Security Bulletin: IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown.

Summary

IBM has released the following fixes for AIX and VIOS in response to CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

Vulnerability Details

CVEID: CVE-2017-5715
CVEID: CVE-2017-5753
CVEID: CVE-2017-5754

iFixes released on August 17, 2018:
Updated AIX and VIOS fixes for CVE-2017-5715, known as Spectre, that are only applicable to some POWER9 systems are now available.
Please see Security Bulletin:
<http://www.ibm.com/support/docview.wss?uid=ibm10719541&gt;

iFixes released on May 22, 2018:
AIX and VIOS fixes are now available for CVE-2018-3639.
Please see Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1027700

Affected Products and Versions

AIX 5.3 (32-bit and 64-bit kernels), 6.1, 7.1, 7.2
VIOS 2.2.x

The vulnerabilities in the following filesets are being addressed:

key_fileset = aix

Fileset Lower Level Upper Level KEY ---------------------------------------------------------
bos.mp 5.3.12.0 5.3.12.9 key_w_fs bos.mp64 5.3.12.0 5.3.12.10 key_w_fs bos.mp64 6.1.9.0 6.1.9.300 key_w_fs bos.mp64 7.1.4.0 7.1.4.33 key_w_fs bos.mp64 7.1.5.0 7.1.5.0 key_w_fs bos.mp64 7.2.0.0 7.2.0.5 key_w_fs bos.mp64 7.2.1.0 7.2.1.4 key_w_fs bos.mp64 7.2.2.0 7.2.2.0 key_w_fs
To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.

Example: lslpp -L | grep -i bos.mp64

Note: AIX or VIOS users of all fileset levels should continue to monitor their My Notifications alerts and the IBM PSIRT Blog for additional information about these vulnerabilities:

- My Notifications
<http://www.ibm.com/support/mynotifications&gt;

- IBM PSIRT Blog - Potential Impact on Processors in the Power Family
<https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/&gt;

Remediation/Fixes

A. APARS

IBM has assigned the following APARs to this problem:

` AIX Level APAR Availability SP KEY

5.3.12 IJ03029 N/A N/A key_w_apar
6.1.9 IJ03030 ** SP11 key_w_apar
7.1.4 IJ03032 ** SP6 key_w_apar
7.1.5 IJ03033 ** SP2 key_w_apar
7.2.0 IJ03034 ** SP6 key_w_apar
7.2.1 IJ03035 ** SP4 key_w_apar
7.2.2 IJ03036 ** SP2 key_w_apar`

VIOS Level APAR Availability SP KEY
------------------------------------------------
2.2.4 IJ03030 ** 2.2.4.60 key_w_apar
2.2.5 IJ03030 ** 2.2.5.40 key_w_apar
2.2.6 IJ03030 ** 2.2.6.20 key_w_apar

Subscribe to the APARs here:

<http://www.ibm.com/support/docview.wss?uid=isg1IJ03032&gt;
<http://www.ibm.com/support/docview.wss?uid=isg1IJ03033&gt;
<http://www.ibm.com/support/docview.wss?uid=isg1IJ03034&gt;
<http://www.ibm.com/support/docview.wss?uid=isg1IJ03035&gt;
<http://www.ibm.com/support/docview.wss?uid=isg1IJ03036&gt;

<https://www.ibm.com/support/docview.wss?uid=isg1IJ03032&gt;
<https://www.ibm.com/support/docview.wss?uid=isg1IJ03033&gt;
<https://www.ibm.com/support/docview.wss?uid=isg1IJ03034&gt;
<https://www.ibm.com/support/docview.wss?uid=isg1IJ03035&gt;
<https://www.ibm.com/support/docview.wss?uid=isg1IJ03036&gt;

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

B. FIXES

AIX and VIOS fixes are available.

IMPORTANT: Both the AIX/VIOS and FW fixes are required to address the vulnerabilities.

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 to avoid a reboot.

