Security Bulletin
Summary
UPDATED Mar 24 (See Change History): There is a vulnerability in the AIX nimsh daemon.
Vulnerability Details
CVEID: CVE-2022-22351
DESCRIPTION: IBM AIX could allow a non-privileged trusted host user to exploit a vulnerability in the nimsh daemon to cause a denial of service in the nimsh daemon on another trusted host.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220396 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
Affected Products and Versions
Affected Product(s) | Version(s) |
AIX | 7.1 |
AIX | 7.2 |
AIX | 7.3 |
VIOS | 3.1 |
The vulnerability in the following filesets is being addressed:
Fileset | Lower Level | Upper Level |
bos.sysmgt.nim.client | 7.1.5.0 | 7.1.5.37 |
bos.sysmgt.nim.client | 7.2.4.0 | 7.2.4.4 |
bos.sysmgt.nim.client | 7.2.5.0 | 7.2.5.1 |
bos.sysmgt.nim.client | 7.2.5.100 | 7.2.5.100 |
bos.sysmgt.nim.client | 7.3.0.0 | 7.3.0.0 |
Remediation/Fixes
AIX Level | APAR | SP |
7.1.5 | IJ37419 | SP10 |
7.2.4 | IJ37705 | SP06 |
7.2.5 | IJ36681 | SP04 |
7.3.0 | IJ36593 | SP02 |
VIOS Level | APAR | SP |
3.1.1 | IJ37705 | 3.1.1.60 |
3.1.2 | IJ37706 | 3.1.2.40 |
3.1.3 | IJ36681 | 3.1.3.20 |
AIX Level | Interim Fix |
7.1.5.7 | IJ37419m9a.220324.epkg.Z |
7.1.5.8 | IJ37419m9a.220324.epkg.Z |
7.1.5.9 | IJ37419m9a.220324.epkg.Z |
7.2.4.3 | IJ37705m4a.220324.epkg.Z |
7.2.4.4 | IJ37705m4a.220324.epkg.Z |
7.2.4.5 | IJ37705m5a.220324.epkg.Z |
7.2.5.1 | IJ37706m2a.220324.epkg.Z |
7.2.5.2 | IJ37706m2a.220324.epkg.Z |
7.2.5.3 | IJ36681m3a.220324.epkg.Z |
7.3.0.1 | IJ36593m1a.220324.epkg.Z |
VIOS Level | Interim Fix |
3.1.1.30 | IJ37705m4a.220324.epkg.Z |
3.1.1.40 | IJ37705m4a.220324.epkg.Z |
3.1.1.50 | IJ37705m5a.220324.epkg.Z |
3.1.2.10 | IJ37706m2a.220324.epkg.Z |
3.1.2.21 | IJ37706m2a.220324.epkg.Z |
3.1.3.10 | IJ36681m3a.220324.epkg.Z |
3.1.3.14 | IJ36681m3a.220324.epkg.Z |
openssl dgst -sha256 | filename |
7b0c82481aa7e93dab6ec60a3723ee88d63de7a339eb1e10366e71009fe5cf64 | IJ36593m1a.220324.epkg.Z |
98cc59b5bb5947a7f8d29ee87742ac094117844cb5b309c2b5a5d2378b727687 | IJ36681m3a.220324.epkg.Z |
71d81e4e864e387413eb7a5421fe796f9afa3031cc413758278e093d88be7832 | IJ37419m9a.220324.epkg.Z |
6efae17ca82b02385cf44458a79535416d4f242debbccb63eb217c96e1ebd746 | IJ37705m4a.220324.epkg.Z |
fb9c4a622a7c39ab2ddeeac2cf70ae71c9653c7cb9417cea120791803bd2426d | IJ37705m5a.220324.epkg.Z |
f6fefdf2a94ffeb0362fc54d7e61f60e4ad5412ac7e651a2ee23ffc644b5e2a0 | IJ37706m2a.220324.epkg.Z |
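A pre-patch check an AIX administrator could run against the tables above, added here and not part of IBM's bulletin: it tests whether an installed bos.sysmgt.nim.client level lies inside one of the affected ranges (handling the four-part V.R.M.F ordering, where 7.2.5.100 is above 7.2.5.4) and compares a downloaded iFix against the published SHA-256 with the same `openssl dgst -sha256` the bulletin uses. The lslpp row is constructed sample output.

```shell
#!/bin/sh
# Added example, not IBM's code. Uses the affected bos.sysmgt.nim.client ranges
# and the "openssl dgst -sha256" checksums published in the bulletin above;
# the lslpp row below is constructed sample output, not captured from a host.

# Affected ranges from the fileset table, one "lower upper" pair per line.
AFFECTED_RANGES="7.1.5.0 7.1.5.37
7.2.4.0 7.2.4.4
7.2.5.0 7.2.5.1
7.2.5.100 7.2.5.100
7.3.0.0 7.3.0.0"

# Map a V.R.M.F level to one fixed-width integer so that 7.2.5.100 sorts after
# 7.2.5.4 (a string comparison would put it first); the leading 1 avoids leading zeros.
vrmf_key() {
    printf '1%03d%03d%03d%04d' $(printf '%s' "$1" | tr '.' ' ')
}

# is_affected LEVEL: succeed (status 0) when LEVEL lies inside any affected range.
is_affected() {
    key=$(vrmf_key "$1")
    printf '%s\n' "$AFFECTED_RANGES" | {
        while read -r lo hi; do
            if [ "$key" -ge "$(vrmf_key "$lo")" ] && [ "$key" -le "$(vrmf_key "$hi")" ]; then
                exit 0    # leaves the subshell; becomes the pipeline's status
            fi
        done
        exit 1
    }
}

# lslpp_level LINE: pull the installed level out of one "lslpp -L" row.
lslpp_level() {
    printf '%s\n' "$1" | awk '$1 == "bos.sysmgt.nim.client" { print $2 }'
}

# verify_ifix FILE SHA256: compare a downloaded epkg with the bulletin's checksum
# before handing it to emgr; openssl prints "SHA256(file)= <hash>", so take the last field.
verify_ifix() {
    actual=$(openssl dgst -sha256 "$1" | awk '{ print $NF }')
    [ "$actual" = "$2" ]
}

# Constructed sample row in lslpp -L column order: Fileset Level State Type Description.
SAMPLE_LSLPP="  bos.sysmgt.nim.client  7.2.5.1  C  F  Network Install Manager - Client Tools"
level=$(lslpp_level "$SAMPLE_LSLPP")
is_affected "$level" && echo "bos.sysmgt.nim.client $level is in an affected range: apply the matching iFix"
```

On a real host, replace SAMPLE_LSLPP with the output of `lslpp -L bos.sysmgt.nim.client` and call verify_ifix on the downloaded epkg.Z with the hash from the table above.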
Workarounds and Mitigations
None
References
Acknowledgement
Change History
04 Mar 2022: Initial Publication
24 Mar 2022: Update: New iFixes provided for all levels. The new iFixes resolve a failure of the previous iFixes when running NIM commands of extended length, which produced a /var/adm/ras/nimsh.log error message similar to:
error: command not allowed. Please verify NIM command
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date: 24 March 2022
UID: ibm16561275