VULNERABILITY: OpenSSL and VIOS

Recent Awareness - Do not forget to check your VIOS

There have been several CVE releases about problems in the OpenSSL implementation and their consequences for OpenSSH on AIX. New is that the security advisory has been updated to include not only AIX oslevels but also the VIOS ioslevel. If you have been updating AIX and VIOS consistently you will not have any problems.

If your system looks like this:

padmin@x101:[/home/padmin]lslpp -L | grep openss | grep -v msg
  openssh.base.client     5.4.0.6100    C     F    Open Secure Shell Commands
  openssh.base.server     5.4.0.6100    C     F    Open Secure Shell Server
  openssh.man.en_US       5.4.0.6100    C     F    Open Secure Shell
  openssl.base            0.9.8.1300    C     F    Open Secure Socket Layer
  openssl.license         0.9.8.1300    C     F    Open Secure Socket License
  openssl.man.en_US       0.9.8.1300    C     F    Open Secure Socket Layer

padmin@x101:[/home/padmin]oslevel -s
6100-06-05-1115
padmin@x101:[/home/padmin]
padmin@x101:[/home/padmin]ioslevel
2.2.0.13-FP24 SP-03

then you need to update or patch.

The following fileset levels are vulnerable:

AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1800
AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1180
AIX 5.2: all versions less than or equal 0.9.8.808
VIOS 2.X, 1.5.2: all versions less than or equal 0.9.8.1800
IMPORTANT: If AIX OpenSSH is in use, it must be updated to OpenSSH 5.0 or later, depending on the OpenSSL version, according to the following compatibility matrix:

AIX              OpenSSL                    OpenSSH
------------------------------------------------------------------
5.2              OpenSSL 0.9.8.80x          OpenSSH 5.0
5.3,6.1,7.1      OpenSSL 0.9.8.18xx         OpenSSH 5.8.0.61xx
5.3,6.1,7.1      OpenSSL-fips 12.9.8.18xx   OpenSSH 5.8.0.61xx

VIOS             OpenSSL                    OpenSSH
------------------------------------------------------------------
2.X,1.5.2        OpenSSL 0.9.8.18x          OpenSSH 5.8.0.61xx
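To turn the vulnerable-level list and the compatibility matrix above into a quick check, here is an added example script (mine, not from the original post or from IBM) that reads lslpp -L style output and flags OpenSSL filesets at or below the advisory levels and OpenSSH filesets below the matrix minimum. The platform names "aix" (5.3/6.1/7.1 and VIOS 2.X/1.5.2) and "aix52" are my own labels; the sample lslpp lines are the ones shown above, embedded here as constructed input so the script runs offline.

```shell
#!/bin/sh
# Added example: check lslpp -L output against the OpenSSL/OpenSSH advisory
# levels quoted in the post. Not part of the original post or of IBM's tooling.

# Compare two dotted VRMF levels (v.r.m.f) numerically, field by field.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing trailing fields count as 0.
vrmf_cmp() {
    va=$1; vb=$2; idx=1
    while [ $idx -le 4 ]; do
        fa=$(printf '%s' "$va" | cut -d. -f$idx)
        fb=$(printf '%s' "$vb" | cut -d. -f$idx)
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' "-1"; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' "1";  return; fi
        idx=$((idx + 1))
    done
    printf '%s\n' "0"
}

# Read lslpp -L lines on stdin; argument is the platform label (my own names):
#   aix52 -> AIX 5.2 thresholds; anything else -> AIX 5.3/6.1/7.1 and VIOS.
# Prints one line per fileset that needs action; returns 1 if any was flagged.
check_filesets() {
    plat=${1:-aix}
    case $plat in
        aix52) ssl_max=0.9.8.808;  fips_max="";           ssh_min=5.0.0.0 ;;
        *)     ssl_max=0.9.8.1800; fips_max=12.9.8.1180; ssh_min=5.8.0.6100 ;;
    esac
    rc=0
    while read -r name level rest; do
        case $name in
            openssl.base)
                # FIPS-capable OpenSSL on AIX carries a 12.x level.
                case $level in
                    12.*) limit=$fips_max ;;
                    *)    limit=$ssl_max ;;
                esac
                # Advisory wording is "less than or equal", hence -le 0.
                if [ -n "$limit" ] && [ "$(vrmf_cmp "$level" "$limit")" -le 0 ]; then
                    printf 'VULNERABLE %s %s (must be above %s)\n' "$name" "$level" "$limit"
                    rc=1
                fi ;;
            openssh.base.client|openssh.base.server)
                if [ "$(vrmf_cmp "$level" "$ssh_min")" -lt 0 ]; then
                    printf 'UPDATE %s %s (OpenSSH %s or later required)\n' "$name" "$level" "$ssh_min"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample: the lslpp -L output from the post.
SAMPLE='  openssh.base.client     5.4.0.6100    C     F    Open Secure Shell Commands
  openssh.base.server     5.4.0.6100    C     F    Open Secure Shell Server
  openssh.man.en_US       5.4.0.6100    C     F    Open Secure Shell
  openssl.base            0.9.8.1300    C     F    Open Secure Socket Layer
  openssl.license         0.9.8.1300    C     F    Open Secure Socket License
  openssl.man.en_US       0.9.8.1300    C     F    Open Secure Socket Layer'

# On a live AIX or VIOS system the input would be: lslpp -L | check_filesets aix
printf '%s\n' "$SAMPLE" | check_filesets aix || printf '%s\n' "=> update required"
```

Run it as padmin or root with `lslpp -L | sh check_openssl.sh` (pick any file name); an exit status of 1 from check_filesets means at least one fileset needs updating, which makes the script easy to drop into a fleet-wide inventory loop.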

DESCRIPTION (from cve.mitre.org)

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.

In short, you are going to want to update OpenSSL above the vulnerable fileset levels listed above, and OpenSSH to 5.0 or later as the compatibility matrix requires, on all your systems to properly address this vulnerability in the OpenSSL implementation. Read the updated Advisory and/or go to Fix Central and update AIX/VIOS.
Copyright 2001-2012 Michael Felt, John R Peck and ROOTVG.NET