AIX and VIOS iFix Dependency:
The Power Firmware fix must be applied prior to the LPAR reboot (or Live Update) for the fix to be active. If the Power Firmware fix is applied after the patched AIX or VIOS LPAR has been rebooted (or Live Update completed), the fix must be activated by either:
1. Performing an additional reboot of the AIX or VIOS LPAR
or
2. Performing an LPAR migration to a destination frame that already has the Power Firmware fix applied.

Link to the related Power Firmware Security Bulletin and fix information:
<http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811&gt;

The AIX/VIOS fixes can be downloaded via ftp or http from:
<ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar&gt;
<http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar&gt;
<https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar&gt;

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.
AIX Level Interim Fix (*.Z) KEY -----------------------------``----``-------------
``5.3.12.9 IJ03029m9c.180124.epkg.Z key_w_fix
5.3.12.9 IJ03029m9a.180117.epkg.Z key_w_fix 5.3.12.9 IJ03029m9b.180117.epkg.Z key_w_fix
``6.1.9.8 IJ03030m8a.180117.epkg.Z key_w_fix
``6.1.9.9 IJ03030m9a.180116.epkg.Z key_w_fix
6.1.9.10 IJ03030mAa.180116.epkg.Z key_w_fix
``7.1.4.3 IJ03032m3a.180125.epkg.Z key_w_fix
7.1.4.3 IJ03032m3b.180125.epkg.Z key_w_fix
``7.1.4.4 IJ03032m4a.180125.epkg.Z key_w_fix
7.1.4.5 IJ03032m5a.180116.epkg.Z key_w_fix 7.1.5.0 IJ03033m1a.180116.epkg.Z key_w_fix 7.1.5.1 IJ03033m1a.180116.epkg.Z key_w_fix
``7.2.0.3 IJ03034m3a.180117.epkg.Z key_w_fix
``7.2.0.4 IJ03034m4a.180117.epkg.Z key_w_fix
7.2.0.5 IJ03034m5a.180117.epkg.Z key_w_fix
``7.2.1.1 IJ03035m1a.180118.epkg.Z key_w_fix
``7.2.1.1 IJ03035m1b.180118.epkg.Z key_w_fix
``7.2.1.2 IJ03035m2a.180118.epkg.Z key_w_fix
7.2.1.3 IJ03035m3a.180117.epkg.Z key_w_fix 7.2.2.0 IJ03036m1a.180116.epkg.Z key_w_fix 7.2.2.1 IJ03036m1a.180116.epkg.Z key_w_``fix
Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.2.1 is AIX 7200-02-01.

NOTE: Multiple iFixes are provided for AIX 5300-12-09, 7100-04-03, and 7200-01-01.
IJ03029m9c is for AIX 5300-12-09 with bos.mp fileset level 5.3.12.9.
IJ03029m9a is for AIX 5300-12-09 with bos.mp64 fileset level 5.3.12.9.
IJ03029m9b is for AIX 5300-12-09 with bos.mp64 fileset level 5.3.12.10.
IJ03032m3a is for AIX 7100-04-03 with bos.mp64 fileset level 7.1.4.30.
IJ03032m3b is for AIX 7100-04-03 with bos.mp64 fileset level 7.1.4.31.
IJ03035m1a is for AIX 7200-01-01 with bos.mp64 fileset level 7.2.1.1.
IJ03035m1b is for AIX 7200-01-01 with bos.mp64 fileset level 7.2.1.2.

VIOS Level Interim Fix (*.Z) `` KEY -----------------------------------------------
``2.2.4.30 IJ03030m8a.180117.epkg.Z key_w_fix
``2.2.4.40 IJ03030m9a.180116.epkg.Z key_w_fix
2.2.4.50 IJ03030m9b.180116.epkg.Z key_w_fix
``2.2.5.10 IJ03030m8a.180117.epkg.Z key_w_fix
``2.2.5.20 IJ03030m9a.180116.epkg.Z key_w_fix
2.2.5.30 IJ03030m9b.180116.epkg.Z key_w_fix
``2.2.6.0 IJ03030mAa.180116.epkg.Z key_w_fix
2.2.6.10 IJ03030mAa.180116.epkg``.Z key_w_fix
To extract the fixes from the tar file:

tar xvf spectre_meltdown_fix.tar cd spectre_meltdown_fix

Verify you have retrieved the fixes intact.

