Keeping AIX and virtual I/O servers up to date with regard to HIPER and SECURITY fixes has become enormously important in recent years. To do this, the systems must be checked regularly for any missing fixes. The appropriate fixes must be downloaded and then installed. Determining which fix needs to be installed on a particular system often involves viewing bulletins with a web browser. PowerCampus 01 provides the ‘apar‘ command to simplify the management of fixes. This makes working with fixes and APARs as well as CVEs much easier.
Some sample uses of the ‘apar‘ command
The ‘apar‘ command allows the download of HIPER and SECURITY fixes, the checking of systems (AIX and VIOS) for installed and missing fixes, as well as the display and targeted search for fixes. In order to be able to use all functionalities, a direct Internet connection or a connection via an http proxy server is required. The command is available in versions for AIX, Linux and MacOS. A number of example calls are shown below.
Example 1: What fixes have been released in the last 30 days?
$ apar last
20220817 sec aix CVE-2022-1292,CVE-2022-2068,CVE-2022-2097 AIX is vulnerable to arbitrary command execution due to OpenSSL
20220912 sec vios CVE-2022-29824,IJ42339,IJ42378,IJ42379 AIX is vulnerable to a denial of service due to libxml2 for VIOS
20220912 sec vios CVE-2022-29824,IJ42339,IJ42378,IJ42379 AIX is vulnerable to a denial of service due to libxml2 for VIOS
20220912 sec aix CVE-2022-29824,IJ42339,IJ42378,IJ42379 AIX is vulnerable to a denial of service due to libxml2
20220912 sec aix CVE-2022-29824,IJ42341 AIX is vulnerable to a denial of service due to libxml2
20220912 sec aix CVE-2022-29824,IJ42381 AIX is vulnerable to a denial of service due to libxml2
20220912 sec vios CVE-2022-29824,IJ42381 AIX is vulnerable to a denial of service due to libxml2 for VIOS
20220912 sec vios CVE-2022-34356,IJ41396,IJ41685,IJ41795 AIX kernel is vulnerable to a privilege escalation vulnerability for VIOS
20220912 sec aix CVE-2022-34356,IJ41396,IJ41685,IJ41795 AIX kernel is vulnerable to a privilege escalation vulnerability
20220912 sec vios CVE-2022-34356,IJ41396,IJ41685,IJ41795 AIX kernel is vulnerable to a privilege escalation vulnerability for VIOS
20220912 sec aix CVE-2022-34356,IJ41687 AIX kernel is vulnerable to a privilege escalation vulnerability
20220912 sec aix CVE-2022-34356,IJ41688 AIX kernel is vulnerable to a privilege escalation vulnerability
20220912 sec vios CVE-2022-34356,IJ41706 AIX kernel is vulnerable to a privilege escalation vulnerability for VIOS
20220912 sec aix CVE-2022-34356,IJ41706 AIX kernel is vulnerable to a privilege escalation vulnerability
20220912 sec aix CVE-2022-36768 AIX is vulnerable to a privilege escalation vulnerability due to invscout
$
Example 2: Displaying information about APAR ID IJ42341.
$ apar show IJ42341
type: sec
product: aix
versions: 7300-00-01,7300-00-02
abstract: AIX is vulnerable to a denial of service due to libxml2
apars: CVE-2022-29824,IJ42341
fixedIn: 7300-00-04
ifixes: IJ42341s2a.220907.epkg.Z
bulletinUrl: https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
filesets: bos.rte.control:7.3.0.0-7.3.0.1
issued: 20220912
updated:
siblings:
download: https://aix.software.ibm.com/aix/efixes/security/libxml2_fix3.tar
cvss: CVE-2022-29824:5.5
reboot: no
$
Example 3: Viewing the bulletin for APAR ID IJ42341.
$ apar bulletin IJ42341
IBM SECURITY ADVISORY
First Issued: Mon Sep 12 15:07:01 CDT 2022
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
ftp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
Security Bulletin: AIX is vulnerable to a denial of service due to libxml2
(CVE-2022-29824)
…
REMEDIATION:
A. APARS
IBM has assigned the following APARs to this problem:
AIX Level APAR Availability SP KEY
-----------------------------------------------------
7.2.4 IJ42381 ** N/A key_w_apar
7.2.5 IJ42339 ** SP06 key_w_apar
7.3.0 IJ42341 ** SP04 key_w_apar
…
$
Example 4: Download the fix for APAR IJ42341.
$ apar download IJ42341
downloading libxml2_fix3.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 30.8M 100 30.8M 0 0 1522k 0 0:00:20 0:00:20 --:--:-- 1638k
$
The fix is downloaded to the current working directory.
Example 5: Searching for fixes for the keywords ‘memory‘ and ‘leak‘.
