  key_w_fix  kernel
|       3.1.2.50    IJ43995s5a.230404.epkg.Z  key_w_fix  kernel
        3.1.3.10    IJ43869m3b.221212.epkg.Z  key_w_fix  kernel
        3.1.3.14    IJ43869m3a.221025.epkg.Z  key_w_fix  kernel
        3.1.3.21    IJ43869m4a.221017.epkg.Z  key_w_fix  kernel
|       3.1.3.30    IJ45541s3b.230404.epkg.Z  key_w_fix  kernel
        3.1.4.10    IJ43869s5a.221212.epkg.Z  key_w_fix  kernel

        For CAA kernel extension:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        7.1.5.8    IJ43099m8a.221110.epkg.Z  key_w_fix  CAA
        7.1.5.9    IJ43099m9a.221102.epkg.Z  key_w_fix  CAA
        7.1.5.9    IJ43099m9b.221213.epkg.Z  key_w_fix  CAA
        7.1.5.10   IJ43099sAa.221024.epkg.Z  key_w_fix  CAA
        7.2.5.2    IJ44115m2a.221102.epkg.Z  key_w_fix  CAA
        7.2.5.3    IJ41975m3a.221027.epkg.Z  key_w_fix  CAA
        7.2.5.3    IJ41975m3b.221212.epkg.Z  key_w_fix  CAA
        7.2.5.4    IJ41975s4a.221017.epkg.Z  key_w_fix  CAA
        7.3.0.1    IJ42938m1a.221027.epkg.Z  key_w_fix  CAA
        7.3.0.2    IJ42938s2a.221018.epkg.Z  key_w_fix  CAA

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

        NOTE: Multiple iFixes are provided for AIX 7100-05-09 and
        7200-05-03.
        IJ43099m9a is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.38.
        IJ43099m9b is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.37.
        IJ41975m3a is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.101.
        IJ41975m3b is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.100.

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        3.1.2.21    IJ44115m2a.221102.epkg.Z  key_w_fix  CAA
        3.1.2.30    IJ44115m2a.221102.epkg.Z  key_w_fix  CAA
        3.1.2.40    IJ44115m2b.221213.epkg.Z  key_w_fix  CAA
        3.1.3.10    IJ41975m3b.221212.epkg.Z  key_w_fix  CAA
        3.1.3.14    IJ41975m3a.221027.epkg.Z  key_w_fix  CAA
        3.1.3.21    IJ41975s4a.221017.epkg.Z  key_w_fix  CAA

        For NFS kernel extension:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        7.1.5.8    IJ43072s8a.221110.epkg.Z  key_w_fix  NFS
        7.1.5.9    IJ43072sAa.221024.epkg.Z  key_w_fix  NFS
        7.1.5.10   IJ43072sAa.221024.epkg.Z  key_w_fix  NFS
        7.2.5.2    IJ43674s2b.221027.epkg.Z  key_w_fix  NFS
        7.2.5.3    IJ42159s3a.221025.epkg.Z  key_w_fix  NFS
        7.2.5.3    IJ42159s3b.221213.epkg.Z  key_w_fix  NFS
        7.2.5.4    IJ42159s4a.221017.epkg.Z  key_w_fix  NFS
        7.3.0.1    IJ43468s1a.221025.epkg.Z  key_w_fix  NFS
        7.3.0.2    IJ43468s2a.221017.epkg.Z  key_w_fix  NFS

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

        NOTE: Multiple iFixes are provided for AIX 7200-05-03.
        IJ42159s3a is for AIX 7200-05-03 with bos.adt.include fileset level 7.2.5.102.
        IJ42159s3b is for AIX 7200-05-03 with bos.adt.include fileset level 7.2.5.101.

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        3.1.2.21    IJ43674s2b.221027.epkg.Z  key_w_fix  NFS
        3.1.2.30    IJ43674s2c.221213.epkg.Z  key_w_fix  NFS
        3.1.2.40    IJ43674s2c.221213.epkg.Z  key_w_fix  NFS
        3.1.3.10    IJ42159s3b.221213.epkg.Z  key_w_fix  NFS
        3.1.3.14    IJ42159s3a.221025.epkg.Z  key_w_fix  NFS
        3.1.3.21    IJ42159s4a.221017.epkg.Z  key_w_fix  NFS

        For TCP/IP kernel extension:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        7.1.5.8    IJ43098s8a.221110.epkg.Z  key_w_fix  TCPIP
        7.1.5.9    IJ43098s9a.221102.epkg.Z  key_w_fix  TCPIP
        7.1.5.9    IJ43098s9b.221213.epkg.Z  key_w_fix  TCPIP
        7.1.5.10   IJ43098sAa.221024.epkg.Z  key_w_fix  TCPIP
        7.2.5.2    IJ43598s2b.221027.epkg.Z  key_w_fix  TCPIP
        7.2.5.3    IJ41974s3a.221025.epkg.Z  key_w_fix  TCPIP
        7.2.5.3    IJ41974s3b.221213.epkg.Z  key_w_fix  TCPIP
        7.2.5.4    IJ41974s4a.221017.epkg.Z  key_w_fix  TCPIP
        7.3.0.1    IJ42937s1a.221027.epkg.Z  key_w_fix  TCPIP
        7.3.0.2    IJ42937s2a.221018.epkg.Z  key_w_fix  TCPIP