The checksums below were generated using the “openssl dgst -sha256 file” command as the following:

openssl dgst -sha256 filename KEY
-----------------------------------------------------------------------------------------------------
``d6ddda167a389195f6e48fb1868677e170f8f7ab679eb2af1e15f6672cd18e2e IJ03029m9c.180124.epkg.Z key_w_csum
11249eb38318b8779e5f86836edd2913278081e22d61ed68df207175bde6bd3a IJ03029m9a.180117.epkg.Z key_w_csum b0cfe72d0d7de4f5f99cdcf802b1a298586b6f7511bcb63e9644008faa4b7353 IJ03029m9b.180117.epkg.Z key_w_csum
``043d6e933e98c5b45ec7f93e61d0fb9647575d309151f7f9f6a4c4d4bd7376b0 IJ03030m8a.180117.epkg.Z key_w_csum
``873d25f7743c52d75cff80d1343d638f1f406bff2f70b2b362670a56d7abf3cb IJ03030m9a.180116.epkg.Z key_w_csum
44834d4990a178c6773c7fbd6bc00fbc81b23944b9988329294ae0cbb93ec20f IJ03030m9b.180116.epkg.Z key_w_csum f1fc5a1bb4daab5f9d2abc1006df087a688ed2832a7eb15a0de4f45efe94d6a6 IJ03030mAa.180116.epkg.Z key_w_csum
``61e8ecdf43a25b590697cc924940573a49adc639be381b05123dac0bb6cf6f9c IJ03032m3a.180125.epkg.Z key_w_csum
``895f3e1f269f0ef2f4f8d4d2801642e408731f7e813b279e9dd6616f9975f154 IJ03032m3b.180125.epkg.Z key_w_csum
``09627d285a0fcd81d7eca4a23270457bd9bca2d3e104593f392a837cb7e1faa1 IJ03032m4a.180125.epkg.Z key_w_csum
896215923b7d6001a5aff7ed7d420d9963bef177d88af1ef2b30d131e1c10029 IJ03032m5a.180116.epkg.Z key_w_csum 48ba4ca0c38611852dcbfcfb25376025941285df77e629953bf9bc534815e3cd IJ03033m1a.180116.epkg.Z key_w_csum
``eb1e9f32dd4c7072a05fc41b77f6de957d0812eb788747efb7d8f17573566277 IJ03034m3a.180117.epkg.Z key_w_csum
``64de96295eadae27b967dbd8a5c0c799b13bb4869edc63b970c470bfb820ce58 IJ03034m4a.180117.epkg.Z key_w_csum
8d18635a490926c67e992ea0cff6fab853f451802a3172a6f7bfd1244fa81e5c IJ03034m5a.180117.epkg.Z key_w_csum
``e7e2e4443f33f6449b4d0bfe9a649859dec540156621459662c1f96149c61cb2 IJ03035m1a.180118.epkg.Z key_w_csum
``5d4feacb66f678458df8f0ad053b5c1e64868c6e61debff08c175219efa0b415 IJ03035m1b.180118.epkg.Z key_w_csum
``f89f04a4586ac847fa31cf240448be5221f17783fc3b1a574c894a6dcb727424 IJ03035m2a.180118.epkg.Z key_w_csum
ed4f1af7ddd8a8f679ea1c6de410ad53c3b63d3c0b6c15561bbccea4f4837232 IJ03035m3a.180117.epkg.Z key_w_csum b1c4f488d6084eb7df5e68af3195d5f167f0d17dbb7c0290d9db4646fdd6c06a IJ03036m1a.180116.epkg.Z key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at <http://ibm.com/support/&gt; and describe the discrepancy.

` openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]`

Published advisory OpenSSL signature file location:

<http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig&gt;
<https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig&gt;
<ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig&gt;

Workarounds and Mitigations

None.