Skip to Main Content
IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Workspace AIX
Created by Guest
Created on Apr 17, 2024

Upgrade OpenSSH on AIX to 9.6 or above.

I am getting dinged about CVE-2023-51385 from Qualys.



AIX has this notice: https://www.ibm.com/support/pages/node/7125640



Now, IBM may or may not have done a dandy job of stopping the vulnerability. However if they just patch an existing version of OpenSSH and do not go to a higher level of OpenSSH it doesn't make a difference as far as the scanning services go. All they do is check your current version of OpenSSH and if you are not on a certain minimum level then they assume that you are still susceptible to the vulnerability. I do not fault the scanning services. After all, if the vulnerability was that an exploit will cause your system to overheat and shutdown do you really want them to see if that occurs? So if the general belief for this CVE is that you need to be on 9.6 or higher of OpenSSH then any amount of patching that IBM does to some 8.1 version is not going to pass scanning.



So, after all that patching I still am seeing:



lslpp -L | grep -i openssh.base.client


openssh.base.client 8.1.112.2000 CE F Open Secure Shell Command



ssh -vvv somelocation


OpenSSH_8.1p1, OpenSSL 1.1.1v 1 Aug 2023

I opened a case with IBM on this and they replied:

Hi Robert,

The last available openssh version for AIX can be obtained from the IBM Webpack Download site:

https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp

The most recent openssh v8 and v9 versions available are:

VRMF: 8.1.112.2000

VRMF: 9.2.112.2000

We do plan on shipping a higher openssh version later this year, but for now we are addressing security vulnerabilities through ifixes.

There are many technical and even legal issues that must be resolved before we can ship a newer version of opensource software.

So the levels of many applications on AIX ... such as sendmail and bind ... are always never at the highest available versions.

And when there is a security vulnerability that affects the version of software that we ship and support on AIX, IBM will provide a patch for the security vulnerability.

This has been the standard AIX practice.

Idea priority High
  • Guest
    Reply
    |
    Sep 18, 2024

    Hello!

    OpenSSH 9.7.3013.1000 is available via https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssh !

    HTH,

    With kind regards,

    Stephan

  • Guest
    Reply
    |
    Apr 30, 2024

    I'd also contact your scanning tool vendor to have them update their system to recognise the ifix that IBM has provided.

    1 reply