$ apar search memory leak
20141029 CVE-2014-3513,CVE-2014-3566,CVE-2014-3567 AIX OpenSSL Denial of Service due to memory leak in DTLS / AIX OpenSSL Patch to mitigate CVE-2014-3566 / AIX OpenSSL Denial of Service due to memory consumption
20150319 IV71217 NODE DOWN IN CAA CLUSTER DUE TO CONFIGRM MEMORY LEAK
20150319 IV71217 NODE DOWN IN CAA CLUSTER DUE TO CONFIGRM MEMORY LEAK
20150319 IV71219 NODE DOWN IN CAA CLUSTER DUE TO CONFIGRM MEMORY LEAK
$
Example 6: Checking the current system (AIX or VIOS).
# time apar check
SUMMARY: 6/21 fixes installed (3 APARs have no fix specified)
Real 2.00
User 0.40
System 0.23
#
To check a system for fixes, root privileges are required to determine the list of installed fixes.
The check took 2 seconds and determined that only 6 out of 21 of the existing fixes are installed.
The missing fixes can be displayed using the option ‘-b‘ (brief listing) or ‘-l‘ (long listing):
# time apar check -b
20210315 sec aix CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803,CVE-2020-27221,CVE-2020-2773 Multiple vulnerabilities in IBM Java SDK affect AIX
INSTALLED: no fix installed
20210730 sec aix CVE-2021-29741,IJ30557 There is a vulnerability in Korn Shell (ksh) that affects AIX
INSTALLED: no fix installed
20210819 hiper aix IJ34376 Applications can terminate on systems with active IPv6 traffic
INSTALLED: no fix installed
20210825 sec aix CVE-2021-29727,CVE-2021-29801,CVE-2021-29862,IJ32631 There are multiple vulnerabilities in the AIX kernel
INSTALLED: no fix installed
20210915 sec aix CVE-2021-2161,CVE-2021-2369,CVE-2021-2432 Multiple vulnerabilities in IBM Java SDK affect AIX
INSTALLED: no fix installed
20211116 sec aix CVE-2021-29860,IJ32714,IJ32736 There is a vulnerability in the libc.a library that affects AIX
INSTALLED: no fix installed
20211116 sec aix CVE-2021-29861,IJ35078,IJ35211 There is a vulnerability in EFS that affects AIX
INSTALLED: no fix installed
20220106 sec aix CVE-2021-3712 There is a vulnerability in OpenSSL used by AIX.
INSTALLED: no fix installed
20220106 sec aix CVE-2021-41617 Vulnerabilities in OpenSSH affect AIX.
INSTALLED: no fix installed
20220223 sec aix CVE-2021-2341,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-41035 Multiple vulnerabilities in IBM Java SDK affect AIX
INSTALLED: no fix installed
20220223 sec aix CVE-2021-38994,CVE-2021-38995,IJ37012 There are multiple vulnerabilities in the AIX kernel.
INSTALLED: no fix installed
20220228 sec aix CVE-2021-38955,IJ38117,IJ38119 There is a vulnerability in the AIX audit user commands.
INSTALLED: no fix installed
20220301 sec aix CVE-2021-38996,CVE-2022-22350,IJ36682,IJ37512 There are multiple vulnerabilities in AIX CAA.
INSTALLED: no fix installed
20220304 sec aix CVE-2021-38989,IJ37488,IJ37778 There is a vulnerability in the AIX pmsvcs kernel extension.
INSTALLED: no fix installed
20220304 sec aix CVE-2022-22351,IJ36681,IJ37706 There is a vulnerability in the AIX nimsh daemon.
INSTALLED: no fix installed
SUMMARY: 6/21 fixes installed (3 APARs have no fix specified)
Real 1.90
User 0.32
System 0.18
#
Example 7: Download all fixes for IOS version 3.1.3.21.
$ apar download 3.1.3.21
downloading lpd_fix2.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 270k 100 270k 0 0 197k 0 0:00:01 0:00:01 --:--:-- 197k
downloading bind_fix21.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 19.1M 100 19.1M 0 0 1498k 0 0:00:13 0:00:13 --:--:-- 1665k
downloading vios_fix.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 32.7M 100 32.7M 0 0 1571k 0 0:00:21 0:00:21 --:--:-- 1750k
downloading kernel_fix4.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 138M 100 138M 0 0 1618k 0 0:01:27 0:01:27 --:--:-- 1671k
downloading libxml2_fix3.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 30.8M 100 30.8M 0 0 1537k 0 0:00:20 0:00:20 --:--:-- 1643k
$
$ ls -l
total 453952
-rw-r--r-- 1 user01 staff 20080640 Sep 17 10:48 bind_fix21.tar
-rw-r--r-- 1 user01 staff 145326080 Sep 17 10:50 kernel_fix4.tar
-rw-r--r-- 1 user01 staff 32378880 Sep 17 10:51 libxml2_fix3.tar
-rw-r--r-- 1 user01 staff 276480 Sep 17 10:48 lpd_fix2.tar
-rw-r--r-- 1 user01 staff 34355200 Sep 17 10:49 vios_fix.tar
$
Similarly, all fixes for a specific AIX version can be downloaded by specifying the AIX version!
