AIX OpenSSL Heartbleed Vulnerability CVE-2014-0160
Title: Security Bulletin: AIX is affected by a vulnerability in OpenSSL (CVE-2014-0160)
Summary: A security vulnerability has been discovered in OpenSSL.
Vulnerability Details
CVE-ID: CVE-2014-0160
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose up to 64k of private memory per request and retrieve secret keys. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. An exploit can affect confidentiality, but not integrity or availability.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.
Affected Products and Versions
OpenSSL version 1.0.1.500 and above in the following AIX/VIOS releases:
AIX: 5.3, 6.1, 7.1 and VIOS 2.2.3.*
Remediation/Fixes
Product: AIX 5.3, 6.1, 7.1, VIOS 2.2.3.*
APAR: N/a (OpenSSL versions greater than or equal to 1.0.1.500)
Remediation / First Fix: ftp://aix.software.ibm.com/aix/efixes/security/openssl_ifix7.tar
(ifix: 0160_ifix.140409.epkg.Z)
This ifix disables the OpenSSL heartbeat option by compiling with
-DOPENSSL_NO_HEARTBEATS.
Note: AIX OpenSSL v0.9.8.xxxx and 12.9.8.xxxx are not vulnerable to this security vulnerability.
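To check whether a host is in scope for this bulletin, before and after applying the ifix, the following is an added example (my code, not IBM's): it reads the openssl.base level from lslpp -L and looks for the ifix label in emgr -l. Both command outputs are constructed samples in the documented column layout; the ifix label 0160_ifix is assumed from the epkg file name, and levels IBM later shipped with the fix built in are outside what this bulletin states, so the verdict means "in scope for this bulletin", not a definitive one.

```python
"""Decide whether an AIX host is in scope for CVE-2014-0160 per this bulletin,
from the output of `lslpp -L openssl.base` and `emgr -l`.
Added example, not IBM's code; command outputs below are constructed."""
import re

# Constructed sample of `lslpp -L openssl.base` on an affected host.
LSLPP_OUTPUT = """\
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssl.base             1.0.1.500    C     F    Open Secure Socket Layer
"""

# Constructed sample of `emgr -l` with the bulletin's ifix installed.
# Assumption: the LABEL is the epkg name minus its date/extension.
EMGR_OUTPUT = """\
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    0160_ifix  04/10/14 09:12:31            OpenSSL heartbeat CVE-2014-0160
"""

# Constructed sample of `emgr -l` on a host with no efix at all.
EMGR_NONE = "There is no efix data on this system.\n"

AFFECTED_FROM = (1, 0, 1, 500)   # bulletin: 1.0.1.500 and above
IFIX_LABEL = "0160_ifix"         # assumed from 0160_ifix.140409.epkg.Z


def openssl_level(lslpp_text):
    """Return the openssl.base level as a tuple of ints, or None if absent."""
    for line in lslpp_text.splitlines():
        m = re.match(r"\s*openssl\.base\s+(\d+(?:\.\d+)+)\s", line)
        if m:
            return tuple(int(x) for x in m.group(1).split("."))
    return None


def ifix_installed(emgr_text, label=IFIX_LABEL):
    """True if `emgr -l` lists an efix whose LABEL column equals `label`."""
    for line in emgr_text.splitlines():
        cols = line.split()
        # Data rows start with a numeric ID; header/separator rows do not.
        if len(cols) >= 3 and cols[0].isdigit() and cols[2] == label:
            return True
    return False


def level_affected(level):
    """Bulletin scope: 1.0.1.500 and above; 0.9.8.x and 12.9.8.x are not."""
    if level is None:
        return False
    if level[:3] in ((0, 9, 8), (12, 9, 8)):
        return False
    return level >= AFFECTED_FROM


def assess(lslpp_text, emgr_text):
    """Combine fileset level and efix state into an actionable verdict."""
    level = openssl_level(lslpp_text)
    if not level_affected(level):
        return "not affected"
    if ifix_installed(emgr_text):
        return "affected level, ifix applied: rotate keys/certs and credentials"
    return "VULNERABLE: apply 0160_ifix, then rotate keys/certs and credentials"


if __name__ == "__main__":
    print(assess(LSLPP_OUTPUT, EMGR_NONE))
    print(assess(LSLPP_OUTPUT, EMGR_OUTPUT))
```

Note that "ifix applied" is not the end of the job: the bulletin's two follow-up steps (new private keys and certificates, credential reset) are still required, because anything the process held in memory before the fix must be assumed leaked.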
After applying the fix, additional instructions are needed for CVE-2014-0160
1) Replace your SSL Certificates.
Revoke the existing SSL certificates and reissue new ones. Do not generate the new certificates from the old private key: create a new private key (e.g. with "openssl genrsa") and use that new key to create the new certificate signing request (CSR).
2) Reset User Credentials
Users of network-facing applications protected by a vulnerable version of OpenSSL should be forced to reset their passwords. Revoke any authentication or session cookies issued before OpenSSL was upgraded and force users to re-authenticate.
Warning: Your environment may require additional fixes for other products, including non-IBM products. Please replace the SSL certificates and reset the user credentials after applying the necessary fixes to your environment.
Workarounds and Mitigations
None known
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
File Times in AIX
This technote discusses timestamps associated with files in filesystems on AIX.
In AIX each file has three different timestamps associated with it. These can be seen in the system include file /usr/include/sys/stat.h :
st_atime Time when file data was last accessed.
st_mtime Time when file data was last modified.
st_ctime Time when the file metadata was last changed.
All times recorded are in seconds since the Unix epoch. (Note for completeness there are also counters for these in nanoseconds)
Access Time (atime)
This is a timestamp recorded in the filesystem when the file was last opened for reading. The timestamp reflects when the open() on the file was performed, not necessarily when data was last read from it.
The access time can be viewed via ls using the -u flag.
Modification Time (mtime)
This denotes when the content of the file was most recently changed.
The modification time is what ls -l reports by default.
Change time (ctime)
This marks when a file's metadata was changed, such as permissions or ownership.
ls -l does not show this time by default; use ls -lc (or istat, below) to see it.
Other Notes
Some operating systems also include a "file creation" time, but AIX does not.
These times can be seen via commands such as 'ls' or 'find' with the appropriate arguments given to print out the value desired.
An easy way to view all three simultaneously is with the /usr/bin/istat command:
Inode 263 on device 10/8 File
Protection: rw-r--r--
Owner: 0(root) Group: 0(system)
Link count: 1 Length 14682 bytes
Last updated: Tue Sep 15 10:50:15 PDT 2009
Last modified: Tue Sep 15 10:50:15 PDT 2009
Last accessed: Tue Nov 3 12:01:12 PST 2009
So this file had its contents modified on Sep 15, and that is also the time the metadata for the file was changed. The file was read last on Nov 3.
Some utilities such as tar deliberately set a file's time values to something other than the current time. For example, the default behavior of tar when restoring a file is to create the file, then set the modification time back to the value recorded in the archive. Only atime and mtime can be set this way; ctime ("Last updated" in istat) is stamped by the kernel with the current time on every inode change and cannot be set from user space, which is why a ctime later than the mtime is the tell-tale of a restored or back-dated file.
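The three timestamps, and the tar-style mtime reset, seen from Python as an added example (not from the technote). It runs on any POSIX system, where st_atime/st_mtime/st_ctime carry the same meaning as in /usr/include/sys/stat.h on AIX; the file it inspects is a temporary one it creates itself.

```python
"""atime/mtime/ctime in practice: restore an mtime the way tar does and show
that ctime gives the back-dating away. Added example, not the technote's code."""
import os
import tempfile
import time


def timestamps(path):
    """Return the three times the technote describes, keyed like istat output."""
    st = os.stat(path)
    return {
        "last_accessed": st.st_atime,   # atime: last open for reading
        "last_modified": st.st_mtime,   # mtime: last content change
        "last_updated": st.st_ctime,    # ctime: last inode/metadata change
    }


def restore_mtime_like_tar(path, archived_mtime):
    """What tar does on extract: write the content, then set mtime back to the
    archive's value. Only atime/mtime are settable; the kernel stamps ctime
    with the current time regardless."""
    os.utime(path, (archived_mtime, archived_mtime))


def mtime_was_reset(path, slack=2.0):
    """True when the inode changed after the content supposedly did, i.e.
    ctime is later than mtime by more than `slack` seconds. That is the
    signature of tar -x, touch -t or any other mtime back-dating."""
    t = timestamps(path)
    return t["last_updated"] - t["last_modified"] > slack


def demo():
    """Create a file, back-date its mtime by 30 days as tar would, and report
    the verdict before and after. Returns (fresh_flagged, backdated_flagged)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write("payload\n")
        fresh = mtime_was_reset(path)           # ctime and mtime set together
        thirty_days_ago = time.time() - 30 * 86400
        restore_mtime_like_tar(path, thirty_days_ago)
        backdated = mtime_was_reset(path)       # mtime old, ctime is now
        return fresh, backdated
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())   # expected: (False, True)
```

The two-second slack absorbs the small gap between the write and the stat on a busy system; for a real investigation compare against istat's "Last updated" line, which is the same st_ctime.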
Mount Option to Not Update Access Time
For filesystems with a high rate of file access, performance can be improved by disabling updates of the access time stamp. This can be done per mount with the "-o noatime" mount option, or set permanently with "chfs -a options=noatime <filesystem>". The trade-off is that the filesystem then keeps no record of when a file was last read, which is evidence you may want during an investigation.
SOURCE: 1012054
EMC VNX Snapview not supported with AIX MPIO
I found that some customers use SnapView on CX or VNX FLARE with the AIX native MPIO driver on VIOS or AIX.
Already in 2008, EMC wrote a technical note specifying that layered software such as SnapView was not supported with AIX MPIO.
Technote: 300-008-486_aix_native_mpio_clariion_1108
Today this technote has disappeared, but EMC support has written an EMC Primus solution "emc75601" stating that it is still not supported with VNX layered software.
Driver Example :
EMC.CLARiiON.fcp.MPIO.rte 5.3.0.8 C F EMC CLARiiON FCP MPIO Support
devices.common.IBM.mpio.rte 6.1.7.15 C F MPIO Disk Path Control Module
EMC primus case "emc75601"
EMC Layered software such as SnapView, MirrorView/Asynchronous, MirrorView/Synchronous,
EMC SAN Copy, etc., are not supported with hosts running AIX Native MPIO
So if using SnapView is imperative, install EMC PowerPath instead of relying on native MPIO.
Device Configuration Database Lock Service Timed Out Message
Every process that changes the ODM first locks the ODM to prevent other processes from making changes simultaneously. When you see this message displayed, it means another process has already obtained the lock.
Wait a few minutes and retry the operation. If the system continually displays the message, check which process is holding the lock.
To check, use the following command:
The system displays the process ID currently holding the lock. Verify the process holding the lock is not hung.
If the process holding the lock is hung, determine whether the process is required. If the process isn’t required, then send a signal to either try to awaken the process or kill the process.
Java process sending IPV6 DNS queries
Question
How to stop Java process from sending IPV6 DNS queries
Answer
Place the following line, exactly as shown, in /etc/environment (do not add double quotes):
IBM_JAVA_OPTIONS=-Djava.net.preferIPv4Stack=true
Reboot the system( so that all processes get restarted). This environment variable will only affect Java processes.
Simple AIX ipv4 filtering configuration – memo
In this example :
- One server with IP address (10.0.0.1) configured on en0 logical interface
IPSEC Rules :
- PERMIT SSH request to server (10.0.0.1) from only one client (10.0.0.2)
- DENY and "LOG" all other SSH connections
- DENY ALL packets
Prerequisites
To start the firewall in AIX you need a few packages installed:
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib
Recommendations
- Use a console (TTY/VTY) connection, not SSH, for the first filtering configuration: the DENY ALL default below drops your own session if the permit rules are wrong.
- Add the client hostname to /etc/hosts on the server.
- Use hostnames in the genfilt rules for this example.
- Check IP host resolution:
# host server
server is 10.0.0.1
# host client
client is 10.0.0.2
Prepare syslog to record rejected packets: add a local4 entry to /etc/syslog.conf pointing at the log file (for example local4.debug /var/adm/ipsec.log), then create the file and refresh syslogd:
# touch /var/adm/ipsec.log
# refresh -s syslogd
Backup old rules
Example of IPSec rules script
# Remove all user rules
rmfilt -v 4 -n all
# Activate rules
mkfilt -v 4 -u
# Stop ipv4 LOG
mkfilt -v 4 -g stop
# DENY ALL
mkfilt -v 4 -u -z D
# PERMIT SSH request from client to server on en0 interface
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0
# PERMIT SSH answer from server to client on en0 interface
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0
# DENY and LOG all other SSH request on en0 interface
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0
# Activate rules
mkfilt -v 4 -u
# start ipv4 LOG to /var/adm/ipsec.log
mkfilt -v4 -g start
# Display Rules list
lsfilt -v4 -O
In the ipsec.log trace below you can see that 10.0.0.5 is not authorized to reach the SSH server (R:d is the deny action, DP:22 the destination port):
Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
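To turn the ipsec.log trace into something a SOC can act on, the following is an added example (my code, not part of the memo or of IBM's tooling) that parses ipsec_logd packet records and counts denied SSH attempts per source. The log lines are constructed in the format of the trace above. The field readings follow IBM's ipsec_logd record format, in which R: and I: each appear twice (action and local address first, then routing flag and interface); my reading of the second pair and of F: (fragment) and T: (tunnel) is an assumption.

```python
"""Parse ipsec_logd lines from /var/adm/ipsec.log and summarise denied SSH
attempts per source. Added example; log lines are constructed."""
import re
from collections import Counter

# Constructed sample: the daemon-start line plus three denied SSH attempts.
# Permitted traffic does not appear because the permit rules use -l N.
SAMPLE_LOG = """\
Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:12 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp SP:34805 DP:22 R:l I:en0 F:n T:0 L:60
Feb 15 16:18:03 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.9 D:10.0.0.1 P:tcp SP:51022 DP:22 R:l I:en0 F:n T:0 L:60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+\S+\s+ipsec_logd:\s+(?P<body>#:.*)$"
)

# R: and I: occur twice per record; map them by order of occurrence.
# Assumption: second R: is the routing flag (l=local), second I: the interface.
FIELD_NAMES = {
    "#": "rule", "R": ("action", "routing"), "I": ("local_addr", "interface"),
    "S": "src", "D": "dst", "P": "proto", "SP": "sport", "DP": "dport",
    "F": "fragment", "T": "tunnel", "L": "length",
}


def parse_line(line):
    """Return a dict for a packet record, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    seen = Counter()
    for token in m.group("body").split():
        key, _, value = token.partition(":")
        name = FIELD_NAMES.get(key)
        if name is None:
            continue
        if isinstance(name, tuple):          # duplicate key: pick by occurrence
            name = name[min(seen[key], len(name) - 1)]
            seen[key] += 1
        rec[name] = value
    rec["action"] = {"d": "deny", "p": "permit"}.get(rec.get("action"), rec.get("action"))
    for k in ("rule", "sport", "dport", "length"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def denied_by_source(log_text, dport=22):
    """Count denied packets to `dport` per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "deny" and rec.get("dport") == dport:
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in sorted(denied_by_source(SAMPLE_LOG).items()):
        print(f"{src}: {n} denied SSH packet(s)")
```

Because only the deny rule carries -l Y, every record in the file is a policy violation by construction; a rising count for one source is the signal to go and look at that host.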
Source:
http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html
http://it.toolbox.com/blogs/unix-swing/sample-firewall-in-aix-48146
AIX “From Strength to Strength”
IBM AIX “From Strength to Strength”
A summary of upgrade benefits for each release of AIX
February, 2013 Edition
Steps to unlock a volume group
Question
This document describes how to unlock a volume group with an error like:
0516-1201 lsvg: Warning: Volume group <VG Name> is locked.
Answer
Here are some steps to find out why the volume group is locked and/or unlock it.
- Run "chvg -u <VG Name>" to try to unlock it.
- Check the complete ps -ef output for LVM processes such as chlv, chvg, mklv that would modify something in LVM and therefore lock the vg.
If you find only query commands such as lsvg or lslv, with or without flags, like these:
---------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
---------------------------------------------------
root 14942378 19988506 0 Oct 16 - 0:00 lsvg -p rootvg
root 15597578 12189770 0 23:55:05 - 0:00 lsvg -p rootvg
root 4850006 15532252 0 13:45:05 pts/3 0:00 /usr/sbin/lsvg -l
then it is safe to kill those processes (14942378, 15597578 and 4850006 in the case above), since they only query information about the volume group; then retry step 1.
- Check for maragent or navisphere processes running. These are EMC products, and older versions have been known to lock volume groups improperly.
We can check using:
---------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
---------------------------------------------------
root 6881442 17957332 0 06:44:16 pts/5 0:00 maragent
Then try killing the process (6881442) and try step 1 to unlock the volume group
- Check if you are experiencing a full filesystem
Filesystem GB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 1.28 0.81 97% 10080 56% /
/dev/hd2 3.81 1.99 48% 42906 9% /usr
/dev/hd9var 0.69 0.38 85% 6701 67% /var
/dev/hd3 0.12 0.12 6% 142 1% /tmp
/dev/hd1 0.03 0.03 2% 25 1% /home
/dev/hd11admin 0.12 0.12 1% 5 1% /admin
/dev/hd10opt 0.28 0.10 64% 7032 23% /opt
/dev/livedump 0.12 0.12 1% 4 1% /var/adm/ras/livedump
The / (97%) and /var (85%) lines above may pose an issue, since a full filesystem chokes the system and can leave the volume group locked.
To resolve this, increase the size of the filesystem by running:
which will extend the filesystem by 1G.
- Check the /etc/vg directory for a lock file, and get the VG serial from the ODM. In this example, odmget shows:
CuAt:
name= "vg name"
attribute= "vgserial_id"
value ="0007b47c00004c000000013b717a0988"
type = "R"
generic = "D"
rep = "n"
nls_index = 637
The value above (0007b47c00004c000000013b717a0988) is the serial of the volume group.
You would then run:
where XX is the upper-case form of the value you got from the odmget command; in this example you would run:
If a running process is holding the VG lock, you will see a line similar to the one below,
which we can then identify:
---------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
---------------------------------------------------
root 9895958 9896034 1 20:07:53 pts/0 0:00 lmigratelv -l 0007b47c00004c000000013b717a0988 -s 50 /tmp/mig_map198
So in this case the process locking the volume group is the lmigratelv command; you may see a different process running against the volume group. To unlock the volume group, troubleshoot that process (in the case above, wait until the migration has completed).
If the process belongs to a third-party application, contact the vendor for assistance on why it is locking the volume group.
- check the ODM
CuAt:
name= "vg name"
attribute= "lock"
value ="24892"
type = "R"
generic = ""
rep = "l"
The value above (24892) is the PID for the process that has the vg locked. So you can then look at the processes table and find out the process name (i.e ps -fp 24892).
Once we get the process id, we would troubleshoot the process that is running against the volume group like we have done in step 4.
If there is no process, there may be a lock left behind in the ODM. The low-level command "putlvodm" can be used to clear this:
$ putlvodm -K ${VGID}
- Check errpt -a for any disk issues or vscsi adapter mapping from the vio server failing. Hung I/O from disks will cause LVM processes to hang waiting for the I/O to complete, and some of these processes will lock the vg.
- If you are running HACMP, there has been a previous defect against LVM and HACMP that will leave a lock behind if an LVM cmd has been killed. Check APARs for this or other lock related issues.
- If none of these work force a dump on the system and send it in for analysis. On the other hand, if a root cause analysis (RCA) or problem source identification(PSI) is not needed then rebooting may solve the locked volume group.
Source: IBM Technote
Virtual I/O Server migration with NIM
Download the VIOS 2.1.3.10 migration DVD via IBM Fix Central
or download the ISO image
NIM SERVER: AIX 7100-01-04-1216
Mount the ISO image of the VIOS 2.1.3.10 migration DVD
Copy the contents of the migration DVD's installp directory into the lpp_source filesystem
Define the lpp_source lpp_src_vios_21310
Define the SPOT spot_vios_21310 from the lpp_source lpp_src_vios_21310
VIRTUAL I/O SERVER: IOSLEVEL 1.5.2.6-FP-11.1 SP-02
1. Configure the Ethernet interface for the NIM installation via the SMS menu.
Welcome to Base Operating System
Installation and Maintenance
Type the number of your choice and press Enter. Choice is indicated by >>>.
>>> 1 Start Install Now with Default Settings
2 Change/Show Installation Settings and Install
3 Start Maintenance Mode for System Recovery
4 Configure Network Disks (iSCSI)
5 Select Storage Adapters
88 Help ?
99 Previous Menu
>>> Choice [1]:1
***********************************************************************************
VIOS Migration Installation Summary
Disks: hdisk1...
>>> 1 Continue with Install
+-----------------------------------------------------
88 Help ? | WARNING: Base Operating System Installation will
99 Previous Menu |destroy or impair recovery of SOME data on the
|destination disk hdisk1.
>>> Choice [1]:1
***********************************************************************************
Migration menu preparation in progress.
Please wait...
Approximate Elapsed time
% tasks complete (in minutes)
0 0
***********************************************************************************
Migration Confirmation
Either type 0 and press Enter to continue the installation, or type the
number of your choice and press Enter.
1 List the saved Base System configuration files which will not be
merged into the system. These files are saved in /tmp/bos.
2 List the filesets which will be removed and not replaced.
3 List directories which will have all current contents removed.
4 Reboot without migrating.
Acceptance of license agreements is required before using system.
You will be prompted to accept after the system reboots.
>>> 0 Continue with the migration.
88 Help ?
+---------------------------------------------------------------------------
WARNING: Selected files, directories, and filesets (installable options)
from the Base System will be removed. Choose 2 or 3 for more information.
>>> Choice[0]:0
***********************************************************************************
MIGRATION in progress .......
$ ioslevel
2.1.3.10-FP23
Update IBM HTTP Server 6.0.2 on AIX
Configuration:
64-bit AIX and 32-bit HTTP Server 6.0.2.0
Installing fix pack 6.0.2.43
Since fix pack 6.0.2.21 the Update Installer is no longer shipped with the fix pack; you must download it separately.
Updateinstaller 7.0.0.23
ftp://public.dhe.ibm.com/software/websphere/appserv/support/tools/UpdateInstaller/7.0.x/AixPPC32/7.0.0.23-WS-UPDI-AixPPC32.tar.gz
32-bit Power PC IBM HTTP Server FIXPACK 6.0.2.43
ftp://ftp.software.ibm.com/software/websphere/appserv/support/fixpacks/was60/refreshpack2/cumulative/cf60243/AixPPC32/6.0.2-WS-WASIHS-AixPPC32-FP00000043.pak
Stop the HTTP server
Updateinstaller 7.0.0.23
Place Update Installer 7.0.0.23 in /tmp/IHStempo
# mkdir /tmp/IHStempo
# cd /tmp/IHStempo
# gunzip < 7.0.0.23-WS-UPDI-AixPPC32.tar.gz | tar -xf -
# cd UpdateInstaller
# ./install
- Install the Update Installer into /app/ihs/UpdateInstaller
- Uncheck "Launch Update Installer"
- Finish
- IBM HTTP Server FIXPACK 6.0.2.43
Place the fix pack 6.0.2-WS-WASIHS-AixPPC32-FP00000043.pak in the /app/ihs/UpdateInstaller/maintenance directory and launch the Update Installer.
# ./update.sh
- Product directory: /app/ihs
- Install maintenance 6.0.2.43
Verify the update:
Fileset Level State Type Description (Uninstaller)
----------------------------------------------------------------------------
gskta.rte 7.0.4.28 C F AIX Certificate and SSL Base Runtime ACME Toolkit
# /app/ihs/bin/apachectl -v
Server version: IBM_HTTP_Server/6.0.2.43 Apache/2.0.47
Server built: Jul 20 2010 22:53:03