OpenSSL on AIX can be impacted by the Heartbleed bug. Only OpenSSL 1.0.1e (IBM AIX VRMFs - 220.127.116.110 & 18.104.22.1681) is vulnerable to the Heartbleed bug (CVE-2014-010). All OpenSSL v0.9.8.xxxx and v12.9.8.xxxx are NOT vulnerable to this CVE.
IBM released OpenSSL 1.0.1g by the end of April 2014, which is the official fix.
The following is information about an ifix that was made available by IBM. The ifix is just a workaround, and currently IBM recommends upgrading to OpenSSL 22.214.171.1241 instead (see below).
- This is a workaround compiled with the feature turned off.
- This is not OS dependent. It only depends on the OpenSSL level.
The OpenSSL ifix doesn't require a reboot. However... It's a shared library update, so any daemons that use it will need to be restarted such as sshd. If you aren't sure what applications running on your machine use OpenSSL, it's recommended to reboot.
To download it, go to: https://testcase.software.ibm.com/ and log in as "Anonymous" (no password needed). Click on the "fromibm" folder, and then click on the "aix" folder. Scroll down the list until you find the following file and click on it to download:
0160_ifix.140409.epkg.ZOnce the download is complete, transfer the file to your AIX system. Log on to your AIX system, go to the directory where you put the file, and run the following command as the root user.
To preview the installation of 0160_ifix.140409.epkg.Z, please do the following:
# emgr -p -e 0160_ifix.140409.epkg.ZTo install the ifix, run the following:
# emgr -X -e 0160_ifix.140409.epkg.ZIf you need to uninstall the iFix for some reason, run the following command as root:
# emgr -r -L 0160_ifix.140409.epkg.ZThe following is more information, updated on June 13, 2014:
IBM has released several new levels for OpenSSL that address both the Heartbleed bug, as well as several other security vulnerabilities that have been identified recently.
We currently recommend downloading OpenSSL 126.96.36.1991. This level can be used on AIX 5.3, 6.1 and 7.1. You can find OpenSSL in the IBM Web Download Pack at:
Click on Downloads (on the right), log in with your IBM user ID (or register for one, if you don't already have an IBM user ID). Select openssl on the next page, and click on Continue at the bottom. Click Submit to accept IBM's privacy statement on the next page, and you'll be forwarded to a list of possible downloads. Here, click on "Download using http", and select the OpenSSL images for openssl-188.8.131.521.tar.Z. You probably also want to review the Readme beneath it as well.
You will download the openssl-184.108.40.2061.tar.Z file. Transfer that onto your AIX systems into a separate folder.
Uncompress the file:
# gzip -d openssl-220.127.116.111.tar.ZNow you will have a tar file.
# tar xf openssl-18.104.22.1681.tarThat will give you folder openssl-22.214.171.1241 within your current folder. Go into that folder:
# cd openssl-126.96.36.1991Here you can find 3 filesets; run inutoc to generate the .toc file:
Then install the filesets:# ls openssl.base openssl.license openssl.man.en_US # inutoc .
# update_all -d . -cYNow, it should be installed. Before logging out, make sure you can access your system through ssh using a separate window.
For more information, see http://heartblead.com. Please ensure your AIX Health Check level is up to date. Version 14.04.10 and up includes a check for your AIX systems to see if any are impacted by the Heartbleed bug.