The SAAssist Client (saassist-client) is written in Korn Shell (ksh).
This is a simple ksh script that accesses the SAAssist Server (saassist-server) over HTTP or NFS, collects information about a specific APAR (CVE/IV), checks whether it is applicable to the server, provides detailed information and installs the fix if you request it.
With the NFS protocol there are no additional requirements. To use saassist-client over HTTP, the curl package is required on IBM AIX/PowerVM.
Download the saassist-client from the link, extract the files and edit the client_config file.
1. Download http://github.com/SAAssist/saassist-client
2. Extract the files (unzip, untar ..)
3. Edit and configure the client_config file
The saassist-server is simple to use. You need to run the saassist-client.sh with the actions (parameters) that you want to perform and specify the CVE or IV Number if necessary.
To get full help use: saassist-client.sh help
* checkall: Check all available APARs for the AIX/PowerVM
* preview : Verifies if the system is affected by CVE/IV
* info : Shows details about the CVE/IV
* install : Installs the APAR if it is available and applicable to the system

    ./saassist-client checkall
    ========================================================================
    SAAssist-client (Security APAR Assist Client) - Version 0.2.0
    ========================================================================
    Current OS Version: 6100-09-07
    [CLIENT] Verifying SAA Server over NFS
    [CLIENT] Downloading FLRT data from SAAssist Server
    [CLIENT] Downloading finished.
    [CLIENT] Generating checkall report
    SECURITY APAR  DATE      AFFECTED  BOOT  DESCRIPTION
    -------------------------------------------------------------------------------------------------------------
    CVE-2016-2848  20161215  N         no    Vulnerabilities in BIND impact AIX
    CVE-2017-1093  20170129  *Y*       no    There is a vulnerability in bellmail that impacts AIX.
    CVE-2015-7855  20160121  N         no    Vulnerabilities in NTP affect AIX
    CVE-2015-8000  20160224  N         no    Vulnerability in BIND affects AIX
    IV80334        20160330  N         yes   SYSTEM CRASH WHEN USING CIFS_FS DUE TO TREE CORRUPTION
    CVE-2016-0281  20160728  N         yes   Vulnerability in mustendd device driver impacts AIX
    CVE-2015-8241  20160222  N         no    Vulnerabilities in LibXML2 affect AIX
    CVE-2015-8704  20160422  N         no    Vulnerability in BIND affects AIX
    IV81503        20160307  N         yes   multibos may fail to mount or remove a standby instance
    IV82196        20160307  N         yes   Core dump in many commands when using NIS
    IV82694        20160816  *Y*       yes   Server using 10 GB PCIE adapters and large_send may crash
    CVE-2015-8140  20160608  *Y*       no    Vulnerabilities in NTP affect AIX
    CVE-2016-0281  20160728  *Y*       yes   Vulnerability in mustendd device driver impacts AIX
    CVE-2016-1286  20160616  N(ifix)   no    Vulnerabilities in BIND affects AIX
    IV85460        20160606  *Y*       yes   Malformed network packets can cause system crash
    IV86773        20160901  *Y*       yes   Performance regression when using Olson timezone format
    CVE-2016-2519  20160906  N(ifix)   no    Vulnerabilities in NTP affect AIX
    CVE-2016-3053  20161017  *Y*       no    Vulnerability in lsmcode affects AIX
    CVE-2016-6079  20161031  *Y*       no    Vulnerability in lquerylv in LVM impacts AIX
    CVE-2016-0266  20161202  N         no    Vulnerability in pConsole impacts AIX
    CVE-2016-2775  20161118  *Y*       no    Vulnerabilities in BIND impact AIX
    CVE-2016-8972  20161215  *Y*       yes   Vulnerability in bellmail affects AIX
    IV91199        20170202  *Y*       yes   Potential data loss using Virtual FC with num_cmd_elems greater than 256
    CVE-2016-2848  20161215  *Y*       no    There are two vulnerabilities in BIND that impact AIX.
    CVE-2016-9311  20170213  *Y*       no    There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.
    CVE-2016-9131  20170307  *Y*       no    There is a vulnerability in BIND that impacts AIX.
    CVE-2017-5486  20170525  *Y*       no    There are multiple vulnerabilities in tcpdump that impact AIX.
    IV95102        20170602  *Y*       yes   SYSTEM CRASH WHEN USING PROCFS FOR PROCESSES CLOSING MANY FILES
    CVE-2017-6464  20170707  *Y*       no    There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX
    IV96553        20170715  N         yes   UNDETECTED DATA LOSS AFTER STORAGE ERRORS WITH CERTAIN ADAPTERS
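
A saved checkall report can be filtered to plan patching, for example to separate fixes that need a reboot from those that do not. The script below is an added example, not part of saassist-client: it assumes the five-column layout shown in the report above, the helper names `sample_report` and `affected_apars` are hypothetical, and the sample input is constructed from rows copied from that report. It also handles an APAR that appears on more than one row, as CVE-2016-2848 and CVE-2016-0281 do.

```sh
#!/bin/sh
# Added example (not part of saassist-client): triage a saved checkall report.
# Assumes the column order shown above: APAR, DATE, AFFECTED, BOOT, DESCRIPTION.

# Constructed sample: rows copied from the checkall report on this page.
sample_report() {
cat <<'EOF'
[CLIENT] Generating checkall report
SECURITY APAR  DATE      AFFECTED  BOOT  DESCRIPTION
----------------------------------------------------
CVE-2016-2848  20161215  N         no    Vulnerabilities in BIND impact AIX
CVE-2017-1093  20170129  *Y*       no    There is a vulnerability in bellmail that impacts AIX.
IV82694        20160816  *Y*       yes   Server using 10 GB PCIE adapters and large_send may crash
CVE-2016-0281  20160728  N         yes   Vulnerability in mustendd device driver impacts AIX
CVE-2016-0281  20160728  *Y*       yes   Vulnerability in mustendd device driver impacts AIX
CVE-2016-1286  20160616  N(ifix)   no    Vulnerabilities in BIND affects AIX
CVE-2016-2848  20161215  *Y*       no    There are two vulnerabilities in BIND that impact AIX.
EOF
}

# affected_apars [yes|no|any]
# Reads a report on stdin and prints each APAR flagged *Y* once, optionally
# filtered by the BOOT column. An APAR listed on several rows is reported if
# any of its rows is *Y*; N and N(ifix) rows are ignored.
affected_apars() {
    awk -v want="${1:-any}" '
        # Data rows start with a CVE or IV id; skip banner, header and log lines.
        $1 !~ /^(CVE-[0-9]+-[0-9]+|IV[0-9]+)$/ { next }
        $3 != "*Y*"                            { next }
        want != "any" && $4 != want            { next }
        !seen[$1]++                            { print $1 }
    '
}

# Fixes that need a maintenance window (reboot), then those that do not.
echo "Reboot required:";    sample_report | affected_apars yes
echo "No reboot required:"; sample_report | affected_apars no
```

To run it against a real report, redirect the checkall output to a file and feed that file to `affected_apars` on stdin.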

    ./saassist-client preview CVE-2017-1093
    ========================================================================
    SAAssist-client (Security APAR Assist Client) - Version 0.2.0
    ========================================================================
    Current OS Version: 6100-09-07
    [CLIENT] Verifying SAA Server over NFS
    [CLIENT] Retrieving APAR CVE-2017-1093 info from saassist-server.kairo.eti.br
    [CLIENT] Checking if CVE/IV is applicable for OS version 6100-09
    [CLIENT] Checking if CVE/IV is applicable for OS release 6100-09-07
    [CLIENT] Checking if there are APARs already applied
     `- IV92238 is NOT installed
    [CLIENT] This system is AFFECTED by CVE-2017-1093
     `- Downloading APAR to /opt/saassist/tmp
     `- Running IV92238m8a.170112.epkg.Z preview
     `- APAR IV92238m8a.170112.epkg.Z is APPLICABLE to the system
    [CLIENT] This system is AFFECTED by CVE-2017-1093 (REBOOT REQUIRED: no)

    ./saassist-client info CVE-2017-1093
    ========================================================================
    SAAssist-client (Security APAR Assist Client) - Version 0.2.0
    ========================================================================
    Current OS Version: 6100-09-07
    [CLIENT] Verifying SAA Server over NFS
    [CLIENT] Getting APAR 'CVE-2017-1093' info
    IBM SECURITY ADVISORY
    First Issued: Sun Jan 29 01:19:56 CST 2017
    |Updated: Wed Jul 26 12:40:04 CDT 2017
    |Update 1: Changed impacted upper level fileset level for AIX 7.2.1 to
    | bos.net.tcp.client_core 7.2.1.0.
    The most recent version of this document is available here:
    http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory2.asc
    https://aix.software.ibm.com/aix/efixes/security/bellmail_advisory2.asc
    ftp://aix.software.ibm.com/aix/efixes/security/bellmail_advisory2.asc
    Security Bulletin: Vulnerability in bellmail affects AIX (CVE-2017-1093)
    ===============================================================================
    SUMMARY:
    There is a vulnerability in bellmail that impacts AIX.
    ===============================================================================
    VULNERABILITY DETAILS:
    CVEID: CVE-2017-1093
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1093
    DESCRIPTION: IBM AIX could allow a local user to exploit a vulnerability in the bellmail binary to gain root privileges.
    (...)

    ./saassist-client install CVE-2017-1093
    ========================================================================
    SAAssist-client (Security APAR Assist Client) - Version 0.2.0
    ========================================================================
    Current OS Version: 6100-09-07
    [CLIENT] Verifying SAA Server over NFS
    [CLIENT] Retrieving APAR CVE-2017-1093 info from saassist-server.kairo.eti.br
    [CLIENT] Checking if CVE/IV is applicable for OS version 6100-09
    [CLIENT] Checking if CVE/IV is applicable for OS release 6100-09-07
    [CLIENT] Checking if there are APARs already applied
     `- IV92238 is NOT installed
    [CLIENT] This system is AFFECTED by CVE-2017-1093
     `- Downloading APAR to /opt/saassist/tmp
     `- Running IV92238m8a.170112.epkg.Z preview
     `- APAR IV92238m8a.170112.epkg.Z is APPLICABLE to the system
    [CLIENT] This system is AFFECTED by CVE-2017-1093 (REBOOT REQUIRED: no)
    [CLIENT] Starting the APAR CVE-2017-1093 in 10 seconds. Use CTRL+C to cancel now!
     `- Running IV92238m8a.170112.epkg.Z install preview/test
     `- APAR IV92238m8a.170112.epkg.Z is APPLICABLE to the system
    +-----------------------------------------------------------------------------+
    Efix Manager Initialization
    +-----------------------------------------------------------------------------+
    Initializing log /var/adm/ras/emgr.log ...
    Efix package file is: /opt/saassist/tmp/CVE-2017-1093/bellmail_fix2/IV92238m8a.170112.epkg.Z
    MD5 generating command is /usr/bin/csum
    MD5 checksum is e1f1dadd5b2fb031921321f0d35a6a3f
    Accessing efix metadata ...
    Processing efix label "IV92238m8a" ...
    Verifying efix control file ...
    +-----------------------------------------------------------------------------+
    Installp Prerequisite Verification
    +-----------------------------------------------------------------------------+
    Verifying prerequisite file ...
    Checking prerequisites ...
    Prerequisite Number: 1
       Fileset: bos.net.tcp.client
       Minimal Level: 6.1.9.101
       Maximum Level: 6.1.9.200
       Actual Level: 6.1.9.102
       Type: PREREQ
       Requisite Met: yes
    All prerequisites have been met.
    +-----------------------------------------------------------------------------+
    Processing APAR reference file
    +-----------------------------------------------------------------------------+
    ATTENTION: Interim fix is enabled for automatic removal by installp.
    +-----------------------------------------------------------------------------+
    Efix Attributes
    +-----------------------------------------------------------------------------+
    LABEL: IV92238m8a
    PACKAGING DATE: Thu Jan 12 03:12:23 CST 2017
    ABSTRACT: IV92238,IV91006 for AIX 6.1 TL09
    PACKAGER VERSION: 7
    VUID: 00F850C34C00011203012217
    REBOOT REQUIRED: no
    BUILD BOOT IMAGE: no
    PRE-REQUISITES: yes
    SUPERSEDE: no
    PACKAGE LOCKS: no
    E2E PREREQS: no
    FIX TESTED: no
    ALTERNATE PATH: None
    EFIX FILES: 1
    Install Scripts:
       PRE_INSTALL: no
       POST_INSTALL: no
       PRE_REMOVE: no
       POST_REMOVE: no
    File Number: 1
       LOCATION: /usr/bin/bellmail
       FILE TYPE: Standard (file or executable)
       INSTALLER: installp
       SIZE: 72
       ACL: DEFAULT
       CKSUM: 48632
       PACKAGE: bos.net.tcp.client
       MOUNT INST: no
    +-----------------------------------------------------------------------------+
    Efix Description
    +-----------------------------------------------------------------------------+
    IV92238 - A potential security issue exists
    IV91006 - A potential security issue exists
    +-----------------------------------------------------------------------------+
    Efix Lock Management
    +-----------------------------------------------------------------------------+
    Checking locks for file /usr/bin/bellmail ...
    All files have passed lock checks.
    +-----------------------------------------------------------------------------+
    Space Requirements
    +-----------------------------------------------------------------------------+
    Checking space requirements ...
    Space statistics (in 512 byte-blocks):
    File system: /usr, Free: 1175136, Required: 1517, Deficit: 0.
    File system: /tmp, Free: 698312, Required: 2580, Deficit: 0.
    +-----------------------------------------------------------------------------+
    Efix Installation Setup
    +-----------------------------------------------------------------------------+
    Unpacking efix package file ...
    Initializing efix installation ...
    +-----------------------------------------------------------------------------+
    Efix State
    +-----------------------------------------------------------------------------+
    Setting efix state to: INSTALLING
    +-----------------------------------------------------------------------------+
    File Archiving
    +-----------------------------------------------------------------------------+
    Saving all files that will be replaced ...
    Save directory is: /usr/emgrdata/efixdata/IV92238m8a/save
    File 1: Saving /usr/bin/bellmail as EFSAVE1 ...
    +-----------------------------------------------------------------------------+
    Efix File Installation
    +-----------------------------------------------------------------------------+
    Installing all efix files:
    Installing efix file #1 (File: /usr/bin/bellmail) ...
    Total number of efix files installed is 1.
    All efix files installed successfully.
    +-----------------------------------------------------------------------------+
    Package Locking
    +-----------------------------------------------------------------------------+
    Processing package locking for all files.
    File 1: installp fileset bos.net.tcp.client is already locked by emgr.
    All package locks processed successfully.
    +-----------------------------------------------------------------------------+
    Reboot Processing
    +-----------------------------------------------------------------------------+
    Reboot is not required by this efix package.
    +-----------------------------------------------------------------------------+
    Efix State
    +-----------------------------------------------------------------------------+
    Setting efix state to: STABLE
    +-----------------------------------------------------------------------------+
    Operation Summary
    +-----------------------------------------------------------------------------+
    Log file is /var/adm/ras/emgr.log
    EPKG NUMBER  LABEL           OPERATION          RESULT
    ===========  ==============  =================  ==============
    1            IV92238m8a      INSTALL            SUCCESS
    Return Status = SUCCESS
    [CLIENT] APAR CVE-2017-1093 Installation finished. (REBOOT REQUIRED: no)

    ./saassist-client checkall
    ========================================================================
    SAAssist-client (Security APAR Assist Client) - Version 0.2.0
    ========================================================================
    Current OS Version: 6100-09-07
    [CLIENT] Verifying SAA Server over NFS
    [CLIENT] Downloading FLRT data from SAAssist Server
    [CLIENT] Downloading finished.
    [CLIENT] Generating checkall report
    SECURITY APAR  DATE      AFFECTED  BOOT  DESCRIPTION
    -------------------------------------------------------------------------------------------------------------
    CVE-2016-2848  20161215  N         no    Vulnerabilities in BIND impact AIX
    CVE-2017-1093  20170129  N(ifix)   no    There is a vulnerability in bellmail that impacts AIX.
    CVE-2015-7855  20160121  N         no    Vulnerabilities in NTP affect AIX
    CVE-2015-8000  20160224  N         no    Vulnerability in BIND affects AIX
    (...)

    ./saassist-client preview CVE-2017-1093
    ========================================================================
    SAAssist-client (Security APAR Assist Client) - Version 0.2.0
    ========================================================================
    Current OS Version: 6100-09-07
    [CLIENT] Verifying SAA Server over NFS
    [CLIENT] Retrieving APAR CVE-2017-1093 info from saassist-server.kairo.eti.br
    [CLIENT] Checking if CVE/IV is applicable for OS version 6100-09
    [CLIENT] Checking if CVE/IV is applicable for OS release 6100-09-07
    [CLIENT] Checking if there are APARs already applied
     `- IV92238 is already installed
    [CLIENT] This system is NOT AFFECTED by CVE-2017-1093
SAAssist Client https://github.com/SAAssist/saassist-client/issues
Please access contributing.