IBM has released AIX and VIOS iFixes in response to Spectre and Meltdown


IBM SECURITY ADVISORY

Security Bulletin: IBM has released AIX and VIOS iFixes in response to the
vulnerabilities known as Spectre and Meltdown.

First Issued: Thu Jan 25 08:15:51 CST 2018

SUMMARY: IBM has released the following fixes for AIX and VIOS in response to
CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

ASCII Version:
http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc

Security Bulletin: IBM has released AIX and VIOS iFixes in response to the
vulnerabilities known as Spectre and Meltdown.
http://www-01.ibm.com/support/docview.wss?uid=isg3T1026912

Doc number: 5666 Published date: 20180125

 

Vulnerability Details

Affected Products and Versions

AIX 5.3 (64-bit kernel), 6.1, 7.1, 7.2
VIOS 2.2.x

The vulnerabilities in the following filesets are being addressed:

key_fileset = aix

Fileset                 Lower Level  Upper Level KEY
---------------------------------------------------------
bos.mp64                5.3.12.0     5.3.12.10   key_w_fs
bos.mp64                6.1.9.0      6.1.9.202   key_w_fs
bos.mp64                6.1.9.300    6.1.9.300   key_w_fs
bos.mp64                7.1.4.0      7.1.4.33    key_w_fs
bos.mp64                7.1.5.0      7.1.5.0     key_w_fs
bos.mp64                7.2.0.0      7.2.0.5     key_w_fs
bos.mp64                7.2.1.0      7.2.1.4     key_w_fs
bos.mp64                7.2.2.0      7.2.2.0     key_w_fs

To find out whether the affected filesets are installed on your systems, refer to the lslpp command described in the AIX user’s guide.

Example: lslpp -L | grep -i bos.mp64
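
An added example (not part of IBM's advisory) of the range check the table above implies: it compares a bos.mp64 level field by field against the listed lower and upper levels, which a plain string comparison gets wrong for 5.3.12.10. The function names are illustrative.

```shell
#!/bin/sh
# Added example (not IBM code): test a bos.mp64 level against the advisory's
# "Fileset  Lower Level  Upper Level  KEY" rows, read from stdin.

# in_affected_range LEVEL < table
# Returns 0 when LEVEL lies inside any bos.mp64 row tagged key_w_fs, else 1.
in_affected_range() {
    awk -v lvl="$1" '
        # Zero-pad each of the four VRMF fields so levels compare as strings.
        function key(v,   p) {
            split(v, p, ".")
            return sprintf("%05d%05d%05d%05d", p[1], p[2], p[3], p[4])
        }
        $1 == "bos.mp64" && $NF == "key_w_fs" {
            if (key(lvl) >= key($2) && key(lvl) <= key($3)) hit = 1
        }
        END { exit(hit ? 0 : 1) }'
}

# Rows copied from the advisory's affected-fileset table.
affected_table() {
    cat <<'EOF'
bos.mp64                5.3.12.0     5.3.12.10   key_w_fs
bos.mp64                6.1.9.0      6.1.9.202   key_w_fs
bos.mp64                6.1.9.300    6.1.9.300   key_w_fs
bos.mp64                7.1.4.0      7.1.4.33    key_w_fs
bos.mp64                7.1.5.0      7.1.5.0     key_w_fs
bos.mp64                7.2.0.0      7.2.0.5     key_w_fs
bos.mp64                7.2.1.0      7.2.1.4     key_w_fs
bos.mp64                7.2.2.0      7.2.2.0     key_w_fs
EOF
}

# classify LEVEL: print AFFECTED or NOT-LISTED for one fileset level.
classify() {
    if affected_table | in_affected_range "$1"; then
        echo "AFFECTED"
    else
        echo "NOT-LISTED"
    fi
}

# On AIX, take the level from the Level column of: lslpp -L bos.mp64
for lvl in 7.2.1.3 5.3.12.10 6.1.9.250; do
    printf '%s %s\n' "$lvl" "$(classify "$lvl")"
done
```

A NOT-LISTED result only means the level falls outside the ranges in this advisory; the note below about monitoring further notifications still applies.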

Note: AIX or VIOS users of all fileset levels should continue to monitor their My Notifications alerts and the IBM PSIRT Blog for additional information about these vulnerabilities:

– My Notifications
http://www.ibm.com/support/mynotifications

– IBM PSIRT Blog – Potential Impact on Processors in the Power Family
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Remediation/Fixes

A. APARS

IBM has assigned the following APARs to this problem:

AIX Level APAR     Availability  SP   KEY
------------------------------------------------
5.3.12    IJ03029  N/A           N/A  key_w_apar
6.1.9     IJ03030  **            SP11 key_w_apar
7.1.4     IJ03032  **            SP6  key_w_apar
7.1.5     IJ03033  **            SP2  key_w_apar
7.2.0     IJ03034  **            SP6  key_w_apar
7.2.1     IJ03035  **            SP4  key_w_apar
7.2.2     IJ03036  **            SP2  key_w_apar

Subscribe to the APARs here:

http://www.ibm.com/support/docview.wss?uid=isg1IJ03030
http://www.ibm.com/support/docview.wss?uid=isg1IJ03032
http://www.ibm.com/support/docview.wss?uid=isg1IJ03033
http://www.ibm.com/support/docview.wss?uid=isg1IJ03034
http://www.ibm.com/support/docview.wss?uid=isg1IJ03035
http://www.ibm.com/support/docview.wss?uid=isg1IJ03036

https://www.ibm.com/support/docview.wss?uid=isg1IJ03030
https://www.ibm.com/support/docview.wss?uid=isg1IJ03032
https://www.ibm.com/support/docview.wss?uid=isg1IJ03033
https://www.ibm.com/support/docview.wss?uid=isg1IJ03034
https://www.ibm.com/support/docview.wss?uid=isg1IJ03035
https://www.ibm.com/support/docview.wss?uid=isg1IJ03036

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

B. FIXES

IMPORTANT: Both the AIX/VIOS and FW fixes are required to address the vulnerabilities.

Once installed, the AIX or VIOS iFix becomes active only after an LPAR reboot, LPAR Migration or Live Update on patched Power Firmware. The Power Firmware fixes must be installed before the LPAR reboot, LPAR Migration or Live Update of the patched AIX or VIOS LPAR.

Link to the related Power Firmware Security Bulletin and fix information:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811

AIX and VIOS fixes are available.

The AIX/VIOS fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar
http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar
https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level  Interim Fix (*.Z)         KEY
----------------------------------------------
5.3.12.9   IJ03029m9a.180117.epkg.Z  key_w_fix
5.3.12.9   IJ03029m9b.180117.epkg.Z  key_w_fix
6.1.9.10   IJ03030mAa.180116.epkg.Z  key_w_fix
7.1.4.5    IJ03032m5a.180116.epkg.Z  key_w_fix
7.1.5.0    IJ03033m1a.180116.epkg.Z  key_w_fix
7.1.5.1    IJ03033m1a.180116.epkg.Z  key_w_fix
7.2.0.5    IJ03034m5a.180117.epkg.Z  key_w_fix
7.2.1.3    IJ03035m3a.180117.epkg.Z  key_w_fix
7.2.2.0    IJ03036m1a.180116.epkg.Z  key_w_fix
7.2.2.1    IJ03036m1a.180116.epkg.Z  key_w_fix

NOTE: The provided iFixes for AIX 5.3 are for the 64-bit kernel.
– IJ03029m9a is for AIX 5.3 with bos.mp64 fileset level 5.3.12.9.
– IJ03029m9b is for AIX 5.3 with bos.mp64 fileset level 5.3.12.10.
Please refer to the Affected Products and Versions section above for help with checking installed fileset levels.

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.2.1 is AIX 7200-02-01.

VIOS Level  Interim Fix (*.Z)         KEY
-----------------------------------------------
2.2.4.50    IJ03030m9b.180116.epkg.Z  key_w_fix
2.2.5.30    IJ03030m9b.180116.epkg.Z  key_w_fix
2.2.6.10    IJ03030mAa.180116.epkg.Z  key_w_fix

To extract the fixes from the tar file:

   tar xvf spectre_meltdown_fix.tar
   cd spectre_meltdown_fix

Verify you have retrieved the fixes intact.

The checksums below were generated using the “openssl dgst -sha256 file” command:

openssl dgst -sha256                                              filename                 KEY
-----------------------------------------------------------------------------------------------------
11249eb38318b8779e5f86836edd2913278081e22d61ed68df207175bde6bd3a  IJ03029m9a.180117.epkg.Z key_w_csum
b0cfe72d0d7de4f5f99cdcf802b1a298586b6f7511bcb63e9644008faa4b7353  IJ03029m9b.180117.epkg.Z key_w_csum
44834d4990a178c6773c7fbd6bc00fbc81b23944b9988329294ae0cbb93ec20f  IJ03030m9b.180116.epkg.Z key_w_csum
f1fc5a1bb4daab5f9d2abc1006df087a688ed2832a7eb15a0de4f45efe94d6a6  IJ03030mAa.180116.epkg.Z key_w_csum
896215923b7d6001a5aff7ed7d420d9963bef177d88af1ef2b30d131e1c10029  IJ03032m5a.180116.epkg.Z key_w_csum
48ba4ca0c38611852dcbfcfb25376025941285df77e629953bf9bc534815e3cd  IJ03033m1a.180116.epkg.Z key_w_csum
8d18635a490926c67e992ea0cff6fab853f451802a3172a6f7bfd1244fa81e5c  IJ03034m5a.180117.epkg.Z key_w_csum
ed4f1af7ddd8a8f679ea1c6de410ad53c3b63d3c0b6c15561bbccea4f4837232  IJ03035m3a.180117.epkg.Z key_w_csum
b1c4f488d6084eb7df5e68af3195d5f167f0d17dbb7c0290d9db4646fdd6c06a  IJ03036m1a.180116.epkg.Z key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.

   openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

   openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig
https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig
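
The checksum comparison described above, scripted as an added example (not part of IBM's advisory): it reads rows in the advisory's "checksum  filename  key_w_csum" layout and fails closed on any mismatch, missing package or empty table. The function names, the demo file and checksums.txt are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): compare each iFix package against rows in
# the advisory's "sha256  filename  key_w_csum" layout.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Same digest the advisory uses; reading stdin keeps the hash as
        # the last output field across OpenSSL versions.
        openssl dgst -sha256 < "$1" | awk '{ print $NF }'
    else
        # Assumption: fallback for hosts without the openssl CLI.
        sha256sum < "$1" | awk '{ print $1 }'
    fi
}

# verify_ifixes TABLE DIR
# Returns 0 only if at least one row was checked and every listed file in
# DIR matched. Missing files count as failures (fail closed).
verify_ifixes() {
    table=$1; dir=$2; bad=0; seen=0
    while read -r want name key; do
        [ "$key" = "key_w_csum" ] || continue   # skips header and ruler rows
        seen=$((seen + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1))
        elif [ "$(sha256_of "$dir/$name")" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done < "$table"
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed demo: a stand-in package containing "abc" and a one-row table.
demo() {
    d=$(mktemp -d) || return 1
    printf 'abc' > "$d/FAKE.epkg.Z"
    printf '%s  FAKE.epkg.Z key_w_csum\n' \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad > "$d/table.txt"
    verify_ifixes "$d/table.txt" "$d" && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}
demo

# Real use, with the advisory's checksum table saved as checksums.txt:
#   cd spectre_meltdown_fix && verify_ifixes ../checksums.txt .
```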

Workarounds and Mitigations

None.