Example 8: Checking NIM clients for fixes
# apar check aix01 aix02 vios1
aix01: 13/16 fixes installed
aix02: 4/12 fixes installed (1 APAR has no fix specified)
vios1: 17/20 fixes installed (3 APARs have no fix specified)
#
Any number of NIM clients can be specified. NIM groups (mac_group) can also be specified.
Example 9: Checking a NIM client and downloading missing fixes
# apar check -d aix07
aix07: 13/16 fixes installed
downloading efs_fix.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5010k 100 5010k 0 0 1079k 0 0:00:04 0:00:04 --:--:-- 1241k
downloading kernel_fix3.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 142M 100 142M 0 0 1637k 0 0:01:29 0:01:29 --:--:-- 1684k
downloading bind_fix20.tar ...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 19.1M 100 19.1M 0 0 1494k 0 0:00:13 0:00:13 --:--:-- 1596k
#
The fixes are placed in the current directory.
Example 10: View fixes for a specific fileset
$ apar show bos.cluster.rte
type: hiper
product: vios
versions: 2.2.3.80,2.2.3.90
abstract: CAA:SLOW GOSSIP RECEIPT ON BOOT MAY CAUSE PARTITIONED CLUSTER
apars: IV97148
fixedIn: See Advisory
ifixes: IV97148s8a.170613.61TL09SP08.epkg.Z,IV97148s8a.170613.epkg.Z,IV97148s9b.171030.61TL09SP09.epkg.Z,IV97148s9b.171030.epkg.Z
bulletinUrl: http://www-01.ibm.com/support/docview.wss?uid=isg1IV97148
filesets: bos.cluster.rte:6.1.9.200-6.1.9.201
issued: 20171108
updated:
siblings: 6100-09:IV97148 7100-04:IV97265 7200-01:IV97266
download: https://aix.software.ibm.com/aix/ifixes/iv97148/
cvss:
reboot: yes
…
$
A version can also be specified:
$ apar show bos.cluster.rte:7.2.5.1
type: sec
product: aix
versions: 7200-05-01,7200-05-01-2038,7200-05-01-2039,7200-05-02,7200-05-02-2114,7200-05-03-2135,7200-05-03-2136,7200-05-03-2148
abstract: There are multiple vulnerabilities in AIX CAA.
apars: CVE-2021-38996,CVE-2022-22350,IJ36682,IJ37512
fixedIn: 7200-05-04
ifixes: IJ36682s3a.220228.epkg.Z,IJ36682s3b.220228.epkg.Z,IJ37512s1a.220228.epkg.Z,IJ37512s2a.220228.epkg.Z
bulletinUrl: https://aix.software.ibm.com/aix/efixes/security/caa_advisory2.asc
filesets: bos.cluster.rte:7.2.5.0-7.2.5.1,bos.cluster.rte:7.2.5.100-7.2.5.101
issued: 20220301
updated:
siblings:
download: https://aix.software.ibm.com/aix/efixes/security/caa_fix2.tar
cvss: CVE-2022-22350:6.2 / CVE-2021-38996:6.2
reboot: yes
…
$
Information about the ‘apar‘ command
The curl command is used to download files. It is available, for example, on the AIX toolbox. If curl is not installed or there is no connection to the Internet (with or without a proxy), then the download functionality of the ‘apar‘ command cannot be used. However, all other functions such as viewing APARs, checking for fixes, or searching for specific APARs can still be used without such a connection.
If a proxy is required, it can be configured using one of the two files /opt/pwrcmps/etc/tools.cfg or ~/.tools.cfg, e.g.:
# The HTTP proxy to use
# Default: (none)
HttpProxy: http://172.168.10.12:3333
We recommend using the /opt/pwrcmps/etc/tools.cfg file for the proxy configuration, as this is valid for all users.
The ‘apar‘ command requires the CSV file apar.csv which contains data records of all HIPER and SECURITY fixes. This file is made available by IBM at the following URL:
https://esupport.ibm.com/customercare/flrt/doc?page=aparCSV
By default, the ‘apar‘ command first searches for this file in the user’s home directory and then under /opt/pwrcmps/etc. If the file is not available in both places, the file will be downloaded from IBM using the URL above. The behavior can be configured via one of the two files /opt/pwrcmps/etc/tools.cfg or ~/.tools.cfg:
# The order of locations to look for the apar.csv file
# Default: ~,/opt/pwrcmps/etc,ibmwebsite
#AparCsvResolve:
We recommend downloading the file regularly using a crontab entry and storing it under /opt/pwrcmps/etc/apar.csv. The file can then be used by all users without having to download it again for each command call.
The download can be done using the following call:
$ apar getcsv
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2834k 0 2834k 0 0 1240k 0 --:--:-- 0:00:02 --:--:-- 1240k
$
The file is stored in the current directory. A crontab call from root for regular download could look like this:
( cd /opt/pwrcmps/etc; apar getcsv )
The ‘apar‘ command can be downloaded from our download area, it includes a time-limited test license for evaluation purposes.
You must be logged in to post a comment.