Topics: AIX, Security

Heartbleed bug

OpenSSL on AIX can be impacted by the Heartbleed bug. Only OpenSSL 1.0.1e (IBM AIX VRMFs 1.0.1.500 and 1.0.1.501) is vulnerable to the Heartbleed bug (CVE-2014-0160). All OpenSSL v0.9.8.xxxx and v12.9.8.xxxx levels are NOT vulnerable to this CVE.

IBM released OpenSSL 1.0.1g by the end of April 2014, which is the official fix.

The following is information about an ifix that was made available by IBM. The ifix is just a workaround, and currently IBM recommends upgrading to OpenSSL 1.0.1.511 instead (see below).

  • This is a workaround compiled with the TLS heartbeat feature turned off.
  • This is not OS dependent. It only depends on the OpenSSL level.

Below are the download and install/uninstall instructions.

The OpenSSL ifix doesn't require a reboot. However, it is a shared library update, so any daemons that use it, such as sshd, will need to be restarted. If you aren't sure which applications running on your machine use OpenSSL, it's recommended to reboot.

To download it, go to: https://testcase.software.ibm.com/ and log in as "Anonymous" (no password needed). Click on the "fromibm" folder, and then click on the "aix" folder. Scroll down the list until you find the following file and click on it to download:
0160_ifix.140409.epkg.Z
Once the download is complete, transfer the file to your AIX system. Log on to your AIX system, go to the directory where you put the file, and run the following command as the root user.

To preview the installation of 0160_ifix.140409.epkg.Z, please do the following:
# emgr -p -e 0160_ifix.140409.epkg.Z
To install the ifix, run the following:
# emgr -X -e 0160_ifix.140409.epkg.Z
If you need to uninstall the ifix for some reason, run the following command as root (emgr -l lists the installed ifixes and their labels):
# emgr -r -L 0160_ifix.140409.epkg.Z
The following is more information, updated on June 13, 2014:

IBM has released several new levels for OpenSSL that address both the Heartbleed bug, as well as several other security vulnerabilities that have been identified recently.

We currently recommend downloading OpenSSL 1.0.1.511. This level can be used on AIX 5.3, 6.1 and 7.1. You can find OpenSSL in the IBM Web Download Pack at:

http://www-03.ibm.com/systems/power/software/aix/expansionpack/

Click on Downloads (on the right), log in with your IBM user ID (or register for one, if you don't already have an IBM user ID). Select openssl on the next page, and click on Continue at the bottom. Click Submit to accept IBM's privacy statement on the next page, and you'll be forwarded to a list of possible downloads. Here, click on "Download using http", and select the OpenSSL images for openssl-1.0.1.511.tar.Z. You probably also want to review the Readme beneath it as well.

You will download the openssl-1.0.1.511.tar.Z file. Transfer that onto your AIX systems into a separate folder.

Uncompress the file:
# gzip -d openssl-1.0.1.511.tar.Z
Now you will have a tar file.

Un-tar it:
# tar xf openssl-1.0.1.511.tar
That will give you a folder named openssl-1.0.1.511 within your current folder. Go into that folder:
# cd openssl-1.0.1.511
Here you can find 3 filesets; run inutoc to generate the .toc file:
# ls
openssl.base       openssl.license    openssl.man.en_US
# inutoc .
Then install the filesets:
# install_all_updates -d . -cY
Now, it should be installed. Before logging out, make sure you can access your system through ssh using a separate window.

For more information, see http://heartbleed.com. Please ensure your AIX Health Check level is up to date. Version 14.04.10 and up includes a check for your AIX systems to see if any are impacted by the Heartbleed bug.
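
A level check built from the version statements on this page, as an added example that is not IBM's or the original article's code. The function names, status labels and sample lines are assumptions of this example, as is the position of the level in the third colon-separated field of lslpp -Lqc output; 1.0.1 levels other than .500/.501 and below .511 are reported as REVIEW because the page does not classify them.

```shell
#!/bin/sh
# Added example: classify an AIX openssl.base level using the levels named on this page.
# The status words (VULNERABLE, NOT_AFFECTED, ...) are this example's own labels.

classify_openssl_level() {
    case $1 in
        *.*.*.*.*)           echo REVIEW; return ;;        # not a 4-part VRMF
        1.0.1.500|1.0.1.501) echo VULNERABLE; return ;;    # OpenSSL 1.0.1e levels
        0.9.8.*|12.9.8.*)    echo NOT_AFFECTED; return ;;  # 0.9.8-based levels
        1.0.1.*)             fix=${1##*.} ;;               # last VRMF field
        *)                   echo REVIEW; return ;;
    esac
    case $fix in
        ''|*[!0-9]*) echo REVIEW ;;
        *) if [ "$fix" -ge 511 ]; then echo AT_RECOMMENDED_OR_LATER; else echo REVIEW; fi ;;
    esac
}

# Assumption: in "lslpp -Lqc" output the fileset is field 2 and the level is field 3.
level_from_lslpp() {
    awk -F: '$2 == "openssl.base" { print $3; exit }'
}

check_host() {   # $1 = text of "lslpp -Lqc openssl.base"
    lvl=$(printf '%s\n' "$1" | level_from_lslpp)
    if [ -z "$lvl" ]; then
        echo "openssl.base NOT_INSTALLED"
    else
        echo "openssl.base $lvl $(classify_openssl_level "$lvl")"
    fi
}

# Constructed sample lines (not captured from a real system).
SAMPLE_VULN='openssl.base:openssl.base:1.0.1.500: : :C: :Open Secure Socket Layer: : : : : : :0:0:/:'
SAMPLE_OLD='openssl.base:openssl.base:0.9.8.2501: : :C: :Open Secure Socket Layer: : : : : : :0:0:/:'
SAMPLE_NEW='openssl.base:openssl.base:1.0.1.511: : :C: :Open Secure Socket Layer: : : : : : :0:0:/:'

for sample in "$SAMPLE_VULN" "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    check_host "$sample"
done
# On a live AIX host: check_host "$(lslpp -Lqc openssl.base 2>/dev/null)"
# An ifix does not change the fileset level, so also check emgr -l on hosts
# that report VULNERABLE.
```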