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

        NOTE: Multiple iFixes are provided for AIX 7100-05-09 and
        7200-05-03.
        IJ43098s9a is for AIX 7100-05-09 with bos.net.tcp.client fileset level 7.1.5.40.
        IJ43098s9b is for AIX 7100-05-09 with bos.net.tcp.client fileset level 7.1.5.39.
        IJ41974s3a is for AIX 7200-05-03 with bos.net.tcp.client_core fileset level 7.2.5.102.
        IJ41974s3b is for AIX 7200-05-03 with bos.net.tcp.client_core fileset level 7.2.5.101.

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        3.1.2.21    IJ43598s2b.221027.epkg.Z  key_w_fix  TCPIP
        3.1.2.30    IJ43598s2d.221213.epkg.Z  key_w_fix  TCPIP
        3.1.2.40    IJ43598s2c.221213.epkg.Z  key_w_fix  TCPIP
        3.1.3.10    IJ41974s3b.221213.epkg.Z  key_w_fix  TCPIP
        3.1.3.14    IJ41974s3a.221025.epkg.Z  key_w_fix  TCPIP
        3.1.3.21    IJ41974s4a.221017.epkg.Z  key_w_fix  TCPIP

        For perfstat kernel extension:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        7.1.5.8    IJ43970sAa.221024.epkg.Z  key_w_fix  perfstat
        7.1.5.9    IJ43970sAa.221024.epkg.Z  key_w_fix  perfstat
        7.1.5.10   IJ43970sAa.221024.epkg.Z  key_w_fix  perfstat
|       7.1.5.11   IJ43970sAa.221024.epkg.Z  key_w_fix  perfstat
        7.2.5.2    IJ44114s2a.221102.epkg.Z  key_w_fix  perfstat
        7.2.5.3    IJ43876s3a.221025.epkg.Z  key_w_fix  perfstat
        7.2.5.3    IJ43876s3b.221213.epkg.Z  key_w_fix  perfstat
        7.2.5.4    IJ43876s4a.221017.epkg.Z  key_w_fix  perfstat
        7.2.5.5    IJ43876s5a.221212.epkg.Z  key_w_fix  perfstat
        7.3.0.1    IJ43891s2a.221018.epkg.Z  key_w_fix  perfstat
        7.3.0.2    IJ43891s2a.221018.epkg.Z  key_w_fix  perfstat
|       7.3.0.3    IJ43891s3a.230314.epkg.Z  key_w_fix  perfstat
        7.3.1.1    IJ44595s1a.221212.epkg.Z  key_w_fix  perfstat

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

        NOTE: Multiple iFixes are provided for AIX 7200-05-03.
        IJ43876s3a is for AIX 7200-05-03 with bos.perf.perfstat fileset level 7.2.5.101.
        IJ43876s3b is for AIX 7200-05-03 with bos.perf.perfstat fileset level 7.2.5.100.

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        3.1.2.21    IJ44114s2a.221102.epkg.Z  key_w_fix  perfstat
        3.1.2.30    IJ44114s2a.221102.epkg.Z  key_w_fix  perfstat
        3.1.2.40    IJ44114s2a.221102.epkg.Z  key_w_fix  perfstat
|       3.1.2.50    IJ44114s2a.221102.epkg.Z  key_w_fix  perfstat
        3.1.3.10    IJ43876s3b.221213.epkg.Z  key_w_fix  perfstat
        3.1.3.14    IJ43876s3a.221025.epkg.Z  key_w_fix  perfstat
        3.1.3.21    IJ43876s4a.221017.epkg.Z  key_w_fix  perfstat
|       3.1.3.30    IJ43876s4a.221017.epkg.Z  key_w_fix  perfstat
        3.1.4.10    IJ43876s5a.221212.epkg.Z  key_w_fix  perfstat

        For pfcdd kernel extension:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        7.1.5.8    IJ43980sAa.221024.epkg.Z  key_w_fix  pfcdd
        7.1.5.9    IJ43980sAa.221024.epkg.Z  key_w_fix  pfcdd
        7.1.5.10   IJ43980sAa.221024.epkg.Z  key_w_fix  pfcdd
|       7.1.5.11   IJ43980sBa.230314.epkg.Z  key_w_fix  pfcdd
        7.2.5.2    IJ44116s2a.221102.epkg.Z  key_w_fix  pfcdd
        7.2.5.3    IJ43877s3a.221025.epkg.Z  key_w_fix  pfcdd
        7.2.5.4    IJ43877s4a.221017.epkg.Z  key_w_fix  pfcdd
|       7.2.5.5    IJ43877s5a.230123.epkg.Z  key_w_fix  pfcdd
        7.3.0.1    IJ43893s1a.221027.epkg.Z  key_w_fix  pfcdd
        7.3.0.2    IJ43893s2a.221018.epkg.Z  key_w_fix  pfcdd
|       7.3.0.3    IJ43893s3a.230314.epkg.Z  key_w_fix  pfcdd

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        3.1.2.21    IJ44116s2a.221102.epkg.Z  key_w_fix  pfcdd
        3.1.2.30    IJ44116s2a.221102.epkg.Z  key_w_fix  pfcdd
        3.1.2.40    IJ44116s2a.221102.epkg.Z  key_w_fix  pfcdd
|       3.1.2.50    IJ46105s5a.230404.epkg.Z  key_w_fix  pfcdd
        3.1.3.10    IJ43877s3a.221025.epkg.Z  key_w_fix  pfcdd
        3.1.3.14    IJ43877s3a.221025.epkg.Z  key_w_fix  pfcdd
        3.1.3.21    IJ43877s4a.221017.epkg.Z  key_w_fix  pfcdd
|       3.1.3.30    IJ46068s3a.230404.epkg.Z  key_w_fix  pfcdd
|       3.1.4.10    IJ43877s5a.230123.epkg.Z  key_w_fix  pfcdd

        The fixes are cumulative and address previously issued
        AIX/VIOS kernel security bulletins with respect to SP and TL,
        which includes:

        https://aix.software.ibm.com/aix/efixes/security/kernel_advisory4.asc
        https://www.ibm.com/support/pages/node/6619721
        https://aix.software.ibm.com/aix/efixes/security/kernel_advisory3.asc
        https://www.ibm.com/support/pages/node/6558948
        https://aix.software.ibm.com/aix/efixes/security/kernel_advisory2.asc
        https://www.ibm.com/support/pages/node/6483875
        https://aix.software.ibm.com/aix/efixes/security/trace_advisory.asc
        https://www.ibm.com/support/pages/node/6464369
        https://aix.software.ibm.com/aix/efixes/security/caa_advisory2.asc
        https://www.ibm.com/support/pages/node/6560390

        To extract the fixes from the tar file:

        tar xvf kernel_fix5.tar
        cd kernel_fix5

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 [filename]" command as the following:

        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM Support at
        http://ibm.com/support/ and describe the discrepancy.

        openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

        openssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

        Published advisory OpenSSL signature file location:

        https://aix.software.ibm.com/aix/efixes/security/kernel_advisory5.asc.sig

    C. FIX AND INTERIM FIX INSTALLATION

        An LPAR system reboot is required to complete the iFix installation,
        or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

        If possible, it is recommended that a mksysb backup of the system
        be created. Verify it is both bootable and readable before
        proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

    Note: Keywords labeled as KEY in this document are used for parsing
    purposes.

    If you would like to receive AIX Security Advisories via email,
    please visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    Contact IBM Support for questions related to this announcement:

        https://ibm.com/support/

    To obtain the OpenSSL public key that can be used to verify the
    signed advisories and ifixes:

        Download the key from our web page:

        ftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt

    Please contact your local IBM AIX support center for any
    assistance.

REFERENCES:

    Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
    On-line Calculator v3: http://www.first.org/cvss/calculator/3.0

RELATED INFORMATION:

    IBM Secure Engineering Web Portal
        http://www.ibm.com/security/secure-engineering/bulletins.html

    IBM Product Security Incident Response Blog
        https://www.ibm.com/blogs/psirt/

    Security Bulletin: AIX is vulnerable to denial of service vulnerabilities
        https://www.ibm.com/support/pages/node/6847947

ACKNOWLEDGEMENTS:

    None.

CHANGE HISTORY:

    First Issued: Wed Dec 14 09:18:26 CST 2022
|   Updated: Fri Feb 10 15:51:45 CST 2023
|   Update: Added pfcdd iFix for AIX 7.2 TL5 SP5 and VIOS 3.1.4.10.
|
|   Updated: Fri Feb 17 16:53:45 CST 2023
|   Update: New kernel iFixes provided for AIX 7.2 and 7.3.
|   The 'new' ifixes resolve a technical issue which was discovered with
|   the 'original' ifixes when applied with Live update. Both sets of ifixes
|   (new and original) resolve the security vulnerabilities described in this
|   bulletin. The new iFixes are only needed if you experience an issue with
|   the original ifixes after applying using Live update or if you plan to
|   use Live Update to apply these iFixes (new or original) in the future:
|   https://www.ibm.com/support/pages/apar/IJ45291.
|
|   Updated: Fri Mar 17 10:18:41 CDT 2023
|   Update: Corrected the affected upper fileset levels for AIX 7.1 TL5 to show
|   that SP11 is affected. Corrected the affected upper fileset levels for
|   AIX 7.3 TL0 to show that SP03 is affected. Added iFixes for 7.1 TL5 SP10
|   and 7.3 TL0 SP03. The update applies to the kernel, perfstat, and pfcdd
|   portions of the bulletin.
|
|   Updated: Wed Apr 5 13:56:20 CDT 2023
|   Update: Corrected the affected upper fileset levels for VIOS to show that
|   VIOS 3.1.2.50 and 3.1.3.30 are affected.
|   Added iFixes for VIOS 3.1.2.50 and 3.1.3.30.
|   This update applies to the kernel, perfstat, and pfcdd
|   portions of the bulletin.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.