Question & Answer
Question
How can I determine if an AIX security vulnerability applies to the VIOS?
Answer
VIOS Security Information
To view information on security vulnerabilities that impact the Virtual I/O Server (VIOS), visit the Fix Level Recommendation Tool (FLRT) security information page for VIOS.
In the Search box, type your VIOS version (the output of the ioslevel command).

Notes:
- If the patch is included at a higher VIOS level available (see the Fixed In column), it is recommended to update the VIOS to that level.
- If updating the VIOS is not possible and a patch is available as an interim fix (i-fix) (see the Download column), the i-fix can be installed using the updateios command: updateios -install -accept -dev /home/padmin/<i-fix_directory>
- If a patch is not available for download or at a higher VIOS level, contact your local IBM Supportline Representative for options.
- For questions about a security advisory (CVE ID) that is not listed in the VIOS Security APAR Information, run a security scan (if you have an application to do so) to determine if the vulnerability is reported against the VIOS. If the security scan report flags the VIOS as vulnerable, contact the scan application vendor to find out the CVE ID. Then, contact your local IBM SupportLine Representative and provide the CVE ID in question and a VIOS snap.
- If the security vulnerability relates to a product that is bundled with VIOS, such as Java, refer to the security advisory bulletin for installation instructions. Java patches can be installed via oem_setup_env using 'smitty update_all' or the command line.
VIOS / AIX interim fixes (i-fixes) are provided in i-fix epkg format and need to be applied using the procedures found in the VIOS documentation.
In some cases, fixes for non-AIX components, such as Java or OpenSSH/OpenSSL, may not be in i-fix epkg format. These may require installation of new filesets, etc. In such cases, the fixes and process provided to correct the problem on AIX can be applied to the VIOS.
Determine the level of AIX that your VIOS version is based on by using the VIOS to NIM Master mapping page. Then refer to that level of AIX to get the vulnerability patch and instructions. The procedure to apply the patches would be the same as suggested for AIX after dropping into the root shell via the oem_setup_env command.
Document Information
Modified date:
05 November 2024
UID
isg3T